Re: False negative authentication with multiple accounts on a SSH-GIT server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi there,

you can use GIT_SSH_COMMAND or config 'core.sshCommand'.
For more flexibility use wrappers like ssh-ident.

Recommended read: https://superuser.com/a/1616186/557798

Hope this helps
Kind regards
Maddes


On 2021-01-19 07:17, Harley Paterson wrote:
Hello,

I've noticed an edge case in Git when a user has two Git accounts on a
single server - as might be common for a personal account and a work
account on a Git forge (Github, GitLab, Bitbucket...)

When attempting SSH login, `ssh` and Git will eagerly connect with the
first matching key. This may or may not be the key right key for the
repository the user needs. As a result, Git clones, pulls, and pushes
will fail with the `Repository not found` if the wrong key is tried
first.

For example, the user `alice` has two accounts on the host
`git-server.com`. `alice`'s accounts are `alice-work`, and
`alice-personal`. `alice-work` has access to the `foo` repository, and
`alice-personal` has access to the `bar` repository.

`alice` attempts to clone `foo` with both her `alice-work` and
`alice-personal` keys in her SSH Agent. SSH Agent does not define
which key it will attempt first, so SSH may connect successfully to
`git-server.com` with her `alice-personal` keys, which do not have
access to the `foo` repository.

I'd be interested in your opinions for fixes to this. I am willing to
make a patch, although my knowledge of the Git codebase isn't perfect.

- Should Git servers provide distinctly different error messages for
`access denied`, and `repository does not exist`? Currently the server
immediately closes the connection in this case, so
`transport.c:handshake()` with fail when attempting to
`discover_version()` because the reader hits the EOF. Perhaps the
server could send a hypothetical access denied packet here, and a more
appropriate error generated?

Can anyone point me to where in the Git codebase the daemon receives
and responds to these requests? I haven't found it yet, if I wanted to
patch this.

- Should Git provide a `-i` option to allow the user to choose an SSH
key, which could be added to the SSH subprocess's command line?

- Should Git attempt to iterate over all keys in the SSH Agent when
the connection is setup, testing the connection to check if each
connected key has access to the target repository, before giving up
and reporting an error? This may be difficult looking at the current
behavior of `ssh` and `ssh-agent`. `ssh-add -l` no longer lists paths
to files (which could be plugged into `ssh -i`), just the key
signature. Does anyone know of any SSH/SSH-Agent tricks which might
help with this?

All the best,



H Paterson.



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux