aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Joey Hess <joey@kitenet.net>2012-09-26 18:59:18 -0400
committerGravatar Joey Hess <joey@kitenet.net>2012-09-26 18:59:18 -0400
commit051381badc632649db4f37618fbd79292f0b92f5 (patch)
tree540060f3bb3bd1a980e689d34fe04ae5fc6514c9
parent1ffa0436e6353a2b37f5e8b02553fe6c697bf468 (diff)
use ~/.ssh/git-annex-shell wrapper
This was needed for the OSX self-contained app, but is a generally good idea. It avoids needing perl; is probably faster; and could eventually be replaced by something faster yet.
-rw-r--r--Assistant/Install.hs3
-rw-r--r--Assistant/Ssh.hs24
2 files changed, 23 insertions, 4 deletions
diff --git a/Assistant/Install.hs b/Assistant/Install.hs
index b404bc4b6..72a511736 100644
--- a/Assistant/Install.hs
+++ b/Assistant/Install.hs
@@ -47,7 +47,8 @@ ensureInstalled = do
let content = unlines
[ "#!/bin/sh"
, "set -e"
- , "exec", base </> "runshell" ++ " git-annex-shell \"$@\""
+ , "exec", base </> "runshell" ++
+ " git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\""
]
curr <- catchDefaultIO "" $ readFile shim
when (curr /= content) $ do
diff --git a/Assistant/Ssh.hs b/Assistant/Ssh.hs
index 32df9cd0b..876f85466 100644
--- a/Assistant/Ssh.hs
+++ b/Assistant/Ssh.hs
@@ -119,10 +119,20 @@ removeAuthorizedKeys rsynconly pubkey = do
writeFile keyfile $ unlines $ filter (/= keyline) ls
{- Implemented as a shell command, so it can be run on remote servers over
- - ssh. -}
+ - ssh.
+ -
+ - The ~/.ssh/git-annex-shell wrapper script is created if not already
+ - present.
+ -}
addAuthorizedKeysCommand :: Bool -> SshPubKey -> String
addAuthorizedKeysCommand rsynconly pubkey = join "&&"
[ "mkdir -p ~/.ssh"
+ , join "; "
+ [ "if [ ! -e " ++ wrapper ++ " ]"
+ , "then (" ++ join ";" (map echoval script) ++ ") > " ++ wrapper
+ , "fi"
+ ]
+ , "chmod 700 " ++ wrapper
, "touch ~/.ssh/authorized_keys"
, "chmod 600 ~/.ssh/authorized_keys"
, unwords
@@ -131,15 +141,23 @@ addAuthorizedKeysCommand rsynconly pubkey = join "&&"
, ">>~/.ssh/authorized_keys"
]
]
+ where
+ echoval v = "echo " ++ shellEscape v
+ wrapper = "~/.ssh/git-annex-shell"
+ script =
+ [ "#!/bin/sh"
+ , "set -e"
+ , "exec git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\""
+ ]
authorizedKeysLine :: Bool -> SshPubKey -> String
authorizedKeysLine rsynconly pubkey
{- TODO: Locking down rsync is difficult, requiring a rather
- long perl script. -}
| rsynconly = pubkey
- | otherwise = limitcommand "git-annex-shell -c" ++ pubkey
+ | otherwise = limitcommand ++ pubkey
where
- limitcommand c = "command=\"perl -e 'exec qw(" ++ c ++ "), $ENV{SSH_ORIGINAL_COMMAND}'\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding "
+ limitcommand = "command=\"~/.ssh/git-annex-shell\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding "
{- Generates a ssh key pair. -}
genSshKeyPair :: IO SshKeyPair