gl-add-auth-keys; first version, pretty much done
This commit is contained in:
Sitaram Chamarty
commit
901a5f7220
71
gl-add-auth-keys
Executable file
71
gl-add-auth-keys
Executable file
|
|
@ -0,0 +1,71 @@
|
|||
#!/bin/bash
|
||||
|
||||
# === add-auth-keys ===
|
||||
# refreshes ~/.ssh/authorized_keys from the list of pub-keys
|
||||
|
||||
# part of the gitosis-lite (GL) suite
|
||||
|
||||
# how run: manual, by GL admin
|
||||
# when: anytime a pubkey is added/deleted
|
||||
# (i.e., contents of ~/.gitosis-lite/pubkeys change)
|
||||
# input: ~/.gitosis-lite/pubkeys
|
||||
# output: ~/.ssh/authorized_keys
|
||||
# security:
|
||||
# - touches a very critical system file that manages the restrictions on
|
||||
# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
|
||||
# below) on any change to this script
|
||||
# - no security checks within program. The GL admin runs this manually
|
||||
|
||||
# robustness:
|
||||
# - if the "start" line exists, but the "end" line does not, you lose the
|
||||
# rest of the existing authkey file. In general, "don't do that (TM)",
|
||||
# but we do have a "vim -d" popping up so you can see the changes being
|
||||
# made, just in case...
|
||||
|
||||
# other notes:
|
||||
# - you do NOT need to run this for permission changes within
|
||||
# gitosis-lite.conf, (like giving an *existing* user new rights)
|
||||
# - keys are added/deleted from the keystore **manually**, and all keys
|
||||
# are named "name.pub"
|
||||
|
||||
# command and options for authorized_keys
|
||||
AUTH_COMMAND=~/.gitosis-lite/myecho
|
||||
AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
|
||||
|
||||
# save existing authkeys minus the GL-added stuff
|
||||
sed -e '/^# gitosis-lite start/,/^# gitosis-lite end/d' \
|
||||
< ~/.ssh/authorized_keys \
|
||||
> ~/.ssh/new_authkeys
|
||||
|
||||
# add our "start" line, each key on its own line (prefixed by command and
|
||||
# options, in the standard ssh authorized_keys format), then the "end" line.
|
||||
echo "# gitosis-lite start" >> ~/.ssh/new_authkeys
|
||||
cd ~/.gitosis-lite/pubkeys
|
||||
for i in *.pub
|
||||
do
|
||||
j=${i%.pub}
|
||||
echo -n "command=\"$AUTH_COMMAND $j\",$AUTH_OPTIONS "
|
||||
cat $i
|
||||
done >> ~/.ssh/new_authkeys
|
||||
echo "# gitosis-lite end" >> ~/.ssh/new_authkeys
|
||||
|
||||
# just so you can see what changes are being made
|
||||
vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys
|
||||
|
||||
# all done; overwrite the file (use cat to avoid perm changes)
|
||||
cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys
|
||||
rm ~/.ssh/new_authkeys
|
||||
|
||||
# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an
|
||||
# autocheckin. nothing fancy; this is a "just in case" type of thing.
|
||||
cd ~/.gitosis-lite
|
||||
if [[ -d .git ]]
|
||||
then
|
||||
git add -A pubkeys # stage all changes in pubkeys
|
||||
if ! git diff --cached --quiet # and if there are any
|
||||
then
|
||||
echo pubkeys changed # create a commit message
|
||||
echo
|
||||
git diff --cached --name-status
|
||||
fi | git commit -F - # and commit
|
||||
fi
|
||||
Loading…
Reference in a new issue