Use of principals added to README
This commit is contained in:
parent 3f9ba857d3
commit acc17bccc8
1 changed files with 56 additions and 0 deletions
README.rst (56 additions)
@ -190,6 +190,62 @@ Note that this short snippet is not a substitute for reading and
understanding the relevant documentation.


Using ssh-certificates and principals
=====================================

``ssh certificates`` are a new feature of openssh, where you setup your own ssh-CA
and you sign all you host- and user-pubkeys.

If you want to use certificates ans principals, please visit THIS_ and THIS_ website.
To find out more about the AuthorizedPrincipalCommand in sshd_config, please consult GITLABS_
documentation for it.

.. _THIS: https://ef.gy/hardening-ssh
.. _THIS: https://framkant.org/2017/07/scalable-access-control-using-openssh-certificates/
.. _GITLABS: https://docs.gitlab.com/ee/administration/operations/ssh_certificates.html

To use principals and ssh-certificates with this fork of gitosis, please add this snippet to your sshd_config on your git-server

Match User git
AuthorizedPrincipalsCommandUser git
AuthorizedPrincipalsCommand /usr/local/bin/gitosis-authorized-principals %i

This will run the command as user "git", which will you have installed, when you serve your gitrepos with gitosis.
%i is the key-identity of your certificate, which will you give on your sign-process to the user-certificate.

Then you need an additional line in your gitosis.conf in the [gitosis]-section

[gitosis]
...
allowedPrincipals = git gitosis-admin

In the members-line of your gitosis.conf, you have to write down the key-identity (which is passed as %i in you sshd_config). If you are not sure,
what the identity is, try

ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub

/home/myusername/.ssh/id_rsa-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:cjLH4l45G32zOaJBjv8Udnr7bkwHRNB3nAz0a6SCOl0
Signing CA: ED25519 SHA256:9bMENs+blen§naslr§BJEN421I5ckbu4mvpnktiHdUs (using ssh-ed25519)
Key ID: "myusername"
Serial: 4
Valid: from 2019-08-02T02:29:00 to 2020-08-01T02:30:20
Principals:
myusername
principal2
git
gitosis-admin
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc

from your principals in the key, only git and gitosis-admin are allowed. You must have at least one of this allowed principals in your key, to get access to your gitosis-served repos.
Access is only given, if you have one of the allowed principals in your certificate, and your key ID is listed as member in the repo

Contact
=======

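Review bot: the two `.. _THIS:` link targets share one name but point at different URLs, which docutils rejects as a duplicate explicit target name, so "please visit THIS_ and THIS_ website" cannot resolve to two distinct pages; give each target its own name (for example `.. _HARDENING: https://ef.gy/hardening-ssh` and `.. _SCALABLE: https://framkant.org/...`) and reference each once. The three snippets (the `Match User git` block, the `[gitosis]` block and the `ssh-keygen -L` output) are neither introduced with a `::` literal-block marker nor indented, so reStructuredText will fold them into ordinary paragraphs and the `...` line inside the `[gitosis]` block will not render as intended; end each introducing sentence with `::` and indent the snippet. Wording in the added prose: "setup" should be "set up", "all you host-" should be "all your host-", "certificates ans principals" should be "and", "which will you have installed" and "which will you give" should be "which you will have installed" / "which you give", "in you sshd_config" should be "your", and the sentence that says `AuthorizedPrincipalCommand` should name the directive as it is spelled in the snippet, `AuthorizedPrincipalsCommand`. Because the section now defines the access rule (an allowed principal plus a Key ID listed as a member), it would help readers to state explicitly that both the Key ID passed as `%i` and the principal list are fixed by whoever signs with the CA, so the protection of the CA private key is what the whole scheme rests on, and that the example certificate carries `permit-agent-forwarding`, `permit-port-forwarding`, `permit-pty` and `permit-user-rc`, none of which a git-only principal needs; the README could recommend signing such certificates with `ssh-keygen -O clear` so that those extensions are not granted.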