Use of principals added to README
This commit is contained in:
parent 3f9ba857d3
commit acc17bccc8
1 changed files with 56 additions and 0 deletions
README.rst
@ -190,6 +190,62 @@ Note that this short snippet is not a substitute for reading and
understanding the relevant documentation.
understanding the relevant documentation.
Using ssh-certificates and principals
=====================================
``ssh certificates`` are a new feature of openssh, where you setup your own ssh-CA
and you sign all you host- and user-pubkeys.
If you want to use certificates ans principals, please visit THIS_ and THIS_ website.
To find out more about the AuthorizedPrincipalCommand in sshd_config, please consult GITLABS_
documentation for it.
.. _THIS: https://ef.gy/hardening-ssh
.. _THIS: https://framkant.org/2017/07/scalable-access-control-using-openssh-certificates/
.. _GITLABS: https://docs.gitlab.com/ee/administration/operations/ssh_certificates.html
To use principals and ssh-certificates with this fork of gitosis, please add this snippet to your sshd_config on your git-server
Match User git
AuthorizedPrincipalsCommandUser git
AuthorizedPrincipalsCommand /usr/local/bin/gitosis-authorized-principals %i
This will run the command as user "git", which will you have installed, when you serve your gitrepos with gitosis.
%i is the key-identity of your certificate, which will you give on your sign-process to the user-certificate.
Then you need an additional line in your gitosis.conf in the [gitosis]-section
[gitosis]
...
allowedPrincipals = git gitosis-admin
In the members-line of your gitosis.conf, you have to write down the key-identity (which is passed as %i in you sshd_config). If you are not sure,
what the identity is, try
ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub
/home/myusername/.ssh/id_rsa-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:cjLH4l45G32zOaJBjv8Udnr7bkwHRNB3nAz0a6SCOl0
Signing CA: ED25519 SHA256:9bMENs+blen§naslr§BJEN421I5ckbu4mvpnktiHdUs (using ssh-ed25519)
Key ID: "myusername"
Serial: 4
Valid: from 2019-08-02T02:29:00 to 2020-08-01T02:30:20
Principals:
myusername
principal2
git
gitosis-admin
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
from your principals in the key, only git and gitosis-admin are allowed. You must have at least one of this allowed principals in your key, to get access to your gitosis-served repos.
Access is only given, if you have one of the allowed principals in your certificate, and your key ID is listed as member in the repo
Contact
Contact
=======
=======
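Review bot: the sshd_config snippet introduced after "please add this snippet to your sshd_config on your git-server" does not work on its own: `AuthorizedPrincipalsCommand` is only consulted for certificate logins, and sshd only accepts user certificates once `TrustedUserCAKeys` points at the CA public key, so the snippet should also carry a `TrustedUserCAKeys /etc/ssh/ca_user_keys.pub` line (path is an example) and the text should say that this file must hold the CA shown as "Signing CA" in the `ssh-keygen -L` output. Second, the two `.. _THIS:` targets share one name; reStructuredText reports this as a duplicate explicit target, and "THIS_ and THIS_" cannot distinguish the two pages, so give them distinct names (for example `EFGY_` and `FRAMKANT_`) and update both references. Third, since access is granted when the certificate carries one of the `allowedPrincipals` and its Key ID (`%i`) matches a name in the members line, the text should state that the CA must issue a unique, non-reusable Key ID per user: a certificate signed with a Key ID equal to another member's name plus a listed principal gets that member's repositories, so Key IDs are part of the trust boundary, not just labels. Wording fixes for the same hunk: "ans principals" should read "and principals", "all you host-" should read "all your host-", "which will you have installed" should read "which you will have installed", "which will you give on your sign-process" should read "which you set when signing", and "AuthorizedPrincipalCommand" in the GitLab sentence should be "AuthorizedPrincipalsCommand" to match the directive used below.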