# Managed by Ansible. Ops admins log in as the operator user (with
# their own ed25519 key in ~/.ssh/authorized_keys); git users are
# all multiplexed under the `git` user via shithubd's AKC subcommand.

Port 22
# Protocol is parsed as a deprecated option and ignored by OpenSSH 7.4+
# (SSH-1 support was removed there); harmless, kept for older hosts.
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
# Both spellings on purpose: ChallengeResponseAuthentication is the
# pre-8.7 name of KbdInteractiveAuthentication, so the file means the
# same thing on either side of that rename.
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitEmptyPasswords no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveInterval 60
ClientAliveCountMax 3
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 10
MaxStartups 100:30:200

# Per-user AKC: when a user named `git` connects, sshd runs the
# wrapper at /usr/local/bin/shithub-ssh-authkeys (which sources
# /etc/shithub/web.env so SHITHUB_DATABASE_URL is in scope), which in
# turn execs `shithubd ssh-authkeys <fingerprint>`. shithubd resolves
# the fingerprint to a shithub user via the user_ssh_keys table and
# emits the matching authorized_keys line (including a `command=...`
# prefix that locks the session to the git protocol). %f is the
# SHA256 fingerprint of the key the client is offering; sshd renders
# it itself and passes it as a single argv entry with no shell in
# between, so it is the only client-influenced input the wrapper sees
# and it cannot smuggle metacharacters.
#
# Keep in mind that the AKC runs *before* authentication, once per key
# the client offers, for anyone who merely claims the `git` username,
# so unauthenticated scanners exercise it too; MaxAuthTries and
# MaxStartups above bound how hard it can be driven.
#
# AuthorizedKeysCommandUser=shithub: the AKC needs read access to
# /etc/shithub/web.env. A dedicated shithub-ssh user would also work
# after group-membership tweaks, but using the same user that owns the
# env file is the simpler trust model: the wrapper script is small and
# well-audited, and running it as shithub doesn't widen the blast
# radius beyond what shithubd-web already has, since either way the
# wrapper ends up holding the same database credentials. The Match
# directives below are the second layer: even if a key line ever came
# back without its `command=` prefix, the git user still gets no TTY,
# no forwarding and no tunnels.
Match User git
  AuthorizedKeysCommand /usr/local/bin/shithub-ssh-authkeys %f
  AuthorizedKeysCommandUser shithub
  PermitTTY no
  AllowAgentForwarding no
  AllowTcpForwarding no
  PermitOpen none
  X11Forwarding no
  PermitTunnel no
  Banner none

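The wrapper the comments above describe, written out as an added example (this is illustrative code, not the project's own /usr/local/bin/shithub-ssh-authkeys): it checks that the `%f` argument has the shape sshd produces, sources the env file, runs `shithubd ssh-authkeys`, and, going one step beyond the bare exec described above, passes the output through a fail-closed filter so that a key line lacking a `command=` prefix plus `restrict` (or the four explicit no-* options) never reaches sshd. Two things here are assumptions rather than facts from the config: that shithubd prints one authorized_keys line per matching key on stdout, and that the forced command it emits is `shithubd git-shell <user>`.

```shell
#!/bin/sh
# Added example of the AKC wrapper the sshd_config above points at. It
# is illustrative, not the project's own /usr/local/bin/shithub-ssh-authkeys.
# Assumptions (not stated by the config): shithubd prints one
# authorized_keys line per matching key on stdout, and the forced
# command it emits is `shithubd git-shell <user>`.
set -eu

ENV_FILE=/etc/shithub/web.env

# sshd renders %f as "SHA256:" plus 43 unpadded base64 characters.
# sshd builds that string itself, but the wrapper runs pre-auth for
# every client claiming the git user, so verify the shape anyway
# before anything touches the database. Returns 0 for a fingerprint.
akc_check_fingerprint() {
    case "$1" in
        SHA256:*) ;;
        *) return 1 ;;
    esac
    rest=${1#SHA256:}
    [ "${#rest}" -eq 43 ] || return 1
    case "$rest" in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    return 0
}

# Returns 0 only if an authorized_keys line forces a command AND
# disables the interactive bits, either via `restrict` (OpenSSH 7.2+)
# or the four explicit no-* options. A bare command= still allows a
# pty and forwarding at the key level; a line with no options at all
# would hand the git user a real session. Assumes the emitted command
# body contains no double quotes.
akc_line_is_locked() {
    line=$1
    case "$line" in
        'command="'*) ;;
        *) return 1 ;;
    esac
    rest=${line#command=\"}
    case "$rest" in
        *\"*) rest=${rest#*\"} ;;          # drop the quoted command body
        *) return 1 ;;
    esac
    case "$rest" in
        ,*) opts=${rest#,}; opts=${opts%% *} ;;   # remaining options
        *) return 1 ;;                             # command= was the only option
    esac
    case "$rest" in
        *' ssh-'*|*' ecdsa-'*|*' sk-'*) ;;         # a key type must follow
        *) return 1 ;;
    esac
    case ",$opts," in
        *,restrict,*) return 0 ;;
    esac
    for o in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *,"$o",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Pass through only locked-down lines; drop and log anything else so
# an unexpected shithubd output never grants an unrestricted login.
akc_filter_locked() {
    while IFS= read -r line; do
        if akc_line_is_locked "$line"; then
            printf '%s\n' "$line"
        else
            logger -t shithub-ssh-authkeys -p auth.warning \
                "dropped authorized_keys line without command=/restrict"
        fi
    done
}

akc_main() {
    fp=${1:-}
    akc_check_fingerprint "$fp" || exit 1   # no output => no key => auth fails
    # shellcheck source=/dev/null
    . "$ENV_FILE"                           # provides SHITHUB_DATABASE_URL
    export SHITHUB_DATABASE_URL
    shithubd ssh-authkeys "$fp" | akc_filter_locked
}

# Only act as the wrapper when installed under that name; loading the
# file under any other name just defines the functions above.
case "${0##*/}" in
    shithub-ssh-authkeys) akc_main "$@" ;;
esac
```

Install it root-owned and not group- or world-writable: sshd_config(5) requires an AuthorizedKeysCommand to be an absolute path owned by root and not writable by group or others, and sshd refuses to run it otherwise. After deploying, `sshd -t -f /etc/ssh/sshd_config` checks the syntax and `sshd -T -C user=git` prints the effective values inside the `Match User git` block, which is the quickest way to confirm that PermitTTY, the forwarding options and the AKC settings really apply to the git user.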