From 9d7d54e28060c2f3e61d4c68663761cbbf4d1e57 Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Mon, 24 Oct 2016 07:28:54 -0700
Subject: [PATCH] ssh: enable fetches using "git" user

If the "mob" user is enabled it's already possible to fetch over ssh with no password or registered user by simply using the "mob" user since it's a passwordless user. If "mob" is disbled, however, that will not work.

The user name "git" is already reserved and cannot be added to the list of push users for a project. Allow the "git" user to always work for fetches (upload-pack and upload-archive) even when "mob" is disabled. Set up the "git" user to only have read-only access by giving it the same group as the user "nobody".

Pre-existing $chroot/etc/passwd files must be edited by hand to add the git user in order to enable this functionality.

With this change it's now possible to fetch using either something like "ssh://git@example.com/proj.git" or "git@example.com:proj.git" which looks a lot nicer than "mob@example.com:proj.git". It's also more secure since it's a read-only user and is available even when the "mob" user has been disabled.

Actually displaying the new fetch-over-ssh option to users on the gitweb project pages is left as an excercise for a future update.

Signed-off-by: Kyle J. McKay
---
 bin/git-shell-verify | 5 +++++
 jailsetup.sh | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bin/git-shell-verify b/bin/git-shell-verify
index 8b3a6cd..91815ac 100755
--- a/bin/git-shell-verify
+++ b/bin/git-shell-verify
@@ -185,6 +185,11 @@ fi
 proj="${dir#$reporoot/}"; projbare="${proj%.git}"
 
+if [ "$type" = 'receive-pack' ] && [ "$LOGNAME" = 'git' ]; then
+	echo "The user '$LOGNAME' may only be used for fetches, sorry" >&2
+	exit 3
+fi
+
 if [ "$type" = 'receive-pack' ] && ! [ -f "$dir/.nofetch" ]; then
 	echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
 	exit 3
diff --git a/jailsetup.sh b/jailsetup.sh
index 1ea0dd9..37391f7 100755
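Review bot: The new guard denies the `git` user only `receive-pack`, so any other command `type` this script accepts now or later is permitted for what is effectively an anonymous account; the commit message states the intent as fetch-only (upload-pack and upload-archive), which an allow-list expresses directly: `if [ "$LOGNAME" = 'git' ] && [ "$type" != 'upload-pack' ] && [ "$type" != 'upload-archive' ]; then`. Where `$type` and `$LOGNAME` are assigned is outside this hunk, so I am assuming `$type` is an already-validated command name rather than raw client input. Either way the script-level check should be treated as defense in depth only; the read-only property the commit relies on presumably comes from the chroot `git` account sharing nobody's group and having no write permission on the repositories, which nothing in this hunk verifies. The enclosing script continues on both sides of the hunk.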
--- a/jailsetup.sh
+++ b/jailsetup.sh
@@ -91,6 +91,7 @@ EOT
 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
+git::65539:$("$getent" passwd nobody | cut -d : -f 4):read-only access:/:/bin/git-shell-verify
 EOT
 elif [ -z "$dbonly" ]; then
 	# Make sure an sshd entry is present
@@ -399,7 +400,7 @@ fi
 AuthorizedKeysFile /etc/sshkeys/%u
 StrictModes no
-# mob user:
+# mob and git users:
 PermitEmptyPasswords yes
 ChallengeResponseAuthentication no
 PasswordAuthentication yes
-- 
2.11.4.GIT
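Review bot: The gid in the new `git` passwd line is taken from `"$getent" passwd nobody` with no check that the lookup produced anything, so on a host without a `nobody` account the heredoc writes `git::65539::read-only access:/:/bin/git-shell-verify` with an empty group field and the "same group as nobody" read-only arrangement the commit depends on silently disappears. A guard above the heredoc (outside this hunk) would catch that: `nobody_gid=$("$getent" passwd nobody | cut -d : -f 4)` followed by `[ -n "$nobody_gid" ] || { echo "cannot find user 'nobody' to derive the git group" >&2; exit 1; }`, with the heredoc line then using `$nobody_gid`. Because the entry's password field is empty and the second hunk keeps `PermitEmptyPasswords yes` and `PasswordAuthentication yes` for the whole sshd, this line turns the reserved name `git` into an anonymous, passwordless login; that is the stated intent, but it deserves a comment above the heredoc such as `# git: anonymous passwordless fetch-only account (gid of nobody); writes are refused by git-shell-verify`, since a later reader will otherwise take the empty field for a mistake. The heredoc itself begins before this hunk.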