deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

(ssh) make it easier to make give some users a full shell

Browse source
This commit is contained in:
Sitaram Chamarty 2012-05-18 12:48:51 +05:30
parent 07169c37ec
commit 8644690506
2 changed files with 43 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
doc/extras/sts.mkd
View file

@ -151,20 +151,23 @@ Done? OK, now the general outline for ssh troubleshooting is this:
Thanks to an idea from Jesse Keating, a single key can allow both gitolite Thanks to an idea from Jesse Keating, a single key can allow both gitolite
access *and* shell access. access *and* shell access.
This is done by manually prefixing the username with "-s" as an extra argument To do this:
in the "command=" part of `~/.ssh/authorized_keys`. For example
command="/home/g3/gitolite/src/gitolite-shell u1",no-port-[...etc...] * add the list of users who will have shell access -- one username per line,
no extra whitespace -- to a plain text file of your choice.
should be edited to be * put the name of this file in a new rc variable `SHELL_USERS_LIST`. For
example it could be
command="/home/g3/gitolite/src/gitolite-shell -s u1",no-port-[...etc...] SHELL_USERS_LIST => "$ENV{HOME}/.gitolite.shell-users",
and moved out of the gitolite area of the authkeys file. * add the line `'Shell::input',` to the `INPUT` list in the rc file.
It should be easy to make src/triggers/post-compile/ssh-authkeys read a list * add the line `'post-compile/ssh-authkeys-shell-users',` to the
of shell capable users from some file on the server and put in the "-s" for `POST_COMPILE` list, *after* the `'post-compile/ssh-authkeys',` line.
those users. Patches welcome.
Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy
change to the admin repo.
#### simulating ssh-copy-id #### simulating ssh-copy-id

31
src/triggers/post-compile/ssh-authkeys-shell-users Executable file
View file

@ -0,0 +1,31 @@
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use lib $ENV{GL_LIBDIR};
use Gitolite::Rc;
use Gitolite::Common;
$|++;
my $akfile = "$ENV{HOME}/.ssh/authorized_keys";
my $sufile = $rc{SHELL_USERS_LIST} or exit 0;
-r $sufile or _die "'$sufile' not readable";
# ----------------------------------------------------------------------
my $aktext = slurp($akfile);
for my $su ( shell_users() ) {
$aktext =~ s(/gitolite-shell $su",(.*?),no-pty )(/gitolite-shell -s $su",$1 );
}
_print( $akfile, $aktext );
sub shell_users {
my @ret = grep { not /^#/ } slurp($sufile);
chomp(@ret);
return @ret;
}