basessh/distgit: adjust the way ssh is configured for distgit
Basically, we are now installing a small wrapper in /usr/local/bin which just echoes to stdout what should be in the authorized_keys file for that user. That content is generated by retrieving the ssh key from sssd via the command sss_ssh_authorizedkeys as well as the usual ssh way to restrict the actions a user/key can do: command="...". In this case, we're setting a couple of environment variables that are needed later on for things to work properly, as well as only allowing the user to call the aclchecker.py script provided by pagure.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
parent 492fe4f671
commit 2b46c6a7fb
3 changed files with 33 additions and 0 deletions
|
@ -51,8 +51,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|||
AcceptEnv XMODIFIERS
|
||||
|
||||
{% if sshd_keyhelper %}
|
||||
{% if inventory_hostname.startswith('pkgs') %}
|
||||
AuthorizedKeysCommandUser nobody
|
||||
AuthorizedKeysCommand /usr/local/bin/ssh_wrapper "%u"
|
||||
{% else %}
|
||||
AuthorizedKeysCommandUser git
|
||||
AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
|
||||
{% endif %}
|
||||
{% else %}
|
||||
AuthorizedKeysCommandUser nobody
|
||||
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
|
||||
|
|
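Review bot: in the new inner branch, `{% if inventory_hostname.startswith('pkgs') %}` picks the sshd key command from a hostname prefix, so a host renamed into or out of the pkgs* pattern silently switches between /usr/local/bin/ssh_wrapper and /usr/libexec/pagure/keyhelper.py; a dedicated inventory variable next to sshd_keyhelper would make that choice explicit and auditable. Separately, sshd only runs an AuthorizedKeysCommand that is owned by root and not writable by group or others, so the task that deploys /usr/local/bin/ssh_wrapper (not visible in this hunk) should set the owner to root and a mode such as 0755. Because the wrapper receives only "%u" and runs as nobody, whatever it prints becomes the complete set of accepted keys and forced commands for that user, so it is worth confirming that it prints nothing when the sssd lookup fails rather than emitting a partial line.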