= Sourcehut SSH =

Sourcehut uses an authentication dispatch to enable key-based [[Encryption/SSH|SSH]] access to repositories.

----



== Design ==

Users have [[Encryption/SSHKeyGen|SSH keys]] associated with their accounts.

When an SSH client tries to access the `sshd(8)` server, the request is dispatched to the script `gitsrht-dispatch`. This process runs as `root`.

`gitsrht-dispatch` is separately configured to expect specific usernames to trigger specific authentication logic. It falls back to re-dispatching for local user login.

For the `git` user, `gitsrht-dispatch` takes the SSH key provided with the request and checks it against the user database to determine who is attempting to access a repository. Assuming that the user lookup succeeded, the ACL for the requested repository is also checked. Again assuming success on repository lookup, a virtual `authorized_users` file is generated and passed back to `sshd(8)`.

----



== Users ==

A user named `git` is created automatically by installing the `git.sr.ht` package, but an additional step of manually setting a login password for that user is necessary.

{{{
sudo passwd git
}}}

This user should automatically have `gitsrht-dispatch` as the login shell. It does not allow interactive login, just SSH-based [[Git|git]] actions.

----



== Logs ==

`/var/log/gitsrht-shell` needs to exist and be writable by the `git` user.

----



== SSHD ==

Set up [[Encryption/OpenSSH|sshd(8)]].

In `/etc/ssh/sshd_config`, set:

{{{
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*
}}}

----



== Sourcehut ==

In `/etc/sr.ht/config.ini`, set:

{{{
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
}}}

The right-hand side is the uid-gid pair that `gitsrht-dispatch` will watch for, and the left-hand side is a binary that will be dispatched to. This should work out of the box, but additional authentication stacks can be inserted here.
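
Because the dispatcher is started by `sshd(8)` as `root`, every binary listed in `[git.sr.ht::dispatch]` is worth auditing whenever an authentication stack is added. The following is an added example, not Sourcehut's own code: it parses the section shown above, resolves which handler a login user maps to (or the fallback), and checks each handler's ownership and write permissions. The function names and the `trusted_uid=0` default are assumptions made for illustration.

```python
import configparser
import os
import stat

# Added example: names are illustrative, not sr.ht code; the sample is constructed from the section above.
SAMPLE_CONFIG = """\
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
"""

def load_dispatch_table(config_text):
    """Return {login_user: (group, handler_path)} from the dispatch section."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep handler paths case-sensitive
    parser.read_string(config_text)
    table = {}
    for handler, owner in parser["git.sr.ht::dispatch"].items():
        user, sep, group = owner.partition(":")
        if not sep or not user or not group:
            raise ValueError(f"malformed user:group pair for {handler}: {owner!r}")
        if user in table:
            raise ValueError(f"login user {user!r} is mapped to two handlers")
        table[user] = (group, handler)
    return table

def select_handler(table, login_user):
    """Handler path for the %u value sshd passes, or None for the local-login fallback."""
    entry = table.get(login_user)
    return entry[1] if entry else None

def audit_handler(path, trusted_uid=0):
    """List reasons a handler is unsafe; trusted_uid=0 (root) is an assumed policy."""
    if not os.path.isabs(path):
        return ["path is not absolute"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["handler does not exist"]
    issues = []
    if st.st_uid != trusted_uid:
        issues.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group or others")
    return issues

if __name__ == "__main__":
    for user, (group, handler) in load_dispatch_table(SAMPLE_CONFIG).items():
        print(user, group, handler, audit_handler(handler) or "ok")
```

To audit a live host, pass the contents of `/etc/sr.ht/config.ini` to `load_dispatch_table` instead of the constructed sample.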

----
CategoryRicottone