(ssh) make it easier to make give some users a full shell
This commit is contained in:
parent
07169c37ec
commit
8644690506
2 changed files with 43 additions and 9 deletions
@ -151,20 +151,23 @@ Done? OK, now the general outline for ssh troubleshooting is this:
Thanks to an idea from Jesse Keating, a single key can allow both gitolite
access *and* shell access.
This is done by manually prefixing the username with "-s" as an extra argument
in the "command=" part of `~/.ssh/authorized_keys`. For example
To do this:
command="/home/g3/gitolite/src/gitolite-shell u1",no-port-[...etc...]
* add the list of users who will have shell access -- one username per line,
no extra whitespace -- to a plain text file of your choice.
should be edited to be
* put the name of this file in a new rc variable `SHELL_USERS_LIST`. For
example it could be
command="/home/g3/gitolite/src/gitolite-shell -s u1",no-port-[...etc...]
SHELL_USERS_LIST => "$ENV{HOME}/.gitolite.shell-users",
and moved out of the gitolite area of the authkeys file.
* add the line `'Shell::input',` to the `INPUT` list in the rc file.
It should be easy to make src/triggers/post-compile/ssh-authkeys read a list
of shell capable users from some file on the server and put in the "-s" for
those users. Patches welcome.
* add the line `'post-compile/ssh-authkeys-shell-users',` to the
`POST_COMPILE` list, *after* the `'post-compile/ssh-authkeys',` line.
Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy
change to the admin repo.
#### simulating ssh-copy-id
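--- /dev/null
+++ b/src/triggers/post-compile/ssh-authkeys-shell-users
@@ -0,0 +1,31 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+
+use File::Temp qw(tempfile);
+
+use lib $ENV{GL_LIBDIR};
+use Gitolite::Rc;
+use Gitolite::Common;
+
+$|++;
+
+my $akfile = "$ENV{HOME}/.ssh/authorized_keys";
+my $sufile = $rc{SHELL_USERS_LIST} or exit 0;
+-r $sufile or _die "'$sufile' not readable";
+
+# ----------------------------------------------------------------------
+
+my $aktext = slurp($akfile);
+
+for my $su ( shell_users() ) {
+$aktext =~ s(/gitolite-shell $su",(.*?),no-pty )(/gitolite-shell -s $su",$1 );
+}
+
+_print( $akfile, $aktext );
+
+sub shell_users {
+my @ret = grep { not /^#/ } slurp($sufile);
+chomp(@ret);
+return @ret;
+}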
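Review bot: The username read from SHELL_USERS_LIST is interpolated into the substitution pattern unescaped (`s(/gitolite-shell $su",(.*?),no-pty )(...)` inside the `for` loop), so a name containing regex metacharacters — `.` or `+`, which gitolite's username syntax appears to permit — can match a different user's key line and grant that user the shell instead, or fail to match its own; quote it in the pattern, i.e. `$aktext =~ s(/gitolite-shell \Q$su\E",(.*?),no-pty )(/gitolite-shell -s $su",$1 );`. `use File::Temp qw(tempfile);` is imported but never used, which suggests a temp-file-and-rename write was intended; whether `_print` from Gitolite::Common rewrites `~/.ssh/authorized_keys` atomically is not visible here, and a partial write to that file would lock every key holder out, so worth confirming or writing to a tempfile and renaming. `shell_users` skips comment lines but not blank or whitespace-only ones; `grep { /\S/ and not /^#/ }` keeps an empty username out of the pattern.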