tenseleyflow/shithub / 88175ea

Browse files

sshd_config: AKC wrapper path + AuthorizedKeysCommandUser=shithub

Authored by espadonne
SHA
88175eadb5ff1fbab3a1650b3170986a99cc4b37
Parents
0bed4c6
Tree
f812ebd

1 changed file

StatusFile+-
M deploy/sshd_config.j2 16 6
deploy/sshd_config.j2modified
@@ -21,13 +21,23 @@ MaxAuthTries 3
21
 MaxSessions 10
21
 MaxSessions 10
22
 MaxStartups 100:30:200
22
 MaxStartups 100:30:200
23
23
24
-# Per-user AKC: when a user named `git` connects, shithubd resolves
24
+# Per-user AKC: when a user named `git` connects, sshd runs the
25
-# the offered key fingerprint to a shithub user via the user_ssh_keys
25
+# wrapper at /usr/local/bin/shithub-ssh-authkeys (which sources
26
-# table and emits the matching authorized_keys line (including the
26
+# /etc/shithub/web.env so SHITHUB_DATABASE_URL is in scope) which in
27
-# `command=...` prefix that locks the session to git protocol).
27
+# turn execs `shithubd ssh-authkeys <fingerprint>`. shithubd resolves
28
+# the fingerprint to a shithub user via the user_ssh_keys table and
29
+# emits the matching authorized_keys line (including a `command=...`
30
+# prefix that locks the session to the git protocol).
31
+#
32
+# AuthorizedKeysCommandUser=shithub: the AKC needs read access to
33
+# /etc/shithub/web.env. shithub-ssh would also work after group
34
+# membership tweaks, but using the same user that owns the env file
35
+# is the simpler trust model — the wrapper script is small and well-
36
+# audited; running it as shithub doesn't widen the blast radius
37
+# beyond what shithubd-web already has.
28
 Match User git
38
 Match User git
29
-    AuthorizedKeysCommand /usr/local/bin/shithubd ssh-authkeys %f
39
+    AuthorizedKeysCommand /usr/local/bin/shithub-ssh-authkeys %f
30
-    AuthorizedKeysCommandUser shithub-ssh
40
+    AuthorizedKeysCommandUser shithub
31
     PermitTTY no
41
     PermitTTY no
32
     AllowAgentForwarding no
42
     AllowAgentForwarding no
33
     AllowTcpForwarding no
43
     AllowTcpForwarding no