deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

allow pubkey filename as extra argument to command in authkeys

Browse source
This commit is contained in:
Sitaram Chamarty 2012-05-30 14:45:19 +05:30
parent a64401bd9a
commit 7170ad9124
3 changed files with 43 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
doc/extras/sts.mkd
View file

@ -176,6 +176,34 @@ To do this:
Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy
change to the admin repo. change to the admin repo.
### distinguishing one key from another
Since a user can have [more than one key][multi-key], it is sometimes useful
to distinguish one key from another. Sshd does not tell you even the
fingerprint of the key that finally matched, so normally all you have is the
`GL_USER` env var.
However, if you replace
'post-compile/ssh-authkeys',
in the `POST_COMPILE` trigger list in the rc file with
'post-compile/ssh-authkeys --key-file-name',
then an extra argument is added after the username in the "command" variable
of the authkeys file. That is, instead of this:
command="/home/g3/gitolite/src/gitolite-shell u3",no-port-forwarding,...
you get this:
command="/home/g3/gitolite/src/gitolite-shell u3 keydir/u3.pub",no-port-forwarding,...
You can then write an INPUT trigger to do whatever you need with the file
name, which is in `$ARGV[1]` (the second argument). The actual file is
available at `$ENV{GL_ADMIN_BASE}/$ARGV[1]` if you need its contents.
### simulating ssh-copy-id ### simulating ssh-copy-id
don't have `ssh-copy-id`? This is broadly what that command does, if you want don't have `ssh-copy-id`? This is broadly what that command does, if you want

17
src/triggers/post-compile/ssh-authkeys
View file

@ -3,6 +3,7 @@ use strict;
use warnings; use warnings;
use File::Temp qw(tempfile); use File::Temp qw(tempfile);
use Getopt::Long;
use lib $ENV{GL_LIBDIR}; use lib $ENV{GL_LIBDIR};
use Gitolite::Rc; use Gitolite::Rc;
@ -10,8 +11,18 @@ use Gitolite::Common;
$|++; $|++;
# can be called directly, or as a post-update hook. Since it ignores # best called via 'gitolite trigger POST_COMPILE'; other modes at your own
# arguments anyway, it hardly matters. # risk, especially if the rc file specifies arguments for it. (That is also
# why it doesn't respond to "-h" like most gitolite commands do).
# option procesing
# ----------------------------------------------------------------------
# currently has one option:
# -kfn, --key-file-name adds the keyfilename as a second argument
my $kfn = '';
GetOptions( 'key-file-name|kfn' => \$kfn, );
tsh_try("sestatus"); tsh_try("sestatus");
my $selinux = ( tsh_text() =~ /enabled/ ); my $selinux = ( tsh_text() =~ /enabled/ );
@ -130,6 +141,6 @@ sub optionise {
return ''; return '';
} }
chomp(@line); chomp(@line);
return "command=\"$glshell $user\",$auth_options $line[0]"; return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
} }

2
src/triggers/post-compile/ssh-authkeys-shell-users
View file

@ -19,7 +19,7 @@ my $sufile = $rc{SHELL_USERS_LIST} or exit 0;
my $aktext = slurp($akfile); my $aktext = slurp($akfile);
for my $su ( shell_users() ) { for my $su ( shell_users() ) {
$aktext =~ s(/gitolite-shell $su",(.*?),no-pty )(/gitolite-shell -s $su",$1 ); $aktext =~ s(/gitolite-shell $su([" ].*?),no-pty )(/gitolite-shell -s $su$1 );
} }
_print( $akfile, $aktext ); _print( $akfile, $aktext );