Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

basessh/distgit: adjust the way ssh is configured for distgit

Browse source 
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action an user/key can do: command="...".
In this case, we're setting a couple of environment variable that
are needed later on for things to work properly as well as only
allow the user to call the aclchecker.py script provided by pagure.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
This commit is contained in:
Pierre-Yves Chibon 2021-04-01 20:45:41 +02:00
parent 492fe4f671
commit 2b46c6a7fb
3 changed files with 33 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
roles/basessh/templates/sshd_config
View file

@ -51,8 +51,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS AcceptEnv XMODIFIERS
{% if sshd_keyhelper %} {% if sshd_keyhelper %}
{% if inventory_hostname.startswith('pkgs') %}
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/local/bin/ssh_wrapper "%u"
{% else %}
AuthorizedKeysCommandUser git AuthorizedKeysCommandUser git
AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f" AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
{% endif %}
{% else %} {% else %}
AuthorizedKeysCommandUser nobody AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

16
roles/distgit/files/ssh_wrapper Normal file
View file

@ -0,0 +1,16 @@
#!/bin/sh
keys=`/usr/bin/sss_ssh_authorizedkeys $1`
if [ -z "$keys" ];
then
echo "No ssh key found by sssd";
exit 1
fi
/usr/bin/sss_ssh_authorizedkeys $1 | while read -r key
do
echo "command=\"PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git/ /usr/libexec/pagure/aclchecker.py $1\", $key"
done

12
roles/distgit/tasks/main.yml
View file

@ -106,6 +106,18 @@
tags: tags:
- distgit - distgit
# -- SSH
# We use a wrapper to let packager ssh in while restricting the command they can
# do, this installs that wrapper (which is otherwise configured in sshd_config)
- name: install the ssh_wrapper wrapper script
copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
tags:
- config
- distgit
- ssh
- basessh
# -- Dist Git -------------------------------------------- # -- Dist Git --------------------------------------------
# This is the Git setup itself: group, root directory, scripts,... # This is the Git setup itself: group, root directory, scripts,...
- name: install dist-git - name: install dist-git