From 2b46c6a7fbf462e5ce0c91d7cfbbd9c8a0523b98 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Thu, 1 Apr 2021 20:45:41 +0200
Subject: [PATCH] basessh/distgit: adjust the way ssh is configured for distgit

Basically, we are now installing a small wrapper in /usr/local/bin which just echoes to stdout what should be in the authorized_keys file for that user. That content is generated by retrieving the ssh key from sssd via the command sss_ssh_authorizedkeys as well as the usual ssh way to restrict the action an user/key can do: command="...". In this case, we're setting a couple of environment variable that are needed later on for things to work properly as well as only allow the user to call the aclchecker.py script provided by pagure.

Signed-off-by: Pierre-Yves Chibon
---
 roles/basessh/templates/sshd_config | 5 +++++
 roles/distgit/files/ssh_wrapper | 16 ++++++++++++++++
 roles/distgit/tasks/main.yml | 12 ++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 roles/distgit/files/ssh_wrapper

diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 09802c76d8..b54428d3ea 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -51,8 +51,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
 {% if sshd_keyhelper %}
+{% if inventory_hostname.startswith('pkgs') %}
+AuthorizedKeysCommandUser nobody
+AuthorizedKeysCommand /usr/local/bin/ssh_wrapper "%u"
+{% else %}
 AuthorizedKeysCommandUser git
 AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
+{% endif %}
 {% else %}
 AuthorizedKeysCommandUser nobody
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
diff --git a/roles/distgit/files/ssh_wrapper b/roles/distgit/files/ssh_wrapper
new file mode 100644
index 0000000000..489fe20436
--- /dev/null
+++ b/roles/distgit/files/ssh_wrapper
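Review bot: The new branch keys a security-relevant sshd setting on `inventory_hostname.startswith('pkgs')` inside the basessh template, so any future host whose name happens to start with `pkgs` silently switches to the distgit wrapper, while the distgit role that actually installs `/usr/local/bin/ssh_wrapper` has no say in it. A dedicated boolean set from the distgit hosts' group vars, gating the block the same way `sshd_keyhelper` already does, keeps the template and the role in step; e.g. `{% if distgit_ssh_wrapper | default(False) %}` (variable name illustrative). A one-line comment above the branch saying that the wrapper emits one forced-`command=` line per key would also help, since a reader of sshd_config cannot see that from here.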
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+keys=`/usr/bin/sss_ssh_authorizedkeys $1`
+
+if [ -z "$keys" ];
+then
+ echo "No ssh key found by sssd";
+ exit 1
+fi
+
+
+/usr/bin/sss_ssh_authorizedkeys $1 | while read -r key
+do
+ echo "command=\"PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git/ /usr/libexec/pagure/aclchecker.py $1\", $key"
+done
+
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 79889e375c..e848b05337 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -106,6 +106,18 @@
 tags:
 - distgit
+# -- SSH
+# We use a wrapper to let packager ssh in while restricting the command they can
+# do, this installs that wrapper (which is otherwise configured in sshd_config)
+
+- name: install the ssh_wrapper wrapper script
+ copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
+ tags:
+ - config
+ - distgit
+ - ssh
+ - basessh
+
 # -- Dist Git --------------------------------------------
 # This is the Git setup itself: group, root directory, scripts,...
 - name: install dist-git
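Review bot: `echo "No ssh key found by sssd"` writes to stdout, which is exactly the stream sshd parses as authorized_keys content, so the diagnostic is handed to sshd as a bogus key line instead of reaching its log; redirect it with `>&2`. The username `$1` is unquoted in both `sss_ssh_authorizedkeys` calls and inside the forced command, and the lookup runs twice although `$keys` already holds the result, so the loop can read from `printf '%s\n' "$keys"` instead. With only `command=` set, a key still gets port forwarding, agent forwarding, X11 forwarding and a pty, none of which an ACL-checker forced command needs, so the generated line should carry `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` as well, comma-separated with no whitespace before the key. The exit status of `sss_ssh_authorizedkeys` is never checked, so an sssd failure is indistinguishable from a user without keys. The rewrite below folds these together while keeping the emitted command and environment unchanged.
```sh
#!/bin/sh
# Print the authorized_keys content for user "$1": every key sssd knows for
# that user, each restricted to the pagure ACL checker. sshd reads stdout as
# key material, so diagnostics go to stderr only.

user="$1"
keys=$(/usr/bin/sss_ssh_authorizedkeys "$user") || exit 1

if [ -z "$keys" ]; then
    echo "No ssh key found by sssd" >&2
    exit 1
fi

printf '%s\n' "$keys" | while read -r key; do
    [ -z "$key" ] && continue
    echo "command=\"PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git/ /usr/libexec/pagure/aclchecker.py $user\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $key"
done
```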
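Review bot: The `copy:` task sets `mode=0755` but no owner or group, and sshd refuses to run an `AuthorizedKeysCommand` program that is not owned by root or is writable by group or others; relying on the play happening to run as root for that is fragile, so make it explicit with `copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper owner=root group=root mode=0755`. The task is also tagged `basessh` although it lives in the distgit role; a comment such as `# tagged basessh because the basessh sshd_config template points at this path` would save the next reader a search.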