diff --git a/gl-add-auth-keys b/gl-add-auth-keys
deleted file mode 100755
index dfadc1a..0000000
--- a/gl-add-auth-keys
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash
-
-# === add-auth-keys ===
-# refreshes ~/.ssh/authorized_keys from the list of pub-keys
-
-# part of the gitosis-lite (GL) suite
-
-# how run: manual, by GL admin
-# when: anytime a pubkey is added/deleted
-# (i.e., contents of ~/.gitosis-lite/pubkeys change)
-# input: ~/.gitosis-lite/pubkeys
-# output: ~/.ssh/authorized_keys
-# security:
-# - touches a very critical system file that manages the restrictions on
-# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
-# below) on any change to this script
-# - no security checks within program. The GL admin runs this manually
-
-# robustness:
-# - if the "start" line exists, but the "end" line does not, you lose the
-# rest of the existing authkey file. In general, "don't do that (TM)",
-# but we do have a "vim -d" popping up so you can see the changes being
-# made, just in case...
-
-# other notes:
-# - you do NOT need to run this for permission changes within
-# gitosis-lite.conf, (like giving an *existing* user new rights)
-# - keys are added/deleted from the keystore **manually**, and all keys
-# are named "name.pub"
-
-# command and options for authorized_keys
-AUTH_COMMAND=~/.gitosis-lite/myecho
-AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
-
-# save existing authkeys minus the GL-added stuff
-sed -e '/^# gitosis-lite start/,/^# gitosis-lite end/d' \
- < ~/.ssh/authorized_keys \
- > ~/.ssh/new_authkeys
-
-# add our "start" line, each key on its own line (prefixed by command and
-# options, in the standard ssh authorized_keys format), then the "end" line.
-echo "# gitosis-lite start" >> ~/.ssh/new_authkeys
-cd ~/.gitosis-lite/pubkeys
-for i in *.pub
-do
- j=${i%.pub}
- echo -n "command=\"$AUTH_COMMAND $j\",$AUTH_OPTIONS "
- cat $i
-done >> ~/.ssh/new_authkeys
-echo "# gitosis-lite end" >> ~/.ssh/new_authkeys
-
-# just so you can see what changes are being made
-vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys
-
-# all done; overwrite the file (use cat to avoid perm changes)
-cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys
-rm ~/.ssh/new_authkeys
-
-# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an
-# autocheckin. nothing fancy; this is a "just in case" type of thing.
-cd ~/.gitosis-lite
-if [[ -d .git ]]
-then
- git add -A pubkeys # stage all changes in pubkeys
- if ! git diff --cached --quiet # and if there are any
- then
- echo pubkeys changed # create a commit message
- echo
- git diff --cached --name-status
- fi | git commit -F - # and commit
-fi
diff --git a/gl-compile-conf b/gl-compile-conf
new file mode 100755
index 0000000..a954744
--- /dev/null
+++ b/gl-compile-conf
@@ -0,0 +1,86 @@
+#!/usr/bin/perl -w
+
+use strict;
+
+# === add-auth-keys ===
+# refreshes ~/.ssh/authorized_keys from the list of pub-keys
+
+# part of the gitosis-lite (GL) suite
+
+# how run: manual, by GL admin
+# when: anytime a pubkey is added/deleted
+# (i.e., contents of ~/.gitosis-lite/keydir change)
+# input: ~/.gitosis-lite/keydir
+# output: ~/.ssh/authorized_keys
+# security:
+# - touches a very critical system file that manages the restrictions on
+# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
+# below) on any change to this script
+# - no security checks within program. The GL admin runs this manually
+
+# robustness:
+# - if the "start" line exists, but the "end" line does not, you lose the
+# rest of the existing authkey file. In general, "don't do that (TM)",
+# but we do have a "vim -d" popping up so you can see the changes being
+# made, just in case...
+
+# other notes:
+# - you do NOT need to run this for permission changes within
+# gitosis-lite.conf, (like giving an *existing* user new rights)
+# - keys are added/deleted from the keystore **manually**, and all keys
+# are named "name.pub"
+
+# command and options for authorized_keys
+our $AUTH_COMMAND=$ENV{HOME} . "/.gitosis-lite/gl-auth-command";
+our $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
+
+# quick subroutines
+sub my_chdir
+{
+ chdir($_[0]) or die "chdir $_[0] failed: $!";
+}
+
+open(INF, "<", $ENV{HOME} . "/.ssh/authorized_keys") or die "open old authkeys failed: $!";
+open(OUT, ">", $ENV{HOME} . "/.ssh/new_authkeys") or die "open new authkeys failed: $!";
+# save existing authkeys minus the GL-added stuff
+while ()
+{
+ print OUT unless (/^# gitosis-lite start/../^# gitosis-lite end/);
+}
+
+# add our "start" line, each key on its own line (prefixed by command and
+# options, in the standard ssh authorized_keys format), then the "end" line.
+print OUT "# gitosis-lite start\n";
+my_chdir($ENV{HOME} . "/.gitosis-lite/keydir");
+for my $pubkey (glob("*.pub"))
+{
+ my $user = $pubkey; $user =~ s/\.pub$//;
+ print OUT "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
+ print OUT `cat $pubkey`;
+}
+print OUT "# gitosis-lite end\n";
+close(OUT);
+
+# check what changes are being made; just a comfort factor
+system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys");
+
+# all done; overwrite the file (use cat to avoid perm changes)
+system("cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys");
+system("rm ~/.ssh/new_authkeys");
+
+# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an
+# autocheckin. nothing fancy; this is a "just in case" type of thing.
+my_chdir($ENV{HOME} . "/.gitosis-lite");
+if (-d ".git")
+{
+ system("git add -A keydir"); # stage all changes in keydir
+ if (! system("git diff --cached --quiet") )
+ # and if there are any
+ {
+ open(COMMIT, "|-", "git commit -F -")
+ or die "pipe commit failed: $!";
+ print COMMIT "keydir changed\n\n";
+ print COMMIT `git diff --cached --name-status`;
+ close(COMMIT) or die "close commit failed: $!";
+ }
+}
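Review bot: The auto-commit guard `if (! system("git diff --cached --quiet") )` is inverted relative to the bash `if ! git diff --cached --quiet` it replaces: Perl's `system` returns 0 when the child exits 0, and `git diff --cached --quiet` exits 0 exactly when nothing is staged, so the block runs `git commit` when there are no changes (and `close(COMMIT)` then dies) and skips it when there are; write `if (system("git diff --cached --quiet") != 0)` instead. Separately, `print OUT \`cat $pubkey\`` shells out with the file name interpolated and copies the file verbatim, and `$user` is interpolated inside `command="..."`, so a key file with more than one line, or a name containing a quote or whitespace, yields authorized_keys entries that escape the forced command and `$AUTH_OPTIONS`; reading the file in Perl and rejecting anything but a single line of the expected public-key shape (and a `$user` matching `/^[\w.-]+$/`) would keep every emitted key under `$AUTH_COMMAND`. `print OUT` and `close(OUT)` are unchecked and the unchecked `system("cat ...")`/`system("rm ...")` pair removes new_authkeys even if the copy failed, so a short write on a full disk becomes the live authorized_keys; `close(OUT) or die "close new authkeys failed: $!"` and checking the copy's return before the `rm` would close that. The rendered `while ()` has presumably lost its `<INF>` readline operator in extraction; if the file really reads `while ()`, the loop never reads INF and never terminates, and INF is in any case never closed.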