author Joey Hess <joeyh@joeyh.name> 2016-03-12 12:57:18 -0400
committer Joey Hess <joeyh@joeyh.name> 2016-03-12 12:57:18 -0400
commit ca10c06819aacc50d4423836ce51fc4486803789
tree e96072aef36f12d28d715fd4b7396d3fea4eef4c /doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote
parent 024dd384140b25f69defd762e41fd5e4af4f3567
rename files containing :
This is mostly to let the repo check out on windows w/o using cygwin's git. But, bash completion is also crap with : , so ..
Diffstat (limited to 'doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote')
-rw-r--r-- doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_1_13737dc99aa877b309f7ebe44ecbafee._comment 16
-rw-r--r-- doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_2_06230669218541ac392d674bedd43176._comment 43
-rw-r--r-- doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_3_002afd775b82a0ced609c8305803a6c2._comment 22
-rw-r--r-- doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_4_9e8fdc41fdefcb8be0d6bae7cd4a04a9._comment 59
4 files changed, 140 insertions, 0 deletions
diff --git a/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_1_13737dc99aa877b309f7ebe44ecbafee._comment b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_1_13737dc99aa877b309f7ebe44ecbafee._comment
new file mode 100644
index 000000000..d8e3f9337
--- /dev/null
+++ b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_1_13737dc99aa877b309f7ebe44ecbafee._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="http://olivier.mehani.name/"
+ nickname="olivier-mehani"
+ subject="comment 1"
+ date="2014-01-22T13:08:21Z"
+ content="""
+Hum, fair enough. The webapp might not be the best target. However, there might already be some logic to deploy the key, only not exposed in any UI (web or CLI).
+
+However, I was under the impression that the key thath git-annex installs remotely is also limited to running git-annex-related tasks (using the command option; I cannot find any example in my configurations at the moment), rather than providing a generic login shell which happens to be used for git-annex.
+
+The command to run on the remote server did not seem to be trivial (this is what I'm currently bumping against), and I guess there already are a few functions which create and install the authorized_files entry. Maybe providing, e.g., a
+
+ git-annex installkey REMOTE
+
+command, automating only this key-setup step for the user, would be good?
+"""]]
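Review bot: In the paragraph leading up to `git-annex installkey REMOTE`, "authorized_files entry" presumably means the `authorized_keys` entry, and "the command option" in the paragraph above it is the `command=` forced-command option of that same file; naming both exactly would make the request unambiguous. "thath" in the second paragraph is a typo for "that".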
diff --git a/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_2_06230669218541ac392d674bedd43176._comment b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_2_06230669218541ac392d674bedd43176._comment
new file mode 100644
index 000000000..79ebb5e7c
--- /dev/null
+++ b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_2_06230669218541ac392d674bedd43176._comment
@@ -0,0 +1,43 @@
+[[!comment format=mdwn
+ username="http://olivier.mehani.name/"
+ nickname="olivier-mehani"
+ subject="Manual solution"
+ date="2014-06-14T13:59:38Z"
+ content="""
+My problem stems from the fact that I manually git clone the git-annex repo, which prevents the assistant from creating the setup to use passwordless keys. I just reverse-engineered a working setup to work up what I was missing. I jot it down here for reference, but I guess the bottomline is that if you want to use the assistant with a repo, do it from the start.
+
+I assume that the client has a clone of the git(-annex) repo of the server.
+
+ client$ git clone server:annex
+
+Our goal is to let git-annex on the client know that there is a specific key to use when connecting to server that will let it access the git-annex-shell (without a password). We first create the key.
+
+ client:~$ ssh-keygen -t rsa -f ~/.ssh/git-annex/key.git-annex-server-user_annex
+ [enter an empty passphrase]
+
+We can then create a virtual SSH host on the client that will use this key to connect to the server, in client:~/.ssh/config:
+
+ # Added manually for git-annex
+ Host git-annex-server-user_annex
+ Hostname server
+ Port 22
+ IdentityFile ~/.ssh/git-annex/key.git-annex-server-user_annex
+ IdentitiesOnly yes
+ StrictHostKeyChecking yes
+
+(git-annex seems to use .2F (%2F) to encode path separators in the filenames.)
+
+The server then needs to know to let the key in, but only for git-annex in the specific folder. This is done in server:.ssh/authorized_keys:
+
+ command=\"GIT_ANNEX_SHELL_DIRECTORY='annex' ~/.ssh/git-annex-shell\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA... user@client
+
+The bit starting with ssh-rsa is the public key created in client:.ssh/git-annex/key.git-annex-server-user_annex.pub at the same time as the private key.
+
+Finally, all that remains is to change the remote in the client clone to use the virtual SSH host.
+
+ client:~/annex $ git remote set-url origin ssh://user@git-annex-server-user_annex/~/annex
+ client:~/annex $ git remote set-url origin --push ssh://user@git-annex-server-user_annex/~/annex
+
+If everything worked, a sync from the client should now work without asking for a password, and starting the assistant will not either.
+
+"""]]
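Review bot: The `authorized_keys` example is shown with backslash-escaped quotes (`command=\"GIT_ANNEX_SHELL_DIRECTORY='annex' ~/.ssh/git-annex-shell\"`); in the real file the value is delimited by plain double quotes, and a reader who pastes the line as written should not expect sshd to accept the entry. Worth either unescaping it or saying that the backslashes are not part of the line. Since the key is created with an empty passphrase, it would also help to state next to that line that the `command=` restriction, together with the `no-*` options, is the only thing limiting what the key can do on the server.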
diff --git a/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_3_002afd775b82a0ced609c8305803a6c2._comment b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_3_002afd775b82a0ced609c8305803a6c2._comment
new file mode 100644
index 000000000..2515349a6
--- /dev/null
+++ b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_3_002afd775b82a0ced609c8305803a6c2._comment
@@ -0,0 +1,22 @@
+[[!comment format=mdwn
+ username="http://olivier.mehani.name/"
+ nickname="olivier-mehani"
+ subject="comment 3"
+ date="2014-06-14T14:15:55Z"
+ content="""
+After having done that on my first test repo, git-annex could sync, but failed to get the files.
+
+ client:~/annex$ git annex get file
+ get file (not available)
+ Try making some of these repositories available:
+ 12345678-90ab-cdef-1234567890abcdef1 -- user@server:~/annex [origin]
+
+ (Note that these git remotes have annex-ignore set: origin)
+ failed
+ git-annex: get: 1 failed
+
+The note helps: the problem is with the origin remote having annex-ignore set. git-annex therefore ignores it. This is easily fixed by just setting the flag to false.
+
+ client:~/annex$ git config remote.origin.annex-ignore false
+
+"""]]
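Review bot: The fix `git config remote.origin.annex-ignore false` is given without saying why origin had annex-ignore set after the manual setup, or how to confirm the change; adding a re-run of `git annex get file` after it would show the expected result. The placeholder in the sample output, `12345678-90ab-cdef-1234567890abcdef1`, is also not in the usual 8-4-4-4-12 UUID form, which may confuse readers comparing it with their own output.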
diff --git a/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_4_9e8fdc41fdefcb8be0d6bae7cd4a04a9._comment b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_4_9e8fdc41fdefcb8be0d6bae7cd4a04a9._comment
new file mode 100644
index 000000000..06d16239a
--- /dev/null
+++ b/doc/todo/wishlist__91__webapp__93____58___add_an_option_to_install__SSH_key_on_remote/comment_4_9e8fdc41fdefcb8be0d6bae7cd4a04a9._comment
@@ -0,0 +1,59 @@
+[[!comment format=mdwn
+ username="http://olivier.mehani.name/"
+ nickname="olivier-mehani"
+ subject="comment 4"
+ date="2014-07-09T01:09:33Z"
+ content="""
+And the ultimate, copy/pastable one, using shell variables:
+
+ export GASERVER=server
+ export GAUSER=user
+ export GAPATH=/path
+
+For the new client (using bash):
+
+ export GASANEPATH=${GAPATH//\//.2F}
+ export GASSHHOSTNAME=${GASERVER}-${GAUSER}_${GASANEPATH}
+ ssh-keygen -t rsa -f ~/.ssh/git-annex/key.git-annex-$GASSHHOSTNAME
+ cat << EOF >> ~/.ssh/config
+ # Added manually for git-annex
+ Host git-annex-$GASSHHOSTNAME
+ Hostname $GASERVER
+ IdentityFile ~/.ssh/git-annex/key.git-annex-$GASSHHOSTNAME
+ IdentitiesOnly yes
+ StrictHostKeyChecking yes
+ EOF
+ ssh-copy-id -i ~/.ssh/git-annex/key.git-annex-$GASSHHOSTNAME $GAUSER@$GASERVER
+ git remote add ${GASERVER/.*/} ssh://${GAUSER}@git-annex-${GASSHHOSTNAME}${GAPATH}
+ git config remote.${GASERVER/.*/}.annex-ignore false
+
+After the `ssh-copy-id` stage, the key can be used to get a full session. This
+needs to be limited on the server, by prepending the following to the newly
+added key in `.ssh/authorized_keys`, replacing `GAPATH` by the value of `$GAPATH`:
+
+ command=\"GIT_ANNEX_SHELL_DIRECTORY='GAPATH' ~/.ssh/git-annex-shell\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty
+
+From the client, one can make sure this has been limite properly by trying to log in with the key:
+
+ ssh -i ~/.ssh/git-annex/key.git-annex-$GASSHHOSTNAME $GAUSER@$GASERVER -o IdentitiesOnly=yes
+
+It should reply with the `git-annex-shell` helper complaing:
+
+ git-annex-shell: bad parameters
+
+ Usage: git-annex-shell [-c] command [parameters ...] [option ...]
+
+ Plumbing commands:
+
+ commit DIRECTORY commits any staged changes to the git-annex branch
+ configlist DIRECTORY outputs relevant git configuration
+ dropkey DIRECTORY KEY ... drops annexed content for specified keys
+ gcryptsetup DIRECTORY VALUE sets up gcrypt repository
+ inannex DIRECTORY KEY ... checks if keys are present in the annex
+ notifychanges DIRECTORY sends notification when git refs are changed
+ recvkey DIRECTORY KEY runs rsync in server mode to receive content
+ sendkey DIRECTORY KEY runs rsync in server mode to send content
+ transferinfo DIRECTORY KEY updates sender on number of bytes of content received
+
+... and this should be all set.
+"""]]
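Review bot: In the client script, `ssh-copy-id -i ...` installs the key with no restrictions, and the `command=` limit is only applied afterwards by hand-editing `.ssh/authorized_keys`, so until that edit is made the key gives a full session, as the text itself says. Consider having the script append the already-restricted line (the options followed by the contents of the `.pub` file) instead of using `ssh-copy-id`, or at least placing the restriction step before the `git remote add` lines so it is not skipped. The restriction line is shown with `\"` where the real file needs plain double quotes, the script never creates `~/.ssh/git-annex` before `ssh-keygen -f` writes into it, and "limite" and "complaing" are typos for "limited" and "complaining".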