Sourcehut SSH

Sourcehut enables key-based SSH access to repositories by dispatching sshd(8)'s authorized-keys lookup to its own programs instead of to a static authorized_keys file.


Design

Users register SSH keys on their accounts in the web UI, which is also where repository access controls are managed. When an SSH client authenticates to sshd(8), the server does not read a static authorized_keys file; it runs gitsrht-dispatch as its AuthorizedKeysCommand, passing the requested username, that account's home directory, the key type and the base64 key. That process runs as root.

gitsrht-dispatch is separately configured to route requests for specific system accounts to specific key-lookup programs. For any account without an entry it falls back to that account's own ~/.ssh/authorized_keys, so ordinary local logins keep working.

For the git account the request goes to gitsrht-keys, which looks the presented key up in the Sourcehut user database to determine which account is connecting. If the key is known, gitsrht-keys prints a one-line virtual authorized_keys entry for exactly that key back to sshd(8), carrying the identified user, and sshd(8) authenticates the client against that entry. If the key is unknown, nothing is printed and the key is rejected. The repository ACL is not checked at this point, because sshd(8) has not yet received the git command; it is enforced afterwards, when gitsrht-shell runs the requested git-upload-pack or git-receive-pack against the named repository.


Users

A user named git is created automatically by installing the git.sr.ht package, but its password is left locked, and sshd(8) may refuse logins to a locked account even for key authentication (it does so when built without PAM). Unlock it by manually setting a login password; any long random one will do, since it is never used and git is reached only through key authentication:

sudo passwd git

The package sets gitsrht-shell as this user's login shell (check the shell field of its /etc/passwd entry). That shell does not allow an interactive login; it only runs SSH-based git actions such as git-upload-pack and git-receive-pack.


Logs

/var/log/gitsrht-shell needs to exist and be writable by the git user: gitsrht-shell runs as git, not root, and appends its log to that file, so create it and adjust its ownership or permissions accordingly.


SSHD

Set up sshd(8), then hook the dispatcher in. In /etc/ssh/sshd_config, set:

AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*

The tokens pass the requested username (%u), that account's home directory (%h), the key type (%t) and the base64-encoded key (%k) to gitsrht-dispatch, once for every key the client offers. AuthorizedKeysCommandUser=root is what makes the dispatcher run as root. PermitUserEnvironment SRHT_* lets the generated authorized_keys entries set SRHT_* environment variables, which is how the identified Sourcehut user reaches the login shell; keep the pattern that narrow, because a bare PermitUserEnvironment yes would let entries set variables such as LD_PRELOAD.


Sourcehut

In /etc/sr.ht/config.ini, set:

[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds

Each left-hand side is a program that gitsrht-dispatch will hand the request to, and the right-hand side is the user:group pair (resolved to a uid and gid) that the requesting account must match for that program to be chosen. The two entries shown cover git.sr.ht and builds.sr.ht and should work out of the box; additional authentication stacks for other services can be inserted here in the same form.
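The dispatch flow described under Design and the dispatch table above, modelled as an added example for this page (it is not Sourcehut's code): a Python stand-in for gitsrht-dispatch that parses the [git.sr.ht::dispatch] section, matches the requesting account's uid:gid against it, hands git requests to a stand-in for gitsrht-keys, and falls back to the account's own ~/.ssh/authorized_keys otherwise. The passwd and group tables, the config text, the key database, the SRHT_UID variable name and the restrict,environment= option string are all constructed assumptions; the real gitsrht-keys output format is not reproduced here.

```python
"""Model of the gitsrht-dispatch flow as an sshd AuthorizedKeysCommand.

Added example, not Sourcehut's code. The config section, passwd/group
tables, key database and the authorized_keys options emitted are all
constructed here for illustration.
"""
import configparser
import os
import tempfile

# Constructed stand-ins for getpwnam(3)/getgrnam(3): name -> (uid, gid) / gid.
PASSWD = {"git": (1001, 1001), "builds": (1002, 1002), "alice": (1000, 1000)}
GROUPS = {"git": 1001, "builds": 1002, "alice": 1000}

# Constructed copy of the dispatch section from /etc/sr.ht/config.ini.
CONFIG_INI = """
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
"""

# Constructed key database: (key type, base64 key) -> (username, user id).
ALICE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKeyNotARealKey00000000000"
SSH_KEYS = {("ssh-ed25519", ALICE_KEY): ("alice", 1)}


def load_dispatch_table(ini_text):
    """Parse [git.sr.ht::dispatch] into {(uid, gid): program}."""
    # Only "=" separates program from owner; ":" belongs to the user:group pair.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep the program path exactly as written
    cfg.read_string(ini_text)
    table = {}
    for program, owner in cfg["git.sr.ht::dispatch"].items():
        user, group = owner.split(":", 1)
        table[(PASSWD[user][0], GROUPS[group])] = program
    return table


def git_keys(key_type, key_b64):
    """Stand-in for gitsrht-keys: map the presented key to a Sourcehut account.

    Returns one authorized_keys line for exactly the presented key, or "" if
    the key is unknown; empty output makes sshd reject that key. The option
    string is an assumption modelled on the PermitUserEnvironment SRHT_*
    setting, not the real gitsrht-keys output.
    """
    match = SSH_KEYS.get((key_type, key_b64))
    if match is None:
        return ""
    _username, uid = match
    options = 'restrict,environment="SRHT_UID=%d"' % uid
    return "%s %s %s\n" % (options, key_type, key_b64)


def builds_keys(key_type, key_b64):
    """Stand-in for buildsrht-keys; no build keys exist in this example."""
    return ""


# Stands in for exec'ing the program named in the dispatch table.
HANDLERS = {"/usr/bin/gitsrht-keys": git_keys, "/usr/bin/buildsrht-keys": builds_keys}


def dispatch(user, home, key_type, key_b64, ini_text=CONFIG_INI):
    """Model of gitsrht-dispatch "%u" "%h" "%t" "%k" (runs as root under sshd).

    Chooses the program registered for the requesting account's uid:gid;
    otherwise falls back to the account's own ~/.ssh/authorized_keys so that
    normal logins keep working.
    """
    if user not in PASSWD:
        return ""
    program = load_dispatch_table(ini_text).get(PASSWD[user])
    if program is not None:
        return HANDLERS[program](key_type, key_b64)
    path = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.isfile(path):
        return ""
    with open(path) as f:
        return f.read()


def demo():
    """Run the three interesting cases and return their outputs as a tuple."""
    known = dispatch("git", "/home/git", "ssh-ed25519", ALICE_KEY)
    unknown = dispatch("git", "/home/git", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKey")
    with tempfile.TemporaryDirectory() as home:  # constructed local account home
        os.makedirs(os.path.join(home, ".ssh"))
        with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as f:
            f.write("ssh-ed25519 %s alice@laptop\n" % ALICE_KEY)
        local = dispatch("alice", home, "ssh-ed25519", ALICE_KEY)
    return known, unknown, local


if __name__ == "__main__":
    labels = ("git, known key", "git, unknown key", "alice, local fallback")
    for label, out in zip(labels, demo()):
        print("%-22s -> %r" % (label, out))
```

Running it shows the three cases: a known key for git yields one restricted entry for exactly the presented key, an unknown key yields empty output (so sshd(8) rejects it), and an account with no dispatch entry gets its own file back. Two points carry over to any real dispatcher: emit only the key that was presented, since sshd(8) matches its output against that key and printing the whole database is unnecessary; and the fallback runs as root and is not covered by sshd(8)'s StrictModes ownership checks, so a production dispatcher should verify the file's owner and mode before trusting it.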


CategoryRicottone

Sourcehut/SSH (last edited 2023-05-30 15:37:11 by DominicRicottone)