mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 16:22:43 +01:00
Add an optional "--sshd-key" argument to "bin/ssh-auth" for reading "%k" from modern sshd
Summary: Depends on D20873. Ref T13436. Allow callers to configure "bin/ssh-auth --sshd-key %k" as an "AuthorizedKeysCommand"; if they do, and we recognize the key, emit just that key in the output. Test Plan: - Used `git pull` locally, still worked fine. - Instrumented things, saw the public key lookup actually work and emit a single key. - Ran without "--sshd-key", got a full key list as before. Maniphest Tasks: T13436 Differential Revision: https://secure.phabricator.com/D20874
This commit is contained in:
parent
02f85f03bd
commit
24f771c1bc
1 changed files with 34 additions and 0 deletions
|
@ -4,6 +4,24 @@
|
||||||
$root = dirname(dirname(dirname(__FILE__)));
|
$root = dirname(dirname(dirname(__FILE__)));
|
||||||
require_once $root.'/scripts/init/init-script.php';
|
require_once $root.'/scripts/init/init-script.php';
|
||||||
|
|
||||||
|
// TODO: For now, this is using "parseParital()", not "parse()". This allows
|
||||||
|
// the script to accept (and ignore) additional arguments. This preserves
|
||||||
|
// backward compatibility until installs have time to migrate to the new
|
||||||
|
// syntax.
|
||||||
|
|
||||||
|
$args = id(new PhutilArgumentParser($argv))
|
||||||
|
->parsePartial(
|
||||||
|
array(
|
||||||
|
array(
|
||||||
|
'name' => 'sshd-key',
|
||||||
|
'param' => 'k',
|
||||||
|
'help' => pht(
|
||||||
|
'Accepts the "%%k" parameter from "AuthorizedKeysCommand".'),
|
||||||
|
),
|
||||||
|
));
|
||||||
|
|
||||||
|
$sshd_key = $args->getArg('sshd-key');
|
||||||
|
|
||||||
// NOTE: We are caching a datastructure rather than the flat key file because
|
// NOTE: We are caching a datastructure rather than the flat key file because
|
||||||
// the path on disk to "ssh-exec" is arbitrarily mutable at runtime. See T12397.
|
// the path on disk to "ssh-exec" is arbitrarily mutable at runtime. See T12397.
|
||||||
|
|
||||||
|
@ -85,6 +103,22 @@ if ($authstruct === null) {
|
||||||
$cache->setKey($authstruct_key, $authstruct_raw, $ttl);
|
$cache->setKey($authstruct_key, $authstruct_raw, $ttl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If we've received an "--sshd-key" argument and it matches some known key,
|
||||||
|
// only emit that key. (For now, if the key doesn't match, we'll fall back to
|
||||||
|
// emitting all keys.)
|
||||||
|
if ($sshd_key !== null) {
|
||||||
|
$matches = array();
|
||||||
|
foreach ($authstruct['keys'] as $key => $key_struct) {
|
||||||
|
if (phutil_hashes_are_identical($key_struct['key'], $sshd_key)) {
|
||||||
|
$matches[$key] = $key_struct;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($matches) {
|
||||||
|
$authstruct['keys'] = $matches;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$bin = $root.'/bin/ssh-exec';
|
$bin = $root.'/bin/ssh-exec';
|
||||||
$instance = PhabricatorEnv::getEnvConfig('cluster.instance');
|
$instance = PhabricatorEnv::getEnvConfig('cluster.instance');
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue