Reputation: 35
Shell Wrapper: Which user connecting VIA SSH
I'm having issues wrapping my head around the topic discussed below in the Git user manual. Any elaboration or links would be helpful. I've found a couple topics discussing this, but I honestly am having issues comprehending the overall concept, language it's to be written in, and so on.
If you’ve allowed everyone to connect with a single user (like "git") via public-key authentication, you may have to give that user a shell wrapper that determines which user is connecting based on the public key, and set an environment variable specifying that user. Here I assume the connecting user is in the $USER environment variable, so your update script begins by gathering all the information you need:
Quoted from here
Edit: Having issues figuring out the command that I need to use to see the SSH key that the remote user is passing in. Additionally, I have no idea how to iterate through the authorized_keys file to match keys up. Is there any documentation on this matter?
Upvotes: 0
Views: 829
Answers (2)
Reputation: 8446
Gitolite, which adds an authorization layer to git as a server over ssh has a nice explanation on how this works.
In essense, the gitolite tools relies on the possibility to add options to each entry in authorized_keys.
[ options ] key-type base64-key [ comment ]
In this case, the command option tells sshd to use the gitolite-shell wrapper. The command itself includes a unique string argument identifying the user of this particular key. In addition to the command= option, a couple of other options are included, which (at least ten years ago) should protect the system from any abuse.
Example from my own gitolite experiment:
command="/Users/git/bin/gitolite-shell hlangeveld",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... hlangeveld@...
Note how the option string contains several options which should prevent abuse of the git account for different purposes. You also don't need gitolite specifically, but it has automated the creation of new key entries.
Upvotes: 3
Reputation: 2010
A wrapper script is just a script that you call that then calls another script or program.
This is done fairly often in unix.
A user's shell is bascially a program. So you can wrap it in a script as well.
If you have a user 'tom'. He'll appear in /etc/passwd as such:
tom:x:91:91:Tom Mot:/home/tom:/bin/bash
But tom is actually the account shared by the tom dept.
So you want to set some variables up in the env that identify which member of the tom dept is logging in.
You do this by changing the /bin/bash attribute to /bin/tom-wrapper
And then you add a script in that path:
/bin/tom-wrapper:
#!/bin/bash
KEY=$(figure out the ssh key the user used to log in) if [ $KEY == $tom_user_one ]; then
USER="Tom User One"
/bin/bash fi
if [ $KEY == $tom_user_two ]; then
USER="Tom User Two"
/bin/bash fi
echo "You aren't the Tom I am looking for." exit 0
That's a super simplistic script that doesn't quite do what you want but demonstrates the theory.
Remember to chmod +x the script.
Then when the user logs in, instead of hitting bash directly, they hit your script... which figures out which tom user this is... sets and env variable named user identifying the user, and then gives the user a shell.
Super over simplified but it is the basic idea.
Upvotes: 3
Related Questions
- git pushes with wrong user from terminal
- How does git know who I am when I use ssh to log in?
- How to Figure Which SSH Client is Used by Git in Git Bash on Windows
- Specify Git identity based on SSH host or identity
- How to determine the user who pushed to a remote repo in git using jenkins git plugin?
- Check authorized_keys to see which key was used for pushing the commit
- Git - how to allow only authentified SSH user
- How to restrict some user on UNIX server for only accessing GIT command?
- Limit SSH User to a shell command
- Can I associate ssh username with commit with git over ssh?