Commit ef1f3798 authored by Lukas Fleischer's avatar Lukas Fleischer

Update the OpenSSH patch



Use the latest version of Damien Miller's patch to extend the parameters
passed to the AuthorizedKeysCommand.
Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <lfleischer@archlinux.org>
parent 4f4cfff6
......@@ -28,7 +28,7 @@ Setup on Arch Linux
$ cd /srv/http/aurweb/
$ git clone git://anongit.mindrot.org/openssh.git
$ cd openssh
$ git checkout V_6_7_P1
$ git checkout V_6_8_P1
$ git am ../scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
$ autoreconf
$ ./configure
......
......@@ -28,7 +28,7 @@ auto_orphan_age = 15552000
auto_delete_age = 86400
[auth]
key-prefixes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
valid-keytypes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
git-serve-cmd = /srv/http/aurweb/scripts/git-integration/git-serve.py
ssh-options = no-port-forwarding,no-X11-forwarding,no-pty
......
......@@ -4,6 +4,7 @@ import configparser
import mysql.connector
import os
import re
import sys
config = configparser.RawConfigParser()
config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
......@@ -14,14 +15,14 @@ aur_db_user = config.get('database', 'user')
aur_db_pass = config.get('database', 'password')
aur_db_socket = config.get('database', 'socket')
key_prefixes = config.get('auth', 'key-prefixes').split()
valid_keytypes = config.get('auth', 'valid-keytypes').split()
username_regex = config.get('auth', 'username-regex')
git_serve_cmd = config.get('auth', 'git-serve-cmd')
ssh_opts = config.get('auth', 'ssh-options')
pubkey = os.environ.get("SSH_KEY")
valid_prefixes = tuple(p + " " for p in key_prefixes)
if pubkey is None or not pubkey.startswith(valid_prefixes):
keytype = sys.argv[1]
keytext = sys.argv[2]
if not keytype in valid_keytypes:
exit(1)
db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
......@@ -30,7 +31,7 @@ db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
cur = db.cursor()
cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
"AND Suspended = 0", (pubkey,))
"AND Suspended = 0", (keytype + " " + keytext,))
if cur.rowcount != 1:
exit(1)
......@@ -39,4 +40,5 @@ user = cur.fetchone()[0]
if not re.match(username_regex, user):
exit(1)
print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))
print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts,
keytype + " " + keytext))
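Review bot: `keytype = sys.argv[1]` and `keytext = sys.argv[2]` in the second hunk are read without checking `len(sys.argv)`, so an sshd that invokes the command with fewer arguments (an unpatched build, or an sshd_config that lacks the `"%t" "%k"` tokens added in this commit) dies with an IndexError traceback instead of the clean `exit(1)` every other rejection path uses; add `if len(sys.argv) != 3: sys.exit(1)` before the two assignments. The new code also no longer constrains `keytext` at all, whereas the removed `startswith(valid_prefixes)` check at least validated the whole string; it reaches the database only as a bound parameter, so that is not an injection risk, but since the same value is echoed into the authorized_keys line printed at the end of the file, a sanity check that it is a single whitespace-free token would keep malformed input out of the output. Two smaller points on the same hunk: `if not keytype in valid_keytypes` reads better as `if keytype not in valid_keytypes`, and with `sys` now imported the bare `exit(1)` calls (here and in the third hunk) should become `sys.exit(1)`, since `exit` is the site-module helper rather than a guaranteed builtin.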
......@@ -2,5 +2,5 @@ Port 2222
HostKey ~/.ssh/ssh_host_rsa_key
PasswordAuthentication no
UsePrivilegeSeparation no
AuthorizedKeysCommand /srv/http/aurweb/scripts/git-integration/git-auth.py
AuthorizedKeysCommand /srv/http/aurweb/scripts/git-integration/git-auth.py "%t" "%k"
AuthorizedKeysCommandUser aur