From 864469050696fbff1581607a9203288f09247c31 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Fri, 18 May 2012 12:48:51 +0530
Subject: [PATCH] (ssh) make it easier to make give some users a full shell
---
 doc/extras/sts.mkd | 21 +++++++------
 .../post-compile/ssh-authkeys-shell-users | 31 +++++++++++++++++++
 2 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100755 src/triggers/post-compile/ssh-authkeys-shell-users
diff --git a/doc/extras/sts.mkd b/doc/extras/sts.mkd
index 9252d58..843f679 100644
--- a/doc/extras/sts.mkd
+++ b/doc/extras/sts.mkd
@@ -151,20 +151,23 @@ Done? OK, now the general outline for ssh troubleshooting is this:
 Thanks to an idea from Jesse Keating, a single key can allow both gitolite access *and* shell access. -This is done by manually prefixing the username with "-s" as an extra argument -in the "command=" part of `~/.ssh/authorized_keys`. For example +To do this: - command="/home/g3/gitolite/src/gitolite-shell u1",no-port-[...etc...] + * add the list of users who will have shell access -- one username per line, + no extra whitespace -- to a plain text file of your choice. -should be edited to be + * put the name of this file in a new rc variable `SHELL_USERS_LIST`. For + example it could be - command="/home/g3/gitolite/src/gitolite-shell -s u1",no-port-[...etc...] + SHELL_USERS_LIST => "$ENV{HOME}/.gitolite.shell-users", -and moved out of the gitolite area of the authkeys file. + * add the line `'Shell::input',` to the `INPUT` list in the rc file. -It should be easy to make src/triggers/post-compile/ssh-authkeys read a list -of shell capable users from some file on the server and put in the "-s" for -those users. Patches welcome. + * add the line `'post-compile/ssh-authkeys-shell-users',` to the + `POST_COMPILE` list, *after* the `'post-compile/ssh-authkeys',` line. + +Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy change to the admin repo. #### simulating ssh-copy-id 
diff --git a/src/triggers/post-compile/ssh-authkeys-shell-users b/src/triggers/post-compile/ssh-authkeys-shell-users
new file mode 100755
index 0000000..91ed857
--- /dev/null
+++ b/src/triggers/post-compile/ssh-authkeys-shell-users
@@ -0,0 +1,31 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+
+use File::Temp qw(tempfile);
+
+use lib $ENV{GL_LIBDIR};
+use Gitolite::Rc;
+use Gitolite::Common;
+
+$|++;
+
+my $akfile = "$ENV{HOME}/.ssh/authorized_keys";
+my $sufile = $rc{SHELL_USERS_LIST} or exit 0;
+-r $sufile or _die "'$sufile' not readable";
+
+# ----------------------------------------------------------------------
+
+my $aktext = slurp($akfile);
+
+for my $su ( shell_users() ) {
+ $aktext =~ s(/gitolite-shell $su",(.*?),no-pty )(/gitolite-shell -s $su",$1 );
+}
+
+_print( $akfile, $aktext );
+
+sub shell_users {
+ my @ret = grep { not /^#/ } slurp($sufile);
+ chomp(@ret);
+ return @ret;
+}
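Review bot: The substitution inside the `for my $su ( shell_users() )` loop carries no `/g` flag, so if a listed user appears on more than one line of authorized_keys only the first `gitolite-shell $su"` entry receives the `-s`; the remaining entries keep plain gitolite access, which is presumably not what the admin intends. `$su` is also interpolated into the pattern unescaped, so a list entry containing regex metacharacters silently changes what is matched; `$aktext =~ s(/gitolite-shell \Q$su\E",(.*?),no-pty )(/gitolite-shell -s $su",$1 )g;` addresses both points in one line. Separately, `use File::Temp qw(tempfile);` is imported but never used anywhere in the script and can be dropped. Because this list grants a full shell, a one-line comment above the `-r $sufile` check saying that the file's contents are trusted as-is and that no ownership or permission check is performed would help the next maintainer judge where that file may safely live.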