From 2e5909e761f40e42684fbaa71f3b5bcb49500567 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Sat, 23 Oct 2021 12:52:42 -0400
Subject: move all files to EndoForge
---
src/AnonymousAccessCommand | 126 ---------------------------------------------
src/AuthorizedKeysCommand | 15 ------
src/anonymous-access.conf | 10 ----
3 files changed, 151 deletions(-)
delete mode 100755 src/AnonymousAccessCommand
delete mode 100755 src/AuthorizedKeysCommand
delete mode 100644 src/anonymous-access.conf
(limited to 'src')
diff --git a/src/AnonymousAccessCommand b/src/AnonymousAccessCommand
deleted file mode 100755
index 443d25e..0000000
--- a/src/AnonymousAccessCommand
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/sh
-default_msg()
-{
- sshfpline="$(get_sshfp_authline ${SSH_CLIENT%% *})"
- cat <&2
-
- You are:
-
- $authline
- $sshfpline
-
-EOF
-}
-
-get_sshfp_authline()
-{
- (
- r=${1:-.}
- key=$(mktemp) || exit
- trap 'rm -rf "$key"' EXIT
- echo "$authline" > "$key"
- get_sshfp "$key" "$r"
- )
-}
-
-get_sshfp()
-{
- (
- key="$1"
- r="${2:-.}"
- dns=$(mktemp) || exit
- trap 'rm -rf "$dns"' EXIT
-
- ssh-keygen -r "$r" -f "$key" > "$dns"
- exec < "$dns"
- while read line
- do
- set -- $line
- if [ "$3 $5" = "SSHFP 2" ]
- then
- echo "$line"
- break
- fi
- done
- )
-}
-
-ssh_client_fingerprint_base16()
-{
- set -- $(get_sshfp_authline)
- [ "$6" ]
- echo $6
-}
-
-check_if_self_forge()
-{
- # TODO: don't use description, but something else.
- local dir="$1"
- [ -d "$dir" ] || exit
- [ -r "$dir"/description ] || exit
- read description < "$dir"/description
- if [ "$description" != self-forge ] && [ "$(GIT_DIR=$dir git config core.self-forge)" != true ]
- then
- echo 'Error: access denied. The specified directory is not a self-forge.' >&2
- exit
- fi
-}
-
-read authtype authline < "$SSH_USER_AUTH" || exit
-[ "$authtype" = publickey ] || exit
-
-cmd=${SSH_ORIGINAL_COMMAND%% *}
-
-case "$cmd" in
- git-send-pack | git-upload-pack)
- GIT_NAMESPACE=
- ;;
- git-receive-pack)
- export GIT_NAMESPACE="$(ssh_client_fingerprint_base16)"
- [ "$GIT_NAMESPACE" ] || exit
- ;;
- *)
- default_msg
- exit
- ;;
-esac
-
-arg=${SSH_ORIGINAL_COMMAND#* }
-arg=${arg%\'}
-arg=${arg#\'}
-case "$arg" in
- *\'*) exit ;;
- *.git) ;;
- *) arg=$arg/.git ;;
-esac
-
-dir=$(readlink -e "$arg") || exit
-
-check_if_self_forge "$dir"
-
-with_allowCurrentBranch()
-{
- local cmd="$1" dir="$2"
- (
- set -eC
- lockfile=$GIT_DIR/index.lock
- echo $$ > "$lockfile"
- trap 'rm -f "$lockfile"' EXIT
-
- # This doesn't seem very secure. Need to patch git probably.
- for deny in CurrentBranch # DeleteCurrent
- do git config receive.deny$deny false
- done
- "$@"
- for deny in CurrentBranch # DeleteCurrent
- do git config receive.deny$deny true
- done
- )
-}
-
-if [ "$GIT_NAMESPACE" ]
-then
- GIT_DIR=$dir with_allowCurrentBranch "$cmd" "$dir"
-else
- "$cmd" "$dir"
-fi
diff --git a/src/AuthorizedKeysCommand b/src/AuthorizedKeysCommand
deleted file mode 100755
index 6e13063..0000000
--- a/src/AuthorizedKeysCommand
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-username=$1
-userhome=$2
-fingerprint=$3
-authline="$4 $5"
-
-case "$userhome" in
- *'"'*) exit ;;
-esac
-
-usercommand=$userhome/.ssh/AnonymousAccessCommand
-
-[ -x "$usercommand" ] || exit
-
-printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"
diff --git a/src/anonymous-access.conf b/src/anonymous-access.conf
deleted file mode 100644
index 5cd6b6a..0000000
--- a/src/anonymous-access.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-ExposeAuthInfo=yes
-AuthorizedKeysCommandUser=root
-AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k"
-
-# %u The username.
-# %h The home directory of the user.
-# %f The fingerprint of the key or certificate.
-# %t The key or certificate type.
-# %k The base64-encoded key or certificate for authentication.
-
-- cgit v1.2.3