From 901a5f722049c6316d137688756613f06a57d423 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Sun, 23 Aug 2009 07:09:59 +0530
Subject: [PATCH] gl-add-auth-keys; first version, pretty much done
---
 gl-add-auth-keys | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100755 gl-add-auth-keys
diff --git a/gl-add-auth-keys b/gl-add-auth-keys
new file mode 100755
index 0000000..dfadc1a
--- /dev/null
+++ b/gl-add-auth-keys
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# === add-auth-keys ===
+# refreshes ~/.ssh/authorized_keys from the list of pub-keys
+
+# part of the gitosis-lite (GL) suite
+
+# how run: manual, by GL admin
+# when: anytime a pubkey is added/deleted
+# (i.e., contents of ~/.gitosis-lite/pubkeys change)
+# input: ~/.gitosis-lite/pubkeys
+# output: ~/.ssh/authorized_keys
+# security:
+# - touches a very critical system file that manages the restrictions on
+# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
+# below) on any change to this script
+# - no security checks within program. The GL admin runs this manually
+
+# robustness:
+# - if the "start" line exists, but the "end" line does not, you lose the
+# rest of the existing authkey file. In general, "don't do that (TM)",
+# but we do have a "vim -d" popping up so you can see the changes being
+# made, just in case...
+
+# other notes:
+# - you do NOT need to run this for permission changes within
+# gitosis-lite.conf, (like giving an *existing* user new rights)
+# - keys are added/deleted from the keystore **manually**, and all keys
+# are named "name.pub"
+
+# command and options for authorized_keys
+AUTH_COMMAND=~/.gitosis-lite/myecho
+AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
+
+# save existing authkeys minus the GL-added stuff
+sed -e '/^# gitosis-lite start/,/^# gitosis-lite end/d' \
+ < ~/.ssh/authorized_keys \
+ > ~/.ssh/new_authkeys
+
+# add our "start" line, each key on its own line (prefixed by command and
+# options, in the standard ssh authorized_keys format), then the "end" line.
+echo "# gitosis-lite start" >> ~/.ssh/new_authkeys
+cd ~/.gitosis-lite/pubkeys
+for i in *.pub
+do
+ j=${i%.pub}
+ echo -n "command=\"$AUTH_COMMAND $j\",$AUTH_OPTIONS "
+ cat $i
+done >> ~/.ssh/new_authkeys
+echo "# gitosis-lite end" >> ~/.ssh/new_authkeys
+
+# just so you can see what changes are being made
+vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys
+
+# all done; overwrite the file (use cat to avoid perm changes)
+cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys
+rm ~/.ssh/new_authkeys
+
+# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an
+# autocheckin. nothing fancy; this is a "just in case" type of thing.
+cd ~/.gitosis-lite
+if [[ -d .git ]]
+then
+ git add -A pubkeys # stage all changes in pubkeys
+ if ! git diff --cached --quiet # and if there are any
+ then
+ echo pubkeys changed # create a commit message
+ echo
+ git diff --cached --name-status
+ fi | git commit -F - # and commit
+fi
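Review bot: The `cat $i` in the `for i in *.pub` loop that appends to ~/.ssh/new_authkeys copies the whole file, but the `command="$AUTH_COMMAND $j",$AUTH_OPTIONS` prefix is written only once before it; if a .pub file holds more than one line, every line after the first lands in authorized_keys with no forced command and none of the AUTH_OPTIONS restrictions, and a file without a trailing newline makes the next key's prefix run onto the same line as the previous key's comment. The header comment says the keystore is edited by hand, so this is an easy mistake to make, and sshd accepts the unrestricted entry silently. Prefixing every non-empty line of each file (and quoting `"$i"`) closes both gaps; the rewritten loop body is below. A cheaper alternative is to refuse to write anything when a .pub file does not contain exactly one line.
```shell
for i in *.pub
do
  j=${i%.pub}
  # one authorized_keys entry per non-empty line, each carrying the forced command and options
  while IFS= read -r key || [[ -n "$key" ]]; do
    [[ -n "$key" ]] || continue
    printf 'command="%s %s",%s %s\n' "$AUTH_COMMAND" "$j" "$AUTH_OPTIONS" "$key"
  done < "$i"
done >> ~/.ssh/new_authkeys
```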