author Joey Hess <joey@kitenet.net> 2013-07-31 13:30:49 -0400
committer Joey Hess <joey@kitenet.net> 2013-07-31 13:30:49 -0400
commit 595633e7bb6fe5b3c92fe09ab4489156896b7c21
tree a4567dcaeeeda6634e1b2b2d692fec38d5079215
parent de6872b36985a825eb9fb3b818468ff2bce7a7cb
set IdentitiesOnly
When setting up a dedicated ssh key to access the annex on a host, set IdentitiesOnly to prevent the ssh-agent from forcing use of a different ssh key.

That behavior could result in unnecessary password prompts. I remember getting a message or two from people who got deluged with password prompts and I couldn't at the time see why.

Also, it would prevent git-annex-shell from being run on the remote host, when git-annex was installed there by unpacking the standalone tarball, since the authorized_keys line for the dedicated ssh key, which sets up calling git-annex-shell when it's not in path, wouldn't be used.

This fixes http://git-annex.branchable.com/bugs/Internal_Server_Error:_Unknown_UUID but I've not closed that bug yet since I should still:

1. Investigate why the ssh remote got set up despite being so broken.
2. Make the webapp not handle the NoUUID state in such an ugly way.
3. Possibly add code to fix up systems that encountered the problem. Although since it requires changes to .ssh/config this may be one for the release notes.

Thanks to TJ for pointing me in the right direction to understand what was happening here.
-rw-r--r-- Assistant/Ssh.hs 7
-rw-r--r-- debian/changelog 4
2 files changed, 10 insertions, 1 deletions
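An added example, not part of this commit or of git-annex: a Python check that lists the Host blocks of an ssh config which set IdentityFile but leave IdentitiesOnly off, which is the state of a stanza that carries IdentityFile alone. The sample config, host aliases and key paths are constructed, and overlapping Host patterns are not resolved against each other.

```python
import re

# Constructed sample config; host aliases and key paths are hypothetical,
# modelled on the ~/.ssh/git-annex/key.HOST naming visible in the diff.
SAMPLE_CONFIG = """\
Host annex-old.example
    IdentityFile ~/.ssh/git-annex/key.old.example

Host annex-new.example
    IdentityFile ~/.ssh/git-annex/key.new.example
    IdentitiesOnly yes

Host plain.example
    User alice
"""

def parse_blocks(text):
    """Split ssh_config text into (header, {keyword: [values]}) blocks."""
    blocks = [("(global)", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        m = re.match(r"(\w+)\s*(?:=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((f"{m.group(1)} {value}", {}))
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks

def missing_identities_only(text):
    """Return headers of blocks that pin a key but still let the agent offer others."""
    blocks = parse_blocks(text)
    # ssh uses the first value it obtains, so a setting above all blocks wins.
    global_value = blocks[0][1].get("identitiesonly", [None])[0]
    flagged = []
    for header, opts in blocks[1:]:
        if "identityfile" not in opts:
            continue
        effective = global_value or opts.get("identitiesonly", ["no"])[0]
        if effective.lower() != "yes":
            flagged.append(header)
    return flagged
```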
diff --git a/Assistant/Ssh.hs b/Assistant/Ssh.hs
index 10a4c7838..7a93a2fa9 100644
--- a/Assistant/Ssh.hs
+++ b/Assistant/Ssh.hs
@@ -172,6 +172,9 @@ genSshKeyPair = withTmpDir "git-annex-keygen" $ \dir -> do
- ~/.ssh/ANYTHING.pub, and uses them indiscriminately. But using this key
- for a normal login to the server will force git-annex-shell to run,
- and locks the user out. Luckily, it does not recurse into subdirectories.
+ -
+ - Similarly, IdentitiesOnly is set in the ssh config to prevent the
+ - ssh-agent from forcing use of a different key.
-}
setupSshKeyPair :: SshKeyPair -> SshData -> IO SshData
setupSshKeyPair sshkeypair sshdata = do
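Review bot: the added comment lines say what IdentitiesOnly prevents but not why that matters for this key. Per the commit message, when the agent forces a different key the authorized_keys line for the dedicated key is not used, so git-annex-shell is not run on the remote; one sentence to that effect in the comment would spare the next reader a trip through the commit log.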
@@ -188,7 +191,9 @@ setupSshKeyPair sshkeypair sshdata = do
writeFile (sshdir </> sshpubkeyfile) (sshPubKey sshkeypair)
setSshConfig sshdata
- [ ("IdentityFile", "~/.ssh/" ++ sshprivkeyfile) ]
+ [ ("IdentityFile", "~/.ssh/" ++ sshprivkeyfile)
+ , ("IdentitiesOnly", "yes")
+ ]
where
sshprivkeyfile = "git-annex" </> "key." ++ mangleSshHostName sshdata
sshpubkeyfile = sshprivkeyfile ++ ".pub"
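Review bot: as far as this hunk shows, IdentitiesOnly reaches setSshConfig only when setupSshKeyPair runs, so a host whose dedicated key was set up before this change keeps a stanza with IdentityFile alone. The commit message lists a fix-up as open item 3; consider a follow-up that adds ("IdentitiesOnly", "yes") to existing git-annex stanzas rather than relying on users to edit .ssh/config.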
diff --git a/debian/changelog b/debian/changelog
index ec8a748e6..d7752f51c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,10 @@ git-annex (4.20130724) UNRELEASED; urgency=low
that caused git-annex sync on FAT or other crippled filesystems to add
symlink standin files to the annex.
* importfeed can be used to import files from podcast feeds.
+ * webapp: When setting up a dedicated ssh key to access the annex
+ on a host, set IdentitiesOnly to prevent the ssh-agent from forcing
+ use of a different ssh key. That could result in unncessary password
+ prompts, or prevent git-annex-shell from being run on the remote host.
* Add status message to XMPP presence tag, to identify to others that
the client is a git-annex client. Closes: #717652
* webapp: When creating a repository on a removable drive, set
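Review bot: typo in the third added line, "unncessary" should be "unnecessary". The entry also describes only new setups; since the commit message says fixing affected systems requires changes to .ssh/config, a sentence telling users with an existing dedicated key to add IdentitiesOnly themselves would belong here.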