2012-03-11 17:03:15 +01:00
|
|
|
#!/usr/bin/perl
|
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
use File::Temp qw(tempfile);
|
2012-05-30 11:15:19 +02:00
|
|
|
use Getopt::Long;
|
2012-03-11 17:03:15 +01:00
|
|
|
|
2012-04-06 16:59:05 +02:00
|
|
|
use lib $ENV{GL_LIBDIR};
|
2012-03-11 17:03:15 +01:00
|
|
|
use Gitolite::Rc;
|
|
|
|
use Gitolite::Common;
|
|
|
|
|
|
|
|
$|++;
|
|
|
|
|
2012-05-30 11:15:19 +02:00
|
|
|
# best called via 'gitolite trigger POST_COMPILE'; other modes at your own
|
|
|
|
# risk, especially if the rc file specifies arguments for it. (That is also
|
|
|
|
# why it doesn't respond to "-h" like most gitolite commands do).
|
|
|
|
|
|
|
|
# option procesing
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
# currently has one option:
|
|
|
|
# -kfn, --key-file-name adds the keyfilename as a second argument
|
|
|
|
|
|
|
|
my $kfn = '';
|
|
|
|
GetOptions( 'key-file-name|kfn' => \$kfn, );
|
2012-03-11 17:03:15 +01:00
|
|
|
|
2012-03-27 07:01:32 +02:00
|
|
|
tsh_try("sestatus");
|
2012-03-30 02:41:06 +02:00
|
|
|
my $selinux = ( tsh_text() =~ /enabled/ );
|
2012-03-27 07:01:32 +02:00
|
|
|
|
2012-04-13 10:28:40 +02:00
|
|
|
my $ab = $rc{GL_ADMIN_BASE};
|
2012-03-16 04:55:39 +01:00
|
|
|
trace( 2, "'keydir' not found in '$ab'; exiting" ), exit if not -d "$ab/keydir";
|
2012-03-30 02:41:06 +02:00
|
|
|
my $akdir = "$ENV{HOME}/.ssh";
|
|
|
|
my $akfile = "$ENV{HOME}/.ssh/authorized_keys";
|
2012-04-13 10:28:40 +02:00
|
|
|
my $glshell = $rc{GL_BINDIR} . "/gitolite-shell";
|
2012-03-11 17:03:15 +01:00
|
|
|
my $auth_options = auth_options();
|
|
|
|
|
|
|
|
sanity();
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
_chdir($ab);
|
|
|
|
|
|
|
|
# old data
|
|
|
|
my $old_ak = slurp($akfile);
|
|
|
|
my @non_gl = grep { not /^# gito.*start/ .. /^# gito.*end/ } slurp($akfile);
|
|
|
|
chomp(@non_gl);
|
|
|
|
my %seen = map { $_ => 'a non-gitolite key' } ( fp(@non_gl) );
|
|
|
|
|
|
|
|
# pubkey files
|
|
|
|
chomp( my @pubkeys = `find keydir -type f -name "*.pub" | sort` );
|
|
|
|
my @gl_keys = ();
|
|
|
|
for my $f (@pubkeys) {
|
|
|
|
my $fp = fp($f);
|
|
|
|
if ( $seen{$fp} ) {
|
|
|
|
_warn "$f duplicates $seen{$fp}, sshd will ignore it";
|
|
|
|
} else {
|
|
|
|
$seen{$fp} = $f;
|
|
|
|
}
|
|
|
|
push @gl_keys, grep { /./ } optionise($f);
|
|
|
|
}
|
|
|
|
|
|
|
|
# dump it out
|
|
|
|
if (@gl_keys) {
|
2012-03-27 02:52:07 +02:00
|
|
|
my $out = join( "\n", @non_gl, "# gitolite start", @gl_keys, "# gitolite end" ) . "\n";
|
2012-03-11 17:03:15 +01:00
|
|
|
|
|
|
|
my $ak = slurp($akfile);
|
2012-05-21 11:52:19 +02:00
|
|
|
_die "'$akfile' changed between start and end of this program!" if $ak ne $old_ak;
|
2012-03-11 17:03:15 +01:00
|
|
|
_print( $akfile, $out );
|
|
|
|
}
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
sub sanity {
|
2012-05-21 11:52:19 +02:00
|
|
|
_die "'$glshell' not found; this should NOT happen..." if not -f $glshell;
|
|
|
|
_die "'$glshell' found but not readable; this should NOT happen..." if not -r $glshell;
|
|
|
|
_die "'$glshell' found but not executable; this should NOT happen..." if not -x $glshell;
|
2012-03-11 17:03:15 +01:00
|
|
|
|
2012-03-30 02:41:06 +02:00
|
|
|
_warn "$akdir missing; creating a new one" if not -d $akdir;
|
|
|
|
_warn "$akfile missing; creating a new one" if not -f $akfile;
|
2012-03-16 04:55:39 +01:00
|
|
|
|
2012-03-30 02:41:06 +02:00
|
|
|
_mkdir( $akdir, 0700 ) if not -d $akfile;
|
2012-03-11 17:03:15 +01:00
|
|
|
if ( not -f $akfile ) {
|
|
|
|
_print( $akfile, "" );
|
|
|
|
chmod 0700, $akfile;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sub auth_options {
|
2012-04-13 10:28:40 +02:00
|
|
|
my $auth_options = $rc{AUTH_OPTIONS};
|
2012-03-11 17:03:15 +01:00
|
|
|
$auth_options ||= "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
|
|
|
|
|
|
|
|
return $auth_options;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub fp {
|
|
|
|
# input: see below
|
|
|
|
# output: a (list of) FPs
|
|
|
|
my $in = shift || '';
|
|
|
|
if ( $in =~ /\.pub$/ ) {
|
|
|
|
# single pubkey file
|
2012-03-21 05:04:39 +01:00
|
|
|
_die "bad pubkey file '$in'" unless $in =~ $REPONAME_PATT;
|
2012-03-11 17:03:15 +01:00
|
|
|
return fp_file($in);
|
|
|
|
} elsif ( -f $in ) {
|
|
|
|
# an authkeys file
|
|
|
|
return map { fp_line($_) } grep { !/^#/ and /\S/ } slurp($in);
|
|
|
|
} else {
|
|
|
|
# one or more actual keys
|
2012-03-12 16:24:30 +01:00
|
|
|
return map { fp_line($_) } grep { !/^#/ and /\S/ } ( $in, @_ );
|
2012-03-11 17:03:15 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sub fp_file {
|
2012-03-30 02:41:06 +02:00
|
|
|
return $selinux++ if $selinux; # return a unique "fingerprint" to prevent noise
|
2012-03-11 17:03:15 +01:00
|
|
|
my $f = shift;
|
2012-03-21 05:04:39 +01:00
|
|
|
my $fp = `ssh-keygen -l -f '$f'`;
|
2012-03-11 17:03:15 +01:00
|
|
|
chomp($fp);
|
2012-05-21 11:52:19 +02:00
|
|
|
_die "fingerprinting failed for '$f'" unless $fp =~ /([0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+)/;
|
2012-03-11 17:03:15 +01:00
|
|
|
$fp = $1;
|
|
|
|
return $fp;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub fp_line {
|
|
|
|
my ( $fh, $fn ) = tempfile();
|
|
|
|
print $fh shift;
|
|
|
|
close $fh;
|
|
|
|
my $fp = fp_file($fn);
|
|
|
|
unlink $fn;
|
|
|
|
return $fp;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub optionise {
|
|
|
|
my $f = shift;
|
|
|
|
|
|
|
|
my $user = $f;
|
|
|
|
$user =~ s(.*/)(); # foo/bar/baz.pub -> baz.pub
|
|
|
|
$user =~ s/(\@[^.]+)?\.pub$//; # baz.pub, baz@home.pub -> baz
|
|
|
|
|
|
|
|
my @line = slurp($f);
|
|
|
|
if ( @line != 1 ) {
|
|
|
|
_warn "$f does not contain exactly 1 line; ignoring";
|
|
|
|
return '';
|
|
|
|
}
|
|
|
|
chomp(@line);
|
2012-05-30 11:15:19 +02:00
|
|
|
return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
|
2012-03-11 17:03:15 +01:00
|
|
|
}
|
|
|
|
|