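#!/bin/sh
#
# SSH forced-command wrapper that serves Git repositories which have opted in
# with "git config core.self-forge true" to any client that authenticated with
# a public key.
#
# Reads from the sshd-provided environment:
#   SSH_USER_AUTH         file describing the authentication used; its first
#                         line must be "publickey <key>"
#   SSH_ORIGINAL_COMMAND  the command line the client asked for
#   SSH_CLIENT            client address, used only in the identity message
#
# Fetches run with an empty GIT_NAMESPACE. Pushes are confined to a Git
# namespace named after the type-2 (SHA-256) SSHFP fingerprint of the
# client's key.
#
# NOTE(review): the opt-in flag is read from the target repository's own
# config, so every directory this account can read that carries the flag is
# served. Consider also restricting $dir to an allow-listed base directory.

# Print the client's public key and its SSHFP record to stderr.
default_msg() {
  sshfpline="$(get_sshfp_authline "${SSH_CLIENT%% *}")"
  cat <<EOF >&2
You are:
$authline
$sshfpline
EOF
}

# Explain on stderr how the repository owner can enable anonymous access.
# Arguments: $1 - the path exactly as the client requested it
not_self_forge_message() {
  cat <<EOF >&2
Error: access denied.

The specified directory is not a self-forge.
To enable anonymous access, use the following commands:

    ssh $(id -un)@$(hostname)
    cd "$1"
    git config core.self-forge true
EOF
}

# Print the SSHFP record of the authenticating key held in $authline.
# Arguments: $1 - owner name to put in the record (default ".")
get_sshfp_authline() {
  (
    r=${1:-.}
    key=$(mktemp) || exit
    trap 'rm -f -- "$key"' EXIT
    # printf rather than echo: the key line is data, not a format.
    printf '%s\n' "$authline" > "$key"
    get_sshfp "$key" "$r"
  )
}

# Print the first SSHFP record with fingerprint type 2 for a public key file.
# Arguments: $1 - public key file, $2 - owner name (default ".")
get_sshfp() {
  (
    key="$1"
    r="${2:-.}"
    dns=$(mktemp) || exit
    trap 'rm -f -- "$dns"' EXIT
    ssh-keygen -r "$r" -f "$key" > "$dns" || exit
    exec < "$dns"
    # The records are split into fields below; keep the shell from also
    # glob-expanding them.
    set -f
    while read -r line
    do
      set -- $line
      if [ "$3 $5" = "SSHFP 2" ]
      then
        printf '%s\n' "$line"
        break
      fi
    done
  )
}

# Print the hex fingerprint (field 6 of the SSHFP record) of the client key.
# Returns non-zero when no fingerprint could be derived or when it is not
# purely hexadecimal, so callers can refuse instead of using an empty value.
ssh_client_fingerprint_base16() {
  # Deliberate word splitting of the record into positional parameters.
  set -- $(get_sshfp_authline)
  case "$6" in
    '' | *[!0-9A-Fa-f]* )
      return 1
      ;;
  esac
  printf '%s\n' "$6"
}

# Succeed only if $1 is a directory whose Git config sets core.self-forge
# to exactly "true".
is_self_forge() {
  local dir="$1" confval
  [ -d "$dir" ] || return
  confval=$(GIT_DIR=$dir git config core.self-forge) || return
  [ "$confval" = true ]
}

# Run "$@" with core.bare forced to true while holding $GIT_DIR/index.lock.
# core.bare is set back to false and the lock removed on every exit path.
# NOTE(review): a repository that was already bare also ends up with
# core.bare=false afterwards; confirm that this is intended.
with_soul_bare() {
  (
    set -eC
    : "${GIT_DIR:?GIT_DIR must be set}"
    # Make sure the git calls below see GIT_DIR regardless of how the shell
    # treats a prefix assignment on a function call.
    export GIT_DIR
    lockfile=$GIT_DIR/index.lock
    # noclobber (-C) makes this fail, and the subshell exit, if the lock is
    # already held; the trap is installed only once the lock is ours.
    echo $$ > "$lockfile"
    trap 'rm -f -- "$lockfile"' EXIT
    # Turn fatal signals into a normal exit so the EXIT trap always runs.
    trap 'exit 1' HUP INT TERM
    git config core.bare true
    # From here on a failing command must not leave the repository flipped.
    trap 'git config core.bare false; rm -f -- "$lockfile"' EXIT
    "$@"
  )
}

unsupported() {
  echo "$0: Error: unsupported" >&2
}

# Only public-key authentication is accepted; the key line is kept in
# $authline for the fingerprint helpers above.
read -r authtype authline < "$SSH_USER_AUTH" || exit
[ "$authtype" = publickey ] || exit

# Anything other than the Git transport commands just gets the identity
# message.
cmd=${SSH_ORIGINAL_COMMAND%% *}
case "$cmd" in
  git-send-pack | git-upload-pack | git-receive-pack )
    ;;
  * )
    default_msg
    exit
    ;;
esac

# Strip one pair of surrounding single quotes from the path argument and
# refuse anything that still contains a quote.
arg=${SSH_ORIGINAL_COMMAND#* }
arg=${arg%\'}
arg=${arg#\'}
case "$arg" in
  *\'* )
    unsupported
    exit 1
    ;;
esac

# Canonicalise the path; "--" keeps a leading "-" in the client-supplied
# argument from being parsed as a readlink option.
if ! dir=$(readlink -e -- "$arg")
then
  exit 1
elif [ -d "$dir"/.git ]
then
  dir=$dir/.git
fi

if ! is_self_forge "$dir"
then
  not_self_forge_message "$arg"
  exit 1
fi

case "$cmd" in
  git-send-pack | git-upload-pack )
    GIT_NAMESPACE= "$cmd" "$dir"
    ;;
  git-receive-pack )
    # Fail closed: without a fingerprint the push would run with an empty
    # namespace and write to the repository's own refs.
    GIT_NAMESPACE=$(ssh_client_fingerprint_base16) || exit 1
    [ "$GIT_NAMESPACE" ] || exit 1
    export GIT_NAMESPACE
    GIT_DIR=$dir with_soul_bare "$cmd" "$dir"
    ;;
esac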