gitolite/contrib/real-users/gl-shell-setup

#!/bin/bash

# WARNING 1: probably contains bashisms galore.  If you don't have bash,
# please install it.

# NOTE 1: this script is run as root.

# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------

# BEGIN site-local changes

    # the full path to the new login shell to replace these users' existing shell
    new_shell="/usr/local/bin/gl-shell"

    my_chsh() {
        # please replace with appropriate command for your OS/distro.  This one is
        # suitable at least for Fedora, maybe others also
        chsh -s $new_shell $1 >&2
    }

    # remove these 2 lines after you have done your customisation
    [ -f /tmp/done.gl-shell-setup ] || { echo please customise $0 before using >&2; exit 1; }

# END site-local changes

# ------------------------------------------------------------------------------

die() { echo "FATAL: $@" >&2; exit 1; }

# ------------------------------------------------------------------------------

euid=$(perl -e 'print $>')
if [ "$euid" = "0" ]
then

    [ -n "$1" ] || die "need a valid username"
    user=$1
    id $user >/dev/null || die "need a valid username"

    # now fix up the user's login shell
    my_chsh $user

    pubkey="$PWD/$user.pub"
    [ -f "$pubkey" ] && {
        echo "$user.pub already exists.  Shell changed, exiting..." >&2
        exit 0
    }

    # drat... 'cd ~$user` doesn't work...
    cd $(bash -c "echo ~$user") || die "can't cd to $user's home directory"

    # now set up her rsa key, creating it if needed.  This will get used if
    # she comes in via password or without agent forwarding.
    [ -d .ssh ] || {
        mkdir .ssh
        chown $user .ssh
        chmod go-w  .ssh
    }

    [ -f .ssh/id_rsa.pub ] || {
        ssh-keygen -q -N "" -f .ssh/id_rsa >&2
        chown $user .ssh/id_rsa .ssh/id_rsa.pub
        chmod go-rw .ssh/id_rsa
        chmod go-w  .ssh/id_rsa.pub
    }

    # create alice.pub
    cat .ssh/id_rsa.pub > $pubkey

    exit 0

else

    die "needs to run as root"

fi
password access to gitolite using real users 2011-09-13 11:41:51 +02:00			`#!/bin/bash`

			`# WARNING 1: probably contains bashisms galore. If you don't have bash,`
			`# please install it.`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# NOTE 1: this script is run as root.`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# ------------------------------------------------------------------------------`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00			`# ------------------------------------------------------------------------------`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# BEGIN site-local changes`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# the full path to the new login shell to replace these users' existing shell`
			`new_shell="/usr/local/bin/gl-shell"`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`my_chsh() {`
			`# please replace with appropriate command for your OS/distro. This one is`
			`# suitable at least for Fedora, maybe others also`
			`chsh -s $new_shell $1 >&2`
			`}`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# remove these 2 lines after you have done your customisation`
			`[ -f /tmp/done.gl-shell-setup ] \|\| { echo please customise $0 before using >&2; exit 1; }`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# END site-local changes`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
			`# ------------------------------------------------------------------------------`

			`die() { echo "FATAL: $@" >&2; exit 1; }`

			`# ------------------------------------------------------------------------------`

			`euid=$(perl -e 'print $>')`
			`if [ "$euid" = "0" ]`
			`then`

			`[ -n "$1" ] \|\| die "need a valid username"`
			`user=$1`
			`id $user >/dev/null \|\| die "need a valid username"`

			`# now fix up the user's login shell`
			`my_chsh $user`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`pubkey="$PWD/$user.pub"`
			`[ -f "$pubkey" ] && {`
			`echo "$user.pub already exists. Shell changed, exiting..." >&2`
			`exit 0`
			`}`

password access to gitolite using real users 2011-09-13 11:41:51 +02:00			# drat... 'cd ~$user` doesn't work...
			`cd $(bash -c "echo ~$user") \|\| die "can't cd to $user's home directory"`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# now set up her rsa key, creating it if needed. This will get used if`
			`# she comes in via password or without agent forwarding.`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00			`[ -d .ssh ] \|\| {`
			`mkdir .ssh`
			`chown $user .ssh`
			`chmod go-w .ssh`
			`}`
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00
password access to gitolite using real users 2011-09-13 11:41:51 +02:00			`[ -f .ssh/id_rsa.pub ] \|\| {`
(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`ssh-keygen -q -N "" -f .ssh/id_rsa >&2`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00			`chown $user .ssh/id_rsa .ssh/id_rsa.pub`
			`chmod go-rw .ssh/id_rsa`
			`chmod go-w .ssh/id_rsa.pub`
			`}`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`# create alice.pub`
			`cat .ssh/id_rsa.pub > $pubkey`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
			`exit 0`

			`else`

(password access) backward compat breakage for gl-shell-setup; read below gl-shell-setup has a "run as hosting user" piece that basically automates the adding of the user's (new) key to the admin repo. This is now gone. (It's not that hard to automate yourself if you want to do it anyway, using gl-admin-push). I did this because I needed to allow someone in through a gateway, and realised that that has the exact same needs. So the whole scheme has been changed to treat the proxy and the gitolite host as being two different servers. At that point it became cumbersome to do the second bit, and I left it out. Other changes: - you can define exceptions for the default shell in gl-shell - the doc has been simplified. 2011-11-15 12:47:16 +01:00			`die "needs to run as root"`
password access to gitolite using real users 2011-09-13 11:41:51 +02:00
			`fi`