Update the OpenSSH patch

Use the latest version of Damien Miller's patch to extend the parameters to the AuthorizedKeysCommand. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2025-02-03 10:43:03 +01:00 · 2015-04-11 13:25:59 +02:00 · 2015-04-11 13:25:59 +02:00 · ef1f3798a0
commit ef1f3798a0
parent 4f4cfff620
5 changed files with 1063 additions and 119 deletions
--- a/2
+++ b/2
@ -28,7 +28,7 @@ Setup on Arch Linux
   $ cd /srv/http/aurweb/
   $ git clone git://anongit.mindrot.org/openssh.git
   $ cd openssh
-   $ git checkout V_6_7_P1
+   $ git checkout V_6_8_P1
   $ git am ../scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
   $ autoreconf
   $ ./configure
--- a/conf/config.proto
+++ b/conf/config.proto
@ -28,7 +28,7 @@ auto_orphan_age = 15552000
 auto_delete_age = 86400

 [auth]
-key-prefixes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
+valid-keytypes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
 username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
 git-serve-cmd = /srv/http/aurweb/scripts/git-integration/git-serve.py
 ssh-options = no-port-forwarding,no-X11-forwarding,no-pty
--- a/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
+++ b/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
--- a/scripts/git-integration/git-auth.py
+++ b/scripts/git-integration/git-auth.py
@ -4,6 +4,7 @@ import configparser
 import mysql.connector
 import os
 import re
+import sys

 config = configparser.RawConfigParser()
 config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
@ -14,14 +15,14 @@ aur_db_user = config.get('database', 'user')
 aur_db_pass = config.get('database', 'password')
 aur_db_socket = config.get('database', 'socket')

-key_prefixes = config.get('auth', 'key-prefixes').split()
+valid_keytypes = config.get('auth', 'valid-keytypes').split()
 username_regex = config.get('auth', 'username-regex')
 git_serve_cmd = config.get('auth', 'git-serve-cmd')
 ssh_opts = config.get('auth', 'ssh-options')

-pubkey = os.environ.get("SSH_KEY")
-valid_prefixes = tuple(p + " " for p in key_prefixes)
-if pubkey is None or not pubkey.startswith(valid_prefixes):
+keytype = sys.argv[1]
+keytext = sys.argv[2]
+if not keytype in valid_keytypes:
    exit(1)

 db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
@ -30,7 +31,7 @@ db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,

 cur = db.cursor()
 cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
-            "AND Suspended = 0", (pubkey,))
+            "AND Suspended = 0", (keytype + " " + keytext,))

 if cur.rowcount != 1:
    exit(1)
@ -39,4 +40,5 @@ user = cur.fetchone()[0]
 if not re.match(username_regex, user):
    exit(1)

-print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))
+print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts,
+    keytype + " " + keytext))
--- a/scripts/git-integration/sshd_config
+++ b/scripts/git-integration/sshd_config
@ -2,5 +2,5 @@ Port 2222
 HostKey ~/.ssh/ssh_host_rsa_key
 PasswordAuthentication no
 UsePrivilegeSeparation no
-AuthorizedKeysCommand /srv/http/aurweb/scripts/git-integration/git-auth.py
+AuthorizedKeysCommand /srv/http/aurweb/scripts/git-integration/git-auth.py "%t" "%k"
 AuthorizedKeysCommandUser aur