Use of principals added to README

2019-08-02 03:02:25 +02:00 · 2019-08-02 03:02:25 +02:00 · acc17bccc8
parent 3f9ba857d3
commit acc17bccc8
1 changed files with 56 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -190,6 +190,62 @@ Note that this short snippet is not a substitute for reading and
 understanding the relevant documentation.


+Using ssh-certificates and principals
+=====================================
+
+``ssh certificates`` are a new feature of openssh, where you setup your own ssh-CA
+and you sign all you host- and user-pubkeys. 
+
+If you want to use certificates ans principals, please visit THIS_ and THIS_ website.
+To find out more about the AuthorizedPrincipalCommand in sshd_config, please consult GITLABS_ 
+documentation for it.
+
+.. _THIS: https://ef.gy/hardening-ssh
+.. _THIS: https://framkant.org/2017/07/scalable-access-control-using-openssh-certificates/
+.. _GITLABS: https://docs.gitlab.com/ee/administration/operations/ssh_certificates.html
+
+To use principals and ssh-certificates with this fork of gitosis, please add this snippet to your sshd_config on your git-server
+
+    Match User git
+        AuthorizedPrincipalsCommandUser git
+        AuthorizedPrincipalsCommand    /usr/local/bin/gitosis-authorized-principals %i 
+
+This will run the command as user "git", which will you have installed, when you serve your gitrepos with gitosis. 
+%i is the key-identity of your certificate, which will you give on your sign-process to the user-certificate.
+
+Then you need an additional line in your gitosis.conf in the [gitosis]-section
+
+    [gitosis]
+    ...
+    allowedPrincipals = git gitosis-admin
+
+In the members-line of your gitosis.conf, you have to write down the key-identity (which is passed as %i in you sshd_config). If you are not sure,
+what the identity is, try
+
+    ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub
+
+    /home/myusername/.ssh/id_rsa-cert.pub:
+        Type: ssh-rsa-cert-v01@openssh.com user certificate
+        Public key: RSA-CERT SHA256:cjLH4l45G32zOaJBjv8Udnr7bkwHRNB3nAz0a6SCOl0
+        Signing CA: ED25519 SHA256:9bMENs+blen§naslr§BJEN421I5ckbu4mvpnktiHdUs (using ssh-ed25519)
+        Key ID: "myusername"
+        Serial: 4
+        Valid: from 2019-08-02T02:29:00 to 2020-08-01T02:30:20
+        Principals: 
+                myusername
+                principal2
+                git
+                gitosis-admin
+        Critical Options: (none)
+        Extensions: 
+                permit-X11-forwarding
+                permit-agent-forwarding
+                permit-port-forwarding
+                permit-pty
+                permit-user-rc
+
+from your principals in the key, only git and gitosis-admin are allowed. You must have at least one of this allowed principals in your key, to get access to your gitosis-served repos.
+Access is only given, if you have one of the allowed principals in your certificate, and your key ID is listed as member in the repo

 Contact
 =======