savannah-hackers-public

Re: [Savannah-hackers-public] mercurial ssh access issues


From: Sylvain Beucler
Subject: Re: [Savannah-hackers-public] mercurial ssh access issues
Date: Tue, 22 Apr 2008 01:30:12 +0200
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Hi,

Apparently everything's fine :)
I merged your branch in the main repository.

I modified your fix for the authorized_keys==0 issue, by using cleaner
DB functions that I had introduced a while ago (the original DB access
functions can give ambiguous results in some cases, like NULL).
In what cases did it happen, though? Initially, in the disk image, user
'admin' is member of 'siteadmin' (so he's entitled for a user account)
and has no registered SSH key, so this should trigger the
authorized_keys bug you reported, but AFAICS ~admin/.ssh/ did not
contain an 'authorized_keys' file.

Something else: I think that it'd be better to get rid of hg-ssh and
reimplement it with a couple lines of Perl straight in
sv_membersh. hg-ssh is not properly part of Mercurial anyway.

-- 
Sylvain

On Mon, Apr 21, 2008 at 08:17:29PM +0200, Aleix Conchillo Flaqué wrote:
> I have added hg-ssh support to sv_membersh and reverted the previous
> commit. It seems to work fine.
> 
> http://github.com/aleix/savane-cleanup/commit/5341cd8a014372de6fae56acc0ba770835640d18
> 
> Is there any other thing missing?
> 
> Aleix
> 
> On Thu, Apr 17, 2008 at 10:12 PM, Sylvain Beucler <address@hidden> wrote:
> > Hi,
> >
> >  I don't think it's interesting to use "command=" from .ssh/authorized;
> >  sv_membersh is doing this job at the shell level (that is, the users'
> >  shell is /usr/local/bin/sv_membersh instead of /bin/bash). This works
> >  in other contexts than SSH.
> >
> >  Note that what you allow in "command=" is also subject to shell
> >  restrictions (that is, to sv_membersh's filters).
> >
> >  --
> >  Sylvain
> >
> >
> >
> >  On Thu, Apr 17, 2008 at 09:06:38AM +0200, Aleix Conchillo Flaqué wrote:
> >  > On Tue, Apr 15, 2008 at 9:10 PM, Sylvain Beucler <address@hidden> wrote:
> >  > > Hi,
> >  > >
> >  > >  Good idea. Try to see if you can modify backend/account/sv_membersh.in
> >  > >  in this regard.
> >  > >
> >  > >  "cd /srv/hg/project" is a good idea, it permits to avoid the /srv/hg
> >  > >  path. Too bad I didn't think of this for SVN and Git at Savannah ;)
> >  > >
> >  >
> >  > I have added automatic authorized_keys command modification in this commit:
> >  >
> >  > http://github.com/aleix/savane-cleanup/commit/0062cd754fcde31519e7460d0058266df31b04e7
> >  >
> >  > I have modified sv_users.in instead of sv_membersh.in, because that is
> >  > where the UserAddSSHKey calls are found. I have added an extra
> >  > argument for the ssh command to execute. It can be empty and only the
> >  > key will be saved (as before).
> >  >
> >  > I have added a new file sv_ssh_access.in that only executes
> >  > SSH_ORIGINAL_COMMAND (seems to work fine).
> >  >
> >  > I have also solved an issue when adding ssh keys. It seems that NULL
> >  > (i.e. when user has no ssh keys) were returned as 0, and the current
> >  > checks did not handle it, so the authorized_keys file was created with
> >  > a 0.
> >  >
> >  > Maybe an extra configuration file would be better, indicating whether
> >  > to use authorized_keys command or not. Or we could leave it like that
> >  > and add a configuration file (when needed) for the sv_ssh_access
> >  > script.
> >  >
> >  > Another thing I've seen is that tabs are used. Is this the default?
> >  > I'd rather use spaces, as tabs are not very friendly (diffs,
> >  > printing, different tab settings, etc.).
> >  >
> >  > Any comments would be welcome.
> >
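
Added example, not part of the thread and not Savane's or Mercurial's code: the check a restricted login shell has to make before running Mercurial for a member, sketched in Python rather than the Perl suggested above. The function name, the Rejected exception and the /srv/hg root (taken from the "cd /srv/hg/project" idea) are assumptions for illustration.

```python
import posixpath
import shlex

HG_ROOT = "/srv/hg"  # assumed repository root


class Rejected(Exception):
    """The requested command is not an allowed Mercurial invocation."""


def allowed_hg_argv(original_command, root=HG_ROOT):
    """Return the argv to exec for an allowed command, or raise Rejected.

    Only `hg -R <repo> serve --stdio` is accepted, the form the Mercurial
    SSH client sends. <repo> is interpreted relative to root.
    """
    try:
        # Split like a shell would, but never hand the string to a shell.
        argv = shlex.split(original_command or "")
    except ValueError as exc:  # e.g. unbalanced quotes
        raise Rejected("unparsable command: %s" % exc)
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        raise Rejected("only 'hg -R <repo> serve --stdio' is allowed")
    repo = argv[2]
    if repo.startswith("-"):
        raise Rejected("repository name looks like an option")
    # Lexical normalisation only: symlinks inside root are not resolved here.
    full = posixpath.normpath(posixpath.join(root, repo))
    if not full.startswith(root.rstrip("/") + "/"):
        raise Rejected("repository outside " + root)
    return ["hg", "-R", full, "serve", "--stdio"]


if __name__ == "__main__":
    # Constructed sample commands, as they would arrive from the SSH client.
    samples = [
        "hg -R project serve --stdio",
        "hg -R ../../etc serve --stdio",
        "hg -R project serve --stdio; id",
        "bash -i",
    ]
    for cmd in samples:
        try:
            print("ALLOW", allowed_hg_argv(cmd))
        except Rejected as why:
            print("DENY ", repr(cmd), "->", why)
```

The returned list is meant to be passed to an exec-style call as an argument vector, so shell metacharacters in the request never reach a shell.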



