So I did a test to replace gitosis on the server, to allow push access to our git repos[0]. The idea was to find a simpler way that doesn't require the granularity gitosis allows, which IMO hurts our horizontal approach, but still has some degree of security...

For this I found git-shell, a tool that comes with the git package and works as a user shell that only allows the git commands needed to push into repos. If you don't want to bother with the technical details, skip to the all caps section of this email.

I created a test user called "git2", with home /srv/git2 and shell /usr/bin/git-shell. Inside this home I mirrored abslibre.git to work on, and copied the .ssh from /srv/git (and cleaned up the stuff gitosis uses to work). This worked OK, except that you have to pass the full path of the repo to push, so if you cloned git://gparabola/abslibre.git you'll have to push into ssh://gparabola/srv/git2/abslibre.git

Now, we needed a method to add new SSH pubkeys in an easy way. Since git2 uses git-shell I couldn't run `ssh-copy-id` unless I specifically enabled it, but it still lacked the accountability I was looking for, that is "X added the new hacker Y", instead of randomly saying on #parabola "Hey I added Y to the repos" or "fauno, when will you add Y?".

I came up with this: manage the SSH pubkeys with another git repo in a way that pushing into it gives immediate access to those keys to the git server. The history management would also allow the kind of accountability I already mentioned by using technical methods embedded in git itself ;)

So I did this: I created a "hackers" git repo locally and added the authorized_keys file and a README explaining how to work with the repo. Under git2, I created "hackers.git" as a bare repo. Then I cloned hackers.git into .ssh and gave it the permissions ssh needs. On hackers.git I added a post-update hook that forces a checkout on .ssh, so anytime someone pushes a key to the server it gets immediately approved by sshd.

WHAT DOES IT ALL MEAN?

* Simple and secure (!) way to add new hackers.
* Any hacker can give access to new hackers, no need to depend on lazy admins.
* Major implications for technocracy in general, so many I won't mention.

ZOMG YOU BROKE X

This isn't implemented yet, I'll do this during the week. Feedback is welcome.

[0]: https://projects.parabolagnulinux.org

--
_______________________________________________ Dev mailing list [email protected] https://lists.parabolagnulinux.org/mailman/listinfo/dev
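The post-update hook the mail describes, written out as an added example (this is not fauno's hook or Parabola's code). It is a variation on the mail's design: instead of forcing a checkout of the whole .ssh clone, it exports only authorized_keys from the pushed branch of hackers.git, refuses a malformed or empty file so one bad push cannot lock every hacker out, and installs it with the 0600 mode sshd expects. Paths follow the mail (user git2, home /srv/git2, bare repo hackers.git); the branch name "master" and the absence of OpenSSH option prefixes (from=, command=, ...) on key lines are assumptions.

```shell
#!/bin/sh
# hackers.git/hooks/post-update (added example, not the original post's hook).
# Assumptions: keys are pushed to "master"; key lines carry no options prefix.
SSH_DIR="${SSH_DIR:-/srv/git2/.ssh}"
BARE_REPO="${BARE_REPO:-/srv/git2/hackers.git}"
BRANCH="${BRANCH:-master}"
# "<type> <base64 blob> [comment]" is the only line shape accepted.
KEY_RE='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]].*)?$'

# Returns 0 only if every non-blank, non-comment line is a well-formed key
# and at least one key is present (an empty file would lock everyone out).
valid_authorized_keys() {
    [ -r "$1" ] || return 1
    bad=$(grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -c -v -E "$KEY_RE") || true
    good=$(grep -c -E "$KEY_RE" "$1") || true
    if [ "$bad" -eq 0 ] && [ "$good" -ge 1 ]; then
        return 0
    fi
    return 1
}

# Export authorized_keys from the pushed branch, check it, install atomically.
deploy_keys() {
    new="$SSH_DIR/authorized_keys.new"
    git --git-dir="$BARE_REPO" show "$BRANCH:authorized_keys" > "$new" || {
        rm -f "$new"; echo "post-update: no authorized_keys on $BRANCH" >&2; return 1; }
    if ! valid_authorized_keys "$new"; then
        rm -f "$new"; echo "post-update: rejected malformed or empty authorized_keys" >&2
        return 1
    fi
    # sshd (StrictModes) wants the file 0600 and ~/.ssh 0700, both owned by git2.
    chmod 600 "$new" && mv -f "$new" "$SSH_DIR/authorized_keys" &&
        echo "post-update: installed $(grep -c -E "$KEY_RE" "$SSH_DIR/authorized_keys") keys"
}

# git sets GIT_DIR when it runs the hook; when the file is merely sourced
# (e.g. to test the validator) nothing is deployed.
if [ -n "${GIT_DIR:-}" ]; then
    deploy_keys
fi
```

The message echoed by the hook is relayed to the pusher as "remote:" output, so a rejected file is visible to the hacker who pushed it rather than silently dropped.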
