+1 here. -re On 10/10/2018 12:09 PM, Patrick マルタインアンドレアス Uiterwijk wrote: > Hi, > > Can I get +1s to the following patch? > This would enable keyhelper.py on pagure.io, which is an alternative to authorized_keys file, which need a gitolite recompile to get changes activated. > If anything goes wrong with it, sshd will fall back to the authorized_keys file, which will still be updated. > Note that due to the fact that sshd_config is a file (instead of template), it needs a copy of the file (I have a todo to fix this), but the only change from the EL7 one to this is the last two lines, addition of AuthorizedKeysCommand. > > Patrick > > > commit 95523df6b2ed99a170cac19f6e84daf43b81b617 > Author: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx> > Date: Wed Oct 10 17:37:16 2018 +0200 > > Add keyhelper to pagure.io > > Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx> > > diff --git a/roles/basessh/files/ssh/sshd_config.pagure b/roles/basessh/files/ssh/sshd_config.pagure > new file mode 100644 > index 000000000..8fca2d49f > --- /dev/null > +++ b/roles/basessh/files/ssh/sshd_config.pagure 
> @@ -0,0 +1,166 @@ > +# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $ > + > +# This is the sshd server system-wide configuration file. See > +# sshd_config(5) for more information. > + > +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin > + > +# The strategy used for options in the default sshd_config shipped with > +# OpenSSH is to specify options with their default value where > +# possible, but leave them commented. Uncommented options override the > +# default value. > + > +# If you want to change the port on a SELinux system, you have to tell > +# SELinux about this change. > +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER > +# > +#Port 22 > +#AddressFamily any > +#ListenAddress 0.0.0.0 > +#ListenAddress :: > + > +# The default requires explicit activation of protocol 1 > +#Protocol 2 > + > +# HostKey for protocol version 1 > +#HostKey /etc/ssh/ssh_host_key > +# HostKeys for protocol version 2 > +HostKey /etc/ssh/ssh_host_rsa_key > +HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub > +#HostKey /etc/ssh/ssh_host_dsa_key > +#HostKey /etc/ssh/ssh_host_ecdsa_key > + > +# Lifetime and size of ephemeral version 1 server key > +#KeyRegenerationInterval 1h > +#ServerKeyBits 1024 > + > +# Ciphers and keying > +#RekeyLimit default none > + > +# Logging > +# obsoletes QuietMode and FascistLogging > +#SyslogFacility AUTH > +SyslogFacility AUTHPRIV > +#LogLevel INFO > +LogLevel VERBOSE > + > +# Authentication: > + > +#LoginGraceTime 2m > +#PermitRootLogin yes > +#StrictModes yes > +PermitRootLogin without-password > +StrictModes yes > +#MaxAuthTries 6 > +#MaxSessions 10 > + > +#RSAAuthentication yes > +#PubkeyAuthentication yes > + > +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 > +# but this is overridden so installations will only check .ssh/authorized_keys > +AuthorizedKeysFile .ssh/authorized_keys > + > +#AuthorizedPrincipalsFile none > + > +#AuthorizedKeysCommand none > +#AuthorizedKeysCommandUser 
nobody > + > +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts > +#RhostsRSAAuthentication no > +# similar for protocol version 2 > +#HostbasedAuthentication no > +# Change to yes if you don't trust ~/.ssh/known_hosts for > +# RhostsRSAAuthentication and HostbasedAuthentication > +#IgnoreUserKnownHosts no > +# Don't read the user's ~/.rhosts and ~/.shosts files > +#IgnoreRhosts yes > + > +# To disable tunneled clear text passwords, change to no here! > +#PasswordAuthentication yes > +#PermitEmptyPasswords no > +PasswordAuthentication no > + > +# Change to no to disable s/key passwords > +#ChallengeResponseAuthentication yes > +ChallengeResponseAuthentication no > + > +# Kerberos options > +#KerberosAuthentication no > +#KerberosOrLocalPasswd yes > +#KerberosTicketCleanup yes > +#KerberosGetAFSToken no > +#KerberosUseKuserok yes > + > +# GSSAPI options > +#GSSAPIAuthentication no > +GSSAPIAuthentication yes > +#GSSAPICleanupCredentials yes > +GSSAPICleanupCredentials yes > +#GSSAPIStrictAcceptorCheck yes > +#GSSAPIKeyExchange no > + > +# Set this to 'yes' to enable PAM authentication, account processing, > +# and session processing. If this is enabled, PAM authentication will > +# be allowed through the ChallengeResponseAuthentication and > +# PasswordAuthentication. Depending on your PAM configuration, > +# PAM authentication via ChallengeResponseAuthentication may bypass > +# the setting of "PermitRootLogin without-password". > +# If you just want the PAM account and session checks to run without > +# PAM authentication, then enable this but set PasswordAuthentication > +# and ChallengeResponseAuthentication to 'no'. > +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several > +# problems. 
> +#UsePAM no > +UsePAM yes > + > +#AllowAgentForwarding yes > +#AllowTcpForwarding yes > +#GatewayPorts no > +#X11Forwarding no > +X11Forwarding yes > +#X11DisplayOffset 10 > +#X11UseLocalhost yes > +#PrintMotd yes > +#PrintLastLog yes > +#TCPKeepAlive yes > +#UseLogin no > +UsePrivilegeSeparation sandbox # Default for new installations. > +#PermitUserEnvironment no > +#Compression delayed > +#ClientAliveInterval 0 > +#ClientAliveCountMax 3 > +#ShowPatchLevel no > +#UseDNS yes > +#PidFile /var/run/sshd.pid > +#MaxStartups 10:30:100 > +#PermitTunnel no > +#ChrootDirectory none > +#VersionAddendum none > + > +# no default banner path > +#Banner none > + > +# Accept locale-related environment variables > +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE > +AcceptEnv XMODIFIERS > + > +# override default of no subsystems > +Subsystem sftp /usr/libexec/openssh/sftp-server > + > +# Uncomment this if you want to use .local domain > +#Host *.local > +# CheckHostIP no > + > +# Example of overriding settings on a per-user basis > +#Match User anoncvs > +# X11Forwarding no > +# AllowTcpForwarding no > +# ForceCommand cvs server > + > + > +# For repospanner/git > +AuthorizedKeysCommandUser git > +AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f" > diff --git a/roles/pagure/frontend/templates/pagure.cfg b/roles/pagure/frontend/templates/pagure.cfg > index 942712f83..09df7561f 100644 > --- a/roles/pagure/frontend/templates/pagure.cfg > +++ b/roles/pagure/frontend/templates/pagure.cfg 
> @@ -311,3 +311,6 @@ FEDMSG_NOTIFICATIONS = True > THEME = 'pagureio' > > MIRROR_SSHKEYS_FOLDER='/srv/mirror/ssh' > + > +SSH_KEYS_USERNAME_EXPECT = "git" > +SSH_KEYS_OPTIONS = 'command="/usr/share/gitolite3/gitolite-shell %(username)s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' > _______________________________________________ > infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
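Review bot: the two new `AuthorizedKeysCommand*` lines at the end of sshd_config.pagure only take effect if sshd accepts the helper: sshd_config(5) requires the program named by `AuthorizedKeysCommand` to be an absolute path, owned by root and not writable by group or others, and because `AuthorizedKeysFile .ssh/authorized_keys` stays enabled a rejected helper degrades into the old authorized_keys path with nothing but an error in the sshd log to show for it. Please confirm the role manages the ownership and mode of `/usr/libexec/pagure/keyhelper.py` (and that the `git` user it runs as under `AuthorizedKeysCommandUser` can read whatever the helper consults), and, since `LogLevel VERBOSE` is already set, check the key-acceptance log lines on the host after deploy to see that keys are actually being served by the helper rather than the file. Minor: the comment `# For repospanner/git` above those lines does not match the commit message (`Add keyhelper to pagure.io`); suggest `# For pagure keyhelper` so the next reader is not sent looking for repospanner.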
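Review bot: `SSH_KEYS_OPTIONS` interpolates `%(username)s` inside the `command="..."` option of the emitted authorized_keys line, so this hunk relies on keyhelper.py guaranteeing that the substituted username can never contain a double quote, comma or whitespace (any of which would end the `command=` value and allow further key options to be appended); please confirm the helper checks usernames against a strict allowlist before substitution, or note in the template that Pagure already constrains account names that way. `SSH_KEYS_USERNAME_EXPECT = "git"` matches `AuthorizedKeysCommandUser git` in the sshd_config hunk, which is correct, but a one-line comment that the two values must stay in sync would help, since the `%u` handed to the helper is presumably compared against this setting. Optionally, on OpenSSH 7.2 or newer the single `restrict` option covers the four `no-*` options listed here plus any restrictions added in later releases.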
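As an added illustration of the AuthorizedKeysCommand contract that the quoted message relies on (this is example code, not Pagure's keyhelper.py or anything from the Fedora infrastructure repository): the helper receives the `"%u" "%h" "%t" "%f"` arguments from the sshd_config hunk, compares the login user against `SSH_KEYS_USERNAME_EXPECT`, and prints an authorized_keys line built from `SSH_KEYS_OPTIONS`; the key store, fingerprint and account names are constructed placeholders, and printing nothing is what lets sshd fall back to the authorized_keys file as described.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand helper (added example, not Pagure's keyhelper.py).
sshd runs it as:  helper "%u" "%h" "%t" "%f"  (login user, home dir, key type, fingerprint)
and reads authorized_keys lines from stdout; printing nothing makes sshd continue
with the AuthorizedKeysFile that the patch leaves enabled.
"""
import re
import sys

# The two settings from the pagure.cfg hunk.
SSH_KEYS_USERNAME_EXPECT = "git"
SSH_KEYS_OPTIONS = ('command="/usr/share/gitolite3/gitolite-shell %(username)s",'
                    'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty')

# Constructed sample key store standing in for the Pagure database:
# fingerprint (as sshd formats it) -> (pagure account, key type, base64 key blob).
# Both values below are placeholders, not real keys.
EXAMPLE_FP = "SHA256:EXAMPLEFINGERPRINT0000000000000000000000000"
KEY_STORE = {
    EXAMPLE_FP: ("alice", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA"),
}

# Account names land inside command="..."; only plain POSIX-style names are allowed.
SAFE_ACCOUNT = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_key_lines(login_user, key_type, fingerprint, store=KEY_STORE):
    """Return the authorized_keys lines for this login, or [] so sshd falls back."""
    if login_user != SSH_KEYS_USERNAME_EXPECT:
        return []  # only the shared git login is served by the helper
    entry = store.get(fingerprint)
    if entry is None or entry[1] != key_type:
        return []  # unknown key, or a type mismatch for that fingerprint
    account, _, key_b64 = entry
    if not SAFE_ACCOUNT.match(account):
        return []  # a quote, comma or space here would break out of command="..."
    options = SSH_KEYS_OPTIONS % {"username": account}
    return ["%s %s %s %s" % (options, key_type, key_b64, account)]


def main(argv):
    if len(argv) != 5:
        return 1  # sshd passed an unexpected argument list; serve nothing
    _, login_user, _home, key_type, fingerprint = argv
    for line in build_key_lines(login_user, key_type, fingerprint):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```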