diff options
| author | Andrew Cady <d@jerkface.net> | 2019-07-29 18:42:41 -0400 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2019-07-29 19:09:03 -0400 |
| commit | b97c9e45ff37ee6d6135a525a3c784136adcf188 (patch) | |
| tree | 1ad91168281cbb4f1ed2f24720739e05c020ee9f | |
| parent | 134c077b0607d702f248d26eea49360ae06d0450 (diff) | |
query authorized_keys.d in ssh-forced-command
| -rwxr-xr-x | forced-ssh-command | 33 | ||||
| -rwxr-xr-x | hooks/post-receive | 33 |
2 files changed, 32 insertions, 34 deletions
diff --git a/forced-ssh-command b/forced-ssh-command index 4af26c6..e06d96c 100755 --- a/forced-ssh-command +++ b/forced-ssh-command | |||
| @@ -141,14 +141,45 @@ valid_new_public_repo() | |||
| 141 | esac | 141 | esac |
| 142 | } | 142 | } |
| 143 | 143 | ||
| 144 | GET_NOMIC_USER() | ||
| 145 | { | ||
| 146 | local whitelist_dir="$1" a b keytype keyval keyname | ||
| 147 | if [ "$NOMIC_USER" ] | ||
| 148 | then | ||
| 149 | return | ||
| 150 | elif [ "$SSH_USER_AUTH" ] && [ -f "$SSH_USER_AUTH" ] | ||
| 151 | then | ||
| 152 | read authtype keytype keyval < "$SSH_USER_AUTH" | ||
| 153 | [ "$authtype" = publickey ] || exit | ||
| 154 | |||
| 155 | for keyname in "${whitelist_dir}"/* | ||
| 156 | do | ||
| 157 | while read a b _ | ||
| 158 | do | ||
| 159 | case "$a $b" in | ||
| 160 | "$keytype $keyval") | ||
| 161 | NOMIC_USER=${keyname#authorized_keys.d/} | ||
| 162 | break | ||
| 163 | ;; | ||
| 164 | esac | ||
| 165 | done < "$keyname" | ||
| 166 | done | ||
| 167 | true | ||
| 168 | else | ||
| 169 | warn "\$SSH_USER_AUTH missing. Try putting 'ExposeAuthInfo yes' in /etc/ssh/sshd_config" | ||
| 170 | false | ||
| 171 | fi | ||
| 172 | } | ||
| 173 | |||
| 144 | check_if_ssh_user_owns_repository() | 174 | check_if_ssh_user_owns_repository() |
| 145 | { | 175 | { |
| 146 | git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_REMOTE_FINGERPRINT_TRIMMED" | 176 | git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_REMOTE_FINGERPRINT_TRIMMED" |
| 147 | } | 177 | } |
| 178 | |||
| 148 | ssh_user_owns_repository() | 179 | ssh_user_owns_repository() |
| 149 | { | 180 | { |
| 150 | if [ -z "$SSH_USER_OWNS_REPOSITORY" ]; then | 181 | if [ -z "$SSH_USER_OWNS_REPOSITORY" ]; then |
| 151 | check_if_ssh_user_owns_repository | 182 | check_if_ssh_user_owns_repository || GET_NOMIC_USER "$git_dir" |
| 152 | SSH_USER_OWNS_REPOSITORY=$? | 183 | SSH_USER_OWNS_REPOSITORY=$? |
| 153 | fi | 184 | fi |
| 154 | return $SSH_USER_OWNS_REPOSITORY | 185 | return $SSH_USER_OWNS_REPOSITORY |
diff --git a/hooks/post-receive b/hooks/post-receive index 74fe96b..72dc81d 100755 --- a/hooks/post-receive +++ b/hooks/post-receive | |||
| @@ -15,38 +15,5 @@ warn() | |||
| 15 | fi | 15 | fi |
| 16 | } | 16 | } |
| 17 | 17 | ||
| 18 | GET_NOMIC_USER() | ||
| 19 | { | ||
| 20 | if [ "$NOMIC_USER" ] | ||
| 21 | then | ||
| 22 | return | ||
| 23 | elif [ "$SSH_USER_AUTH" ] && [ -f "$SSH_USER_AUTH" ] | ||
| 24 | then | ||
| 25 | read authtype keytype keyval < "$SSH_USER_AUTH" | ||
| 26 | [ "$authtype" = publickey ] || exit | ||
| 27 | |||
| 28 | for keyname in authorized_keys.d/* | ||
| 29 | do | ||
| 30 | while read a b _ | ||
| 31 | do | ||
| 32 | case "$a $b" in | ||
| 33 | "$keytype $keyval") | ||
| 34 | NOMIC_USER=${keyname#authorized_keys.d/} | ||
| 35 | break | ||
| 36 | ;; | ||
| 37 | esac | ||
| 38 | done < "$keyname" | ||
| 39 | done | ||
| 40 | true | ||
| 41 | else | ||
| 42 | warn "\$SSH_USER_AUTH missing. Try putting 'ExposeAuthInfo yes' in /etc/ssh/sshd_config" | ||
| 43 | false | ||
| 44 | fi | ||
| 45 | } | ||
| 46 | |||
| 47 | GIT_WORK_TREE=. git checkout -f master -- authorized_keys.d/\* | 18 | GIT_WORK_TREE=. git checkout -f master -- authorized_keys.d/\* |
| 48 | 19 | ||
| 49 | if GET_NOMIC_USER | ||
| 50 | then | ||
| 51 | warn "NOMIC_USER=$NOMIC_USER" | ||
| 52 | fi | ||