authorRafael Laboissiere <rafael@laboissiere.net>2016-01-21 18:23:51 -0200
committerRafael Laboissiere <rafael@laboissiere.net>2016-01-21 18:34:29 -0200
commite861551f7330a17f89f2b0704c906dd3451f8fbd (patch)
tree4b9f00cc0b9a27f4c1fb10a0e8cece635408f5b6
parent728464761221bcaaf80cd4a2b0c7d323be396cbb (diff)
Allow the inclusion of RSA keys with read-only access
This is accomplished by using the option 'command="..."' that precedes the key string in the authorized_keys file. The add-authorized-keys script now accepts the -r option for enabling the inclusion of the option above. The included option is actually 'command="read-only"', which points to a new script named read-only that is installed in the git-shell-commands directory of the Git user's login directory. This is done in the add-git-user script. Also, this commit makes some improvements in the code. The add-authorized-keys script now has a usage function and accepts a -h option. The add-git-user script has been better documented
-rwxr-xr-xadd-authorized-keys48
-rwxr-xr-xadd-git-user15
2 files changed, 57 insertions, 6 deletions
diff --git a/add-authorized-keys b/add-authorized-keys
index a0add93..3eef03f 100755
--- a/add-authorized-keys
+++ b/add-authorized-keys
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
### Add RSA keys to the authorized_keys file of a given user
@@ -20,15 +20,41 @@
### Get the program name
prog=${0##*/}
+usage () {
+ local status=$1
+ echo "Usage: $prog [-h] [-r] user file" >&$(($status + 1))
+ echo "Options:" >&$(($status + 1))
+ echo " -h show this usage notice" >&$(($status + 1))
+ echo " -r force read-only access" >&$(($status + 1))
+ echo "Arguments:" >&$(($status + 1))
+ echo " user the Git user to act upon" >&$(($status + 1))
+ echo " file the RSA public key to be added" >&$(($status + 1))
+ exit $status
+}
+
+### Default value
+readonly=no
+
+### Parse arguments
+args=$(getopt rh $*)
+
+eval set -- "$args"
+
+while true ; do
+ case "$1" in
+ -h) usage 0 ; exit ;;
+ -r) readonly=yes ; shift ;;
+ --) shift ; break ;;
+ esac
+done
+
### Ensure that the correct number of arguments are given
if [ $# != 2 ] ; then
- echo "Usage: $prog user file" 1>&2
- exit 1
+ usage 1
fi
-### Get the input arguments and check their sanity
+### Get Git user name and check its sanity
user=$1
-rsaid=$2
ret=false
id -u $user >/dev/null 2>&1 && ret=true
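Review bot: The option parsing at `args=$(getopt rh $*)` followed by `eval set -- "$args"` re-splits and re-evaluates the arguments, so a key file path containing whitespace or shell metacharacters is either mangled or interpreted by `eval`, and getopt's exit status is discarded — if it emits no output on an unknown option, the `while true` loop has no arm that shifts (no `*)` case) and would spin forever. Since the script is now `#!/bin/bash`, the builtin `getopts` does the same job without `eval` and without re-splitting. Also `-h) usage 0 ; exit ;;` carries a dead `exit` (usage already exits), and naming the flag variable `readonly` shadows the shell builtin's name, which reads confusingly even though the assignment is legal.
```shell
### Default value
readonly=no

### Parse arguments (getopts is a builtin: no eval, no re-splitting)
while getopts 'rh' opt ; do
  case "$opt" in
    h) usage 0 ;;
    r) readonly=yes ;;
    *) usage 1 ;;
  esac
done
shift $((OPTIND - 1))

# … unchanged: argument-count check, user sanity check …
```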
@@ -38,6 +64,9 @@ if [ $ret = false ] ; then
exit 1
fi
+### Get RSA file name and check its sanity
+rsaid=$2
+
type="OpenSSH RSA public key"
if [ "$(file --brief $rsaid)" != "$type" ] ; then
echo "$prog:E: File $rsaid is not of type '$type'." 1>&2
@@ -45,5 +74,12 @@ if [ "$(file --brief $rsaid)" != "$type" ] ; then
fi
### Install the key(s)
+tmp=$(tempfile)
+if [ "$readonly" = yes ] ; then
+ echo -n "command=\"read-only\" " > $tmp
+fi
+cat $rsaid >> $tmp
+
home=$(getent passwd $user | cut -f6 -d:)
-cat $rsaid >> $home/.ssh/authorized_keys
+cat $tmp >> $home/.ssh/authorized_keys
+rm $tmp
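Review bot: `echo -n "command=\"read-only\" " > $tmp` prefixes only the first line of `$tmp`, so if `$rsaid` holds more than one key line (the script header speaks of "key(s)") every key after the first is appended to authorized_keys without any restriction. Independently, a forced command on its own does not stop the key holder from requesting port, agent or X11 forwarding or a pty through sshd; the usual form is `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="read-only"` (newer OpenSSH also offers the single `restrict` option). Prefixing every line with sed also removes the need for `tempfile` (Debian-specific; `mktemp` is the portable choice) and the temp file that is left behind if a later command fails.
```shell
### Install the key(s)
opts=
if [ "$readonly" = yes ] ; then
  opts='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="read-only" '
fi
home=$(getent passwd "$user" | cut -f6 -d:)
sed "s|^|$opts|" -- "$rsaid" >> "$home/.ssh/authorized_keys"
```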
diff --git a/add-git-user b/add-git-user
index 1f5eec1..84660cb 100755
--- a/add-git-user
+++ b/add-git-user
@@ -63,6 +63,21 @@ printf '%s\\n\\n' "provide interactive shell access."
exit 128
EOF
chmod +x $nolog
+
+### Create the read-only script
+readonly=$gitshdir/read-only
+cat > $readonly <<EOF
+#!/bin/bash
+read -a tokens <<< "\$SSH_ORIGINAL_COMMAND"
+if [ "\${tokens[0]}" != git-receive-pack ] ; then
+ exec git-shell -c "\$SSH_ORIGINAL_COMMAND"
+else
+ exit 128
+fi
+EOF
+chmod +x $readonly
+
+### Adjust owner of git-shell-commands directory
chown -R $user:$user $gitshdir
### Initialize the SSH directory
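Review bot: The generated read-only script is a denylist on one spelling: `[ "\${tokens[0]}" != git-receive-pack ]` passes everything else to `exec git-shell -c`, but git-shell also accepts the two-word form `git receive-pack` (it rewrites `git foo` to `git-foo`) and will run any other script present in git-shell-commands. Inverting this into an allowlist of the read-only services (`git-upload-pack`, `git-upload-archive`) is the safer shape, and `read` should take `-r` so backslashes in SSH_ORIGINAL_COMMAND are not interpreted; the rejected branch then also covers an unset SSH_ORIGINAL_COMMAND, matching the `exit 128` of the no-login script above. The `\$` escapes are kept so the variables expand in the generated script rather than in add-git-user.
```shell
cat > $readonly <<EOF
#!/bin/bash
read -r -a tokens <<< "\$SSH_ORIGINAL_COMMAND"
case "\${tokens[0]}" in
  git-upload-pack|git-upload-archive)
    exec git-shell -c "\$SSH_ORIGINAL_COMMAND" ;;
  *)
    exit 128 ;;
esac
EOF
```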