Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 19:42:12 -0400:

> That's the way it used to work. I think Andy's changes "fix" it so
> that it doesn't work that way any more. I'm disappointed too, and
> would like to find a solution that works both ways.

Ok, I've reimplemented the original test-http behavior as the default
while retaining the ability to have the same flexibility in using Fossil
capabilities with SSH URLs:

http://www.fossil-scm.org/index.html/timeline?r=ssh-test-http

When you get a chance, see if this works out better.

Basically, the default is to spawn a remote ``fossil test-http'' command
when cloning (or even in an existing open fossil). But if the remote side
requires http and not test-http (e.g. SSH keys are enforcing fossil
http), then the client can request that as well:

  fossil clone --ssh-use-http ssh://amb@remote//tmp/new.fossil clone.fossil

Which of course will require that the user enter the Fossil password.

Thanks,

Andy
--
TAI64 timestamp: 40005204a36f
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Merge SSH changes?
Thus said "Andy Bradford" on 05 Aug 2013 22:42:44 -0600:

> It would be better if I didn't have to rely on a script for this,
> which is why I thought a new fossil subcommand would be useful. This
> would mean all I have to put into my command="" is something like:

Ok, scratch that. I've already conceded that this does not require a new
fossil subcommand (amazing how ideas stick around sometimes). A simple
special purpose binary written in C would suffice.

Andy
--
TAI64 timestamp: 4000520082e4
Re: [fossil-users] Merge SSH changes?
Thus said Matt Welland on Mon, 05 Aug 2013 16:11:00 -0700:

> Each person given access registers their public key (maybe an
> administrator checks them in to an admin fossil similar to how
> gitolite works). Users do not have a fossil password (but they are
> registered with the fossil). This might use or be similar to the CGI
> REMOTE_USER variable workings.

In fact, this is precisely how it can be accomplished. The reason why it
was failing for me before is because 127.0.0.1 is treated specially, so
my initial test failed:

  fossil clone ssh://127.0.0.1//tmp/test.fossil new.fossil

But, as long as the remote IP address is not 127.0.0.1, the script I sent
works just like you would expect. fossil http finds that there is no user
specified, it inspects the REMOTE_USER variable and uses that instead (as
long as Accept REMOTE_USER is enabled in Access).

Wow, this is really cool! Thanks for pointing me to REMOTE_USER. Now it
is extremely easy to set up SSH access where the SSH key provides access
to the fossil via the REMOTE_USER variable. And the end user doesn't even
need to know their fossil username/password.

Again, the script I used was:

  #!/bin/sh
  # The Fossil user name is the force command's only argument.
  REMOTE_USER="$1"
  # Word-split the command the client sent and keep its last word,
  # which is the repository path.
  set -- $SSH_ORIGINAL_COMMAND
  while [ $# -gt 1 ]; do shift; done
  export REMOTE_USER
  exec /home/amb/bin/fossil http "$1"

It would be better if I didn't have to rely on a script for this, which
is why I thought a new fossil subcommand would be useful. This would mean
all I have to put into my command="" is something like:

  command="/home/amb/bin/fossil sshgate user" ssh-rsa ...

sshgate would then read the SSH_ORIGINAL_COMMAND, extract the path to the
requested fossil file, set the REMOTE_USER variable to the user, and then
exec() ``fossil http /path/to/fossil.fossil''

Andy
--
TAI64 timestamp: 400052007ee5
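The ``sshgate'' idea described in the message above, written out as a standalone force-command script. This is an example added to the thread; it is not Andy's script and not part of Fossil. It assumes the repositories live under /home/amb/fossils, a server-side fossil binary at /home/amb/bin/fossil, and a Fossil user name passed as the force command's argument. Unlike the posted script, which forwards whatever last word the client sent, it only accepts ``fossil http <repo>'' or ``fossil test-http <repo>'' where <repo> is a *.fossil path under the repository directory, and it always runs ``fossil http'' so that the REMOTE_USER mapping and Fossil's own permission checks apply.

```shell
#!/bin/sh
# fossil-gate: an SSH force command that maps one authorized key to one
# Fossil user via REMOTE_USER and serves only repositories under REPO_ROOT.
# Constructed example for this thread; not Andy's script and not part of
# Fossil. Paths and the user name are assumptions for illustration.
#
# authorized_keys entry on the server (key material elided):
#   command="/home/amb/bin/fossil-gate alice",no-pty,no-port-forwarding ssh-rsa AAAA...
#
# The Fossil client runs "fossil http <repo>" (or "fossil test-http <repo>")
# over the SSH connection; the server receives that in SSH_ORIGINAL_COMMAND.

set -f   # no pathname expansion: the client-supplied command is word-split below

REPO_ROOT="/home/amb/fossils"        # assumed: directory holding the *.fossil files
FOSSIL_BIN="/home/amb/bin/fossil"    # assumed: server-side fossil binary

# validate_request CMD
# CMD is the SSH_ORIGINAL_COMMAND string. Prints the repository path when
# CMD is exactly "fossil http|test-http <path>" and <path> is an absolute
# *.fossil path under REPO_ROOT; prints nothing and returns 1 otherwise.
# Existence of the file is left to fossil, which reports its own error.
validate_request() {
    # Split on whitespace. Exactly three words are allowed; anything else
    # (extra arguments, an empty command, an interactive login) is refused.
    # shellcheck disable=SC2086
    set -- $1
    [ $# -eq 3 ] || return 1

    case $1 in
        fossil|*/fossil) ;;
        *) return 1 ;;
    esac
    case $2 in
        http|test-http) ;;
        *) return 1 ;;
    esac

    repo=$3
    # Conservative character set, no "..", and the path must be an absolute
    # path to a *.fossil file below REPO_ROOT.
    case $repo in
        *[!A-Za-z0-9._/-]*) return 1 ;;
        *..*) return 1 ;;
        "$REPO_ROOT"/*.fossil) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$repo"
}

# gate_main USER
# Entry point when installed as the force command: USER is the Fossil user
# bound to this key in authorized_keys.
gate_main() {
    user=$1
    repo=$(validate_request "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "fossil-gate: refused request: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        exit 1
    }
    # Per this thread, "fossil http" takes the user from REMOTE_USER when
    # the repository has "Accept REMOTE_USER" enabled under Access.
    REMOTE_USER=$user
    export REMOTE_USER
    # Always run "http", even if the client asked for "test-http": test-http
    # opens the repository with localauth and would bypass the per-key user
    # mapping and Fossil's permission checks.
    exec "$FOSSIL_BIN" http "$repo"
}

# Run the gate only when a user name was given on the command line, so the
# functions above can also be sourced or tested without invoking fossil.
if [ $# -gt 0 ]; then
    gate_main "$@"
fi
```

Each key gets its own authorized_keys line with its own user name, which gives the one-to-one mapping Matt asked for; a key that requests anything other than a repository under REPO_ROOT is refused before fossil is ever started.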
Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 19:42:12 -0400:

> > Once I have my ssh key entered I should be able to do all operations
> > (clone, sync, commit etc.) without entering my password but the
> > remote fossil knows who I am.
>
> That's the way it used to work. I think Andy's changes "fix" it so
> that it doesn't work that way any more. I'm disappointed too, and
> would like to find a solution that works both ways.

The initial changes that I made for this change actually allowed the
user to specify which method to use; http vs test-http. Choosing
test-http (also the default) would have left the original behavior
intact. I did ask whether or not to retain the original behavior, but
some users indicated that test-http shouldn't really be used so I removed
the option:

http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg12190.html

I can certainly add back in those changes if need be.

Andy
--
TAI64 timestamp: 4000520042df
Re: [fossil-users] Merge SSH changes?
Thus said Matt Welland on Mon, 05 Aug 2013 16:11:00 -0700:

> Once I have my ssh key entered I should be able to do all operations
> (clone, sync, commit etc.) without entering my password but the remote
> fossil knows who I am.

Yes, this should be possible by setting the REMOTE_USER environment
variable in the SSH session. It looks like for some reason when I do
that, the clone operation fails because it isn't inheriting the
capabilities of the nobody/anonymous users and I have to explicitly give
the user the clone capability. This needs fixing.

I was able to accomplish it simply with the following script using an
SSH key:

  command="/home/amb/tmp/fossil.sh guest" ssh-rsa

  #!/bin/sh
  # The Fossil user name is the force command's only argument.
  REMOTE_USER="$1"
  # Word-split the command the client sent and keep its last word,
  # which is the repository path.
  set -- $SSH_ORIGINAL_COMMAND
  while [ $# -gt 1 ]; do shift; done
  export REMOTE_USER
  exec /home/amb/bin/fossil http "$1"

Here's a clone:

  $ fossil clone ssh://remote//tmp/test.fossil guest.fossil
  ssh -e none -T remote fossil http /tmp/test.fossil
  Round-trips: 4   Artifacts sent: 0  received: 113
  Clone finished with 971 bytes sent, 16469915 bytes received
  Rebuilding repository meta-data...
  100.0% complete...
  project-id: 8b464ab2d3cfb91d3a8cad20977ea037940e2a79
  admin-user: amb (password is "85ba82")

Any commits done using this SSH key will actually show up as having been
committed by guest (as per the SSH Force Command).

Thanks for asking. It looks like there may be some additional work (I'm
not sure why setting REMOTE_USER didn't pick up all the permissions for
the user).

Andy
--
TAI64 timestamp: 4000520040ea
Re: [fossil-users] Merge SSH changes?
On Mon, Aug 5, 2013 at 7:11 PM, Matt Welland wrote:

> Unfortunately even though I'm very interested I haven't had time to look
> closely at this new ssh approach. Is the following use case possible to
> implement with your code? I ask because I hear some emphasis on the
> many-to-one mapping and I'm interested in one-to-one mapping.
>
> Each person given access registers their public key (maybe an
> administrator checks them in to an admin fossil similar to how gitolite
> works). Users do not have a fossil password (but they are registered with
> the fossil). This might use or be similar to the CGI REMOTE_USER variable
> workings.
>
> Once I have my ssh key entered I should be able to do all operations
> (clone, sync, commit etc.) without entering my password but the remote
> fossil knows who I am.

That's the way it used to work. I think Andy's changes "fix" it so that
it doesn't work that way any more. I'm disappointed too, and would like
to find a solution that works both ways.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Merge SSH changes?
Unfortunately even though I'm very interested I haven't had time to look
closely at this new ssh approach. Is the following use case possible to
implement with your code? I ask because I hear some emphasis on the
many-to-one mapping and I'm interested in one-to-one mapping.

Each person given access registers their public key (maybe an
administrator checks them in to an admin fossil similar to how gitolite
works). Users do not have a fossil password (but they are registered with
the fossil). This might use or be similar to the CGI REMOTE_USER variable
workings.

Once I have my ssh key entered I should be able to do all operations
(clone, sync, commit etc.) without entering my password but the remote
fossil knows who I am.

Thanks.

On Mon, Aug 5, 2013 at 2:52 PM, Richard Hipp wrote:

> On Mon, Aug 5, 2013 at 4:40 PM, Andy Bradford wrote:
>
>> Thus said Richard Hipp on Mon, 05 Aug 2013 16:21:05 -0400:
>>
>> > I just tried it, and it is different, isn't it. :-|. Let me mess
>> > around some and see if I can live with the change. Apparently, I'll
>> > need to get real familiar with --ssh-fossil-user
>>
>> Yes, it's a bit different because now Fossil credentials are required.
>> Before, the file was just opened with localauth enabled.
>>
>> The default behavior is SSH User = Fossil User (credentials required).
>>
>> But with the --ssh-fossil-user it is possible to use any number of
>> Fossil users sharing the same SSH account (primarily through SSH keys).
>>
>> Additionally, it is now possible to use SSH keys and Force Commands to
>> restrict the SSH account to doing Fossil only activities.
>>
>> One thing that I haven't done, but might be necessary, is to change the
>> password prompt from:
>>
>>   password for user:
>>
>> To:
>>
>>   Fossil password for user:
>
> Or maybe: "Password for Fossil user $USER". That would have saved me a
> lot of confusion.
>
>> Or something like that, just so it is not ambiguous which password is
>> being entered.
>>
>> Thanks for looking at it!
>>
>> Andy
>> --
>> TAI64 timestamp: 400052000dc3
>
> --
> D. Richard Hipp
> d...@sqlite.org

--
Matt
-=-
90% of the nation's wealth is held by 2% of the people. Bummer to be in
the majority...
Re: [fossil-users] Merge SSH changes?
On Mon, Aug 5, 2013 at 4:40 PM, Andy Bradford wrote:

> Thus said Richard Hipp on Mon, 05 Aug 2013 16:21:05 -0400:
>
> > I just tried it, and it is different, isn't it. :-|. Let me mess
> > around some and see if I can live with the change. Apparently, I'll
> > need to get real familiar with --ssh-fossil-user
>
> Yes, it's a bit different because now Fossil credentials are required.
> Before, the file was just opened with localauth enabled.
>
> The default behavior is SSH User = Fossil User (credentials required).
>
> But with the --ssh-fossil-user it is possible to use any number of
> Fossil users sharing the same SSH account (primarily through SSH keys).
>
> Additionally, it is now possible to use SSH keys and Force Commands to
> restrict the SSH account to doing Fossil only activities.
>
> One thing that I haven't done, but might be necessary, is to change the
> password prompt from:
>
>   password for user:
>
> To:
>
>   Fossil password for user:

Or maybe: "Password for Fossil user $USER". That would have saved me a
lot of confusion.

> Or something like that, just so it is not ambiguous which password is
> being entered.
>
> Thanks for looking at it!
>
> Andy
> --
> TAI64 timestamp: 400052000dc3

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Merge SSH changes?
Thus said "Andy Bradford" on 05 Aug 2013 14:40:08 -0600:

> Additionally, it is now possible to use SSH keys and Force Commands to
> restrict the SSH account to doing Fossil only activities.

s/possible/easier/

It was always possible to write a wrapper script, but it's much easier
if fossil is the only thing running:

  command="/home/amb/bin/fossil http fossils/project.fossil" ssh-rsa ...

One further note regarding the SSH credentials + SSH credentials; it's
not very different from using SSL Client certificates. With SSL Client
certificates, you must have both the authentication via SSL and the
authentication via Fossil to gain access.

Andy
--
TAI64 timestamp: 400052000f57
Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 16:21:05 -0400:

> I just tried it, and it is different, isn't it. :-|. Let me mess
> around some and see if I can live with the change. Apparently, I'll
> need to get real familiar with --ssh-fossil-user

Yes, it's a bit different because now Fossil credentials are required.
Before, the file was just opened with localauth enabled.

The default behavior is SSH User = Fossil User (credentials required).

But with the --ssh-fossil-user it is possible to use any number of
Fossil users sharing the same SSH account (primarily through SSH keys).

Additionally, it is now possible to use SSH keys and Force Commands to
restrict the SSH account to doing Fossil only activities.

One thing that I haven't done, but might be necessary, is to change the
password prompt from:

  password for user:

To:

  Fossil password for user:

Or something like that, just so it is not ambiguous which password is
being entered.

Thanks for looking at it!

Andy
--
TAI64 timestamp: 400052000dc3
Re: [fossil-users] Merge SSH changes?
On Mon, Aug 5, 2013 at 1:47 PM, Andy Bradford wrote:

> Hello,
>
> Last week I sent out an email regarding the new SSH changes, which I
> believe are ready to go:
>
> http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg12579.html
>
> I have been using it and it feels stable. There has only been one change
> since then (cleans up output during exchanges):
>
> http://fossil-scm.org/index.html/info/d1771cd138
>
> Any objections to having this branch for changed SSH behavior merged in
> and the changes published into www/changes.wiki?

I just tried it, and it is different, isn't it. :-|. Let me mess around
some and see if I can live with the change. Apparently, I'll need to get
real familiar with --ssh-fossil-user

--
D. Richard Hipp
d...@sqlite.org
[fossil-users] Merge SSH changes?
Hello,

Last week I sent out an email regarding the new SSH changes, which I
believe are ready to go:

http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg12579.html

I have been using it and it feels stable. There has only been one change
since then (cleans up output during exchanges):

http://fossil-scm.org/index.html/info/d1771cd138

Any objections to having this branch for changed SSH behavior merged in
and the changes published into www/changes.wiki?

Thanks,

Andy
--
TAI64 timestamp: 400051ffe53d