From 5c61b2ef7a3b016cfe41f9569679ad7ad6c57112 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Tue, 19 Dec 2017 11:42:09 +0000 Subject: Introduce a more-complete implementation of bin/authorized_keys bin/authorized_keys doesn't check that the requesting user matches the expected user, so to enable database authorized keys lookups, we currently ask the admin to create a custom script for that purpose. Better is to have a complete script that can perform the whole task. This commit introduces bin/gitlab-shell-authorized-keys-check which does so. --- bin/gitlab-shell-authorized-keys-check | 42 ++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100755 bin/gitlab-shell-authorized-keys-check (limited to 'bin/gitlab-shell-authorized-keys-check') diff --git a/bin/gitlab-shell-authorized-keys-check b/bin/gitlab-shell-authorized-keys-check new file mode 100755 index 0000000..2ea1a74 --- /dev/null +++ b/bin/gitlab-shell-authorized-keys-check @@ -0,0 +1,42 @@ +#!/usr/bin/env ruby + +# +# GitLab shell authorized_keys helper. Query GitLab API to get the authorized +# command for a given ssh key fingerprint +# +# Ex. +# bin/gitlab-shell-authorized-keys-check +# +# Returns +# command="/bin/gitlab-shell key-#",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... +# +# Expects to be called by the SSH daemon, via configuration like: +# AuthorizedKeysCommandUser git +# AuthorizedKeysCommand /bin/gitlab-shell-authorized-keys-check git %u %k + +abort "# Wrong number of arguments. #{ARGV.size}. Usage: +# gitlab-shell-authorized-keys-check " unless ARGV.size == 3 + +expected_username = ARGV[0] +abort '# No username provided' if expected_username.nil? || expected_username == '' + +actual_username = ARGV[1] +abort '# No username provided' if actual_username.nil? || actual_username == '' + +# Only check access if the requested username matches the configured username. +# Normally, these would both be 'git', but it can be configured by the user +exit 0 unless expected_username == actual_username + +key = ARGV[2] +abort "# No key provided" if key.nil? || key == '' + +require_relative '../lib/gitlab_init' +require_relative '../lib/gitlab_net' +require_relative '../lib/gitlab_keys' + +authorized_key = GitlabNet.new.authorized_key(key) +if authorized_key.nil? + puts "# No key was found for #{key}" +else + puts GitlabKeys.key_line("key-#{authorized_key['id']}", authorized_key['key']) +end -- cgit v1.2.1