author | Joey Hess <joey@kitenet.net> | 2012-09-26 18:59:18 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2012-09-26 18:59:18 -0400 |
commit | 051381badc632649db4f37618fbd79292f0b92f5 (patch) | |
tree | 540060f3bb3bd1a980e689d34fe04ae5fc6514c9 | |
parent | 1ffa0436e6353a2b37f5e8b02553fe6c697bf468 (diff) |
use ~/.ssh/git-annex-shell wrapper
This was needed for the OSX self-contained app, but is a generally good
idea. It avoids needing perl; is probably faster; and could eventually
be replaced by something faster yet.
-rw-r--r-- | Assistant/Install.hs | 3 | ||||
-rw-r--r-- | Assistant/Ssh.hs | 24 |
2 files changed, 23 insertions, 4 deletions
diff --git a/Assistant/Install.hs b/Assistant/Install.hs index b404bc4b6..72a511736 100644 --- a/Assistant/Install.hs +++ b/Assistant/Install.hs @@ -47,7 +47,8 @@ ensureInstalled = do let content = unlines [ "#!/bin/sh" , "set -e" - , "exec", base </> "runshell" ++ " git-annex-shell \"$@\"" + , "exec", base </> "runshell" ++ + " git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"" ] curr <- catchDefaultIO "" $ readFile shim when (curr /= content) $ do diff --git a/Assistant/Ssh.hs b/Assistant/Ssh.hs index 32df9cd0b..876f85466 100644 --- a/Assistant/Ssh.hs +++ b/Assistant/Ssh.hs @@ -119,10 +119,20 @@ removeAuthorizedKeys rsynconly pubkey = do writeFile keyfile $ unlines $ filter (/= keyline) ls {- Implemented as a shell command, so it can be run on remote servers over - - ssh. -} + - ssh. + - + - The ~/.ssh/git-annex-shell wrapper script is created if not already + - present. + -} addAuthorizedKeysCommand :: Bool -> SshPubKey -> String addAuthorizedKeysCommand rsynconly pubkey = join "&&" [ "mkdir -p ~/.ssh" + , join "; " + [ "if [ ! -e " ++ wrapper ++ " ]" + , "then (" ++ join ";" (map echoval script) ++ ") > " ++ wrapper + , "fi" + ] + , "chmod 700 " ++ wrapper , "touch ~/.ssh/authorized_keys" , "chmod 600 ~/.ssh/authorized_keys" , unwords 
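Review bot: In the `content` list, `"exec"` and the runshell path are two separate elements, so `unlines` puts `exec` on a line by itself and the shim runs runshell as an ordinary child command rather than exec'ing it. The path from `base` is also written into the script unquoted, so an install directory containing a space or a shell metacharacter would be split or interpreted by sh. Both can be fixed on one line: `, "exec " ++ shellEscape (base </> "runshell") ++ " git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\""`. `shellEscape` is what Assistant/Ssh.hs uses; whether it is in scope in this module is not visible in the hunk. The body of ensureInstalled starts and ends outside the hunk.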
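Review bot: The `[ ! -e ~/.ssh/git-annex-shell ]` guard in addAuthorizedKeysCommand leaves any file already at that path untouched, and the next step only makes it executable. The forced command attached to the new key is therefore whatever that file already contains, which may not be the three-line script defined here. If that is deliberate (presumably to avoid clobbering a shim written by ensureInstalled that goes through runshell), the header comment should say so, for example `An existing wrapper is never overwritten; it may be the standalone-app shim, and its contents are trusted as-is.` The `unwords` list and the `where` bindings for `wrapper` and `script` fall in the following hunk.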
@@ -131,15 +141,23 @@ addAuthorizedKeysCommand rsynconly pubkey = join "&&" , ">>~/.ssh/authorized_keys" ] ] + where + echoval v = "echo " ++ shellEscape v + wrapper = "~/.ssh/git-annex-shell" + script = + [ "#!/bin/sh" + , "set -e" + , "exec git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"" + ] authorizedKeysLine :: Bool -> SshPubKey -> String authorizedKeysLine rsynconly pubkey {- TODO: Locking down rsync is difficult, requiring a rather - long perl script. -} | rsynconly = pubkey - | otherwise = limitcommand "git-annex-shell -c" ++ pubkey + | otherwise = limitcommand ++ pubkey where - limitcommand c = "command=\"perl -e 'exec qw(" ++ c ++ "), $ENV{SSH_ORIGINAL_COMMAND}'\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding " + limitcommand = "command=\"~/.ssh/git-annex-shell\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding " {- Generates a ssh key pair. -} genSshKeyPair :: IO SshKeyPair |
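Review bot: The rewritten `limitcommand` still permits pty allocation for the restricted key; since this line is being replaced anyway, adding `no-pty` tightens it: `limitcommand = "command=\"~/.ssh/git-annex-shell\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty "`. With the forced command now pointing at a file, the restriction is only as strong as that file's contents, so `script` deserves a comment saying it must stay in step with the shim written in Assistant/Install.hs. It is also worth noting in a comment that the wrapper passes `$SSH_ORIGINAL_COMMAND` even when it is unset (a login with no command); how git-annex-shell treats an empty `-c` argument is not visible here.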