Sourcehut SSH
Sourcehut uses an authentication dispatch to enable key-based SSH access to repositories.
Design
Users have SSH keys associated with their accounts. When an SSH client tries to access the sshd(8) server, the request is dispatched to the script gitsrht-dispatch. This process runs as root.
gitsrht-dispatch is separately configured to expect specific usernames to trigger specific authentication logic. It falls back to re-dispatching for local user login.
For the git user, gitsrht-dispatch takes the SSH key provided with the request and checks it against the user database, to determine who is attempting to access a repository. Assuming that the user lookup succeeded, the ACL for the requested repository is also checked. Again assuming success on repository lookup, a virtual authorized_users file is generated and passed back to sshd(8).
Users
A user named git is created automatically by installing the git.sr.ht package, but an additional step of manually setting a login password for that user is necessary.
sudo passwd git
This user should automatically have gitsrht-dispatch as the login shell. It does not allow interactive login, just SSH-based git actions.
Logs
/var/log/gitsrht-shell needs to exist and be writable by the git user.
SSHD
Set up sshd(8).
In /etc/ssh/sshd_config, set:
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*
Sourcehut
In /etc/sr.ht/config.ini, set:
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
The right-hand side is the uid-gid pair that gitsrht-dispatch will watch for, and the left-hand side is a binary that will be dispatched to. This should work out of the box, but additional authentication stacks can be inserted here.
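The following added example (not Sourcehut's own code and not part of the original page) checks an sshd_config and a config.ini against the settings given above and reports where they differ. The function names and the sample inputs are constructed for illustration, and Match blocks and Include directives in sshd_config are not handled.

```python
import configparser
import re

# Constructed sample inputs that mirror the settings shown on this page.
SSHD_CONFIG = """\
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*
"""
SRHT_CONFIG = """\
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
"""

def parse_sshd(text):
    """Map lower-cased keyword -> argument; accepts 'Key value' and 'Key=value'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*?)\s*$", line)
        if m:  # comments and blank lines do not match
            opts.setdefault(m.group(1).lower(), m.group(2))  # first value wins
    return opts

def audit(sshd_text, srht_text):
    """Return findings where the inputs differ from the settings on this page."""
    findings = []
    sshd = parse_sshd(sshd_text)
    cmd = [a.strip('"') for a in sshd.get("authorizedkeyscommand", "").split()]
    if not cmd or not cmd[0].endswith("/gitsrht-dispatch"):
        findings.append("AuthorizedKeysCommand does not run gitsrht-dispatch")
    elif cmd[1:] != ["%u", "%h", "%t", "%k"]:
        findings.append("dispatch arguments are not %u %h %t %k")
    if sshd.get("authorizedkeyscommanduser") != "root":
        findings.append("AuthorizedKeysCommandUser is not root")
    if sshd.get("permituserenvironment") != "SRHT_*":
        findings.append("PermitUserEnvironment is not restricted to SRHT_*")
    ini = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    ini.optionxform = str  # keep the binary paths case-sensitive
    ini.read_string(srht_text)
    section = "git.sr.ht::dispatch"
    entries = ini.items(section) if ini.has_section(section) else []
    if not entries:
        findings.append("no [git.sr.ht::dispatch] entries")
    for binary, owner in entries:
        user, _, group = owner.partition(":")
        if not binary.startswith("/") or not user or not group or ":" in group:
            findings.append(f"malformed dispatch entry: {binary}={owner}")
    return findings
```

An empty list from audit() means both files match the settings on this page; a PermitUserEnvironment value of yes is reported because it accepts every variable rather than only SRHT_*.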