Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 19:42:12 -0400:

> That's the way it used to work. I think Andy's changes fix it so that it doesn't work that way any more. I'm disappointed too, and would like to find a solution that works both ways.

Ok, I've reimplemented the original test-http behavior as the default while retaining the ability to have the same flexibility in using Fossil capabilities with SSH URLs:

http://www.fossil-scm.org/index.html/timeline?r=ssh-test-http

When you get a chance, if this works out better.

Basically, the default is to spawn a remote ``fossil test-http'' command when cloning (or even in an existing open fossil). But if the remote side requires http and not test-http (e.g. SSH keys are enforcing fossil http), then the client can request that as well:

    fossil clone --ssh-use-http ssh://amb@remote//tmp/new.fossil clone.fossil

Which of course will require that the user enter the Fossil password.

Thanks,

Andy
--
TAI64 timestamp: 40005204a36f

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Merge SSH changes?
On Mon, Aug 5, 2013 at 1:47 PM, Andy Bradford amb-fos...@bradfords.org wrote:

> Hello,
>
> Last week I sent out an email regarding the new SSH changes, which I believe are ready to go:
>
> http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg12579.html
>
> I have been using it and it feels stable. There has only been one change since then (cleans up output during exchanges):
>
> http://fossil-scm.org/index.html/info/d1771cd138
>
> Any objections to having this branch for changed SSH behavior merged in and the changes published into www/changes.wiki?

I just tried it, and it is different, isn't it. :-|. Let me mess around some and see if I can live with the change. Apparently, I'll need to get real familiar with --ssh-fossil-user

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 16:21:05 -0400:

> I just tried it, and it is different, isn't it. :-|. Let me mess around some and see if I can live with the change. Apparently, I'll need to get real familiar with --ssh-fossil-user

Yes, it's a bit different because now Fossil credentials are required. Before, the file was just opened with localauth enabled.

The default behavior is SSH User = Fossil User (credentials required). But with the --ssh-fossil-user it is possible to use any number of Fossil users sharing the same SSH account (primarily through SSH keys).

Additionally, it is now possible to use SSH keys and Force Commands to restrict the SSH account to doing Fossil only activities.

One thing that I haven't done, but might be necessary, is to change the password prompt from:

    password for user:

To:

    Fossil password for user:

Or something like that, just so it is not ambiguous which password is being entered.

Thanks for looking at it!

Andy
--
TAI64 timestamp: 400052000dc3
Re: [fossil-users] Merge SSH changes?
Thus said Andy Bradford on 05 Aug 2013 14:40:08 -0600:

> Additionally, it is now possible to use SSH keys and Force Commands to restrict the SSH account to doing Fossil only activities.

s/possible/easier/

It was always possible to write a wrapper script, but it's much easier if fossil is the only thing running:

    command="/home/amb/bin/fossil http fossils/project.fossil" ssh-rsa ...

One further note regarding the SSH credentials + SSH credentials; it's not very different from using SSL Client certificates. With SSL Client certificates, you must have both the authentication via SSL and the authentication via Fossil to gain access.

Andy
--
TAI64 timestamp: 400052000f57
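The wrapper-script alternative mentioned in the message above, sketched as an added example; it is not code from the thread or from the Fossil project. The script name `fossil-only`, the `REPO_DIR` layout and the assumed form of the request in `SSH_ORIGINAL_COMMAND` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a Fossil-only SSH account.
# Assumed authorized_keys entry (script path is hypothetical):
#   command="/home/amb/bin/fossil-only",no-pty,no-port-forwarding ssh-rsa ...
# Assumption: sshd passes the client's request in SSH_ORIGINAL_COMMAND as
#   "<fossil> http <repo>" or "<fossil> test-http <repo>".

REPO_DIR="${REPO_DIR:-$HOME/fossils}"       # hypothetical repository directory
FOSSIL="${FOSSIL:-/home/amb/bin/fossil}"    # binary path as used in the thread

# Print the repository path the request may use, or return 1 to refuse.
# The client's first word and any directory part of the path are ignored:
# the repository is always looked up by file name under REPO_DIR.
allowed_repo() {
    set -f                    # no glob expansion while splitting the request
    # shellcheck disable=SC2086
    set -- $1
    set +f
    [ "$#" -eq 3 ] || return 1            # exactly: program, verb, repository
    case "$2" in
        http|test-http) ;;
        *) return 1 ;;
    esac
    name=${3##*/}                         # final path component only
    case "$name" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, hidden, shell metachars
        *.fossil) ;;
        *) return 1 ;;
    esac
    printf '%s/%s\n' "$REPO_DIR" "$name"
}

# Runs only when sshd invoked the wrapper with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    repo=$(allowed_repo "$SSH_ORIGINAL_COMMAND") || {
        echo "refused: this account only serves Fossil repositories" >&2
        exit 1
    }
    # Always run "fossil http" (the mode the thread says requires Fossil
    # credentials), whichever verb the client asked for.
    exec "$FOSSIL" http "$repo"
fi
```
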
Re: [fossil-users] Merge SSH changes?
On Mon, Aug 5, 2013 at 4:40 PM, Andy Bradford amb-fos...@bradfords.org wrote:

> Thus said Richard Hipp on Mon, 05 Aug 2013 16:21:05 -0400:
>
> > I just tried it, and it is different, isn't it. :-|. Let me mess around some and see if I can live with the change. Apparently, I'll need to get real familiar with --ssh-fossil-user
>
> Yes, it's a bit different because now Fossil credentials are required. Before, the file was just opened with localauth enabled.
>
> The default behavior is SSH User = Fossil User (credentials required). But with the --ssh-fossil-user it is possible to use any number of Fossil users sharing the same SSH account (primarily through SSH keys).
>
> Additionally, it is now possible to use SSH keys and Force Commands to restrict the SSH account to doing Fossil only activities.
>
> One thing that I haven't done, but might be necessary, is to change the password prompt from:
>
>     password for user:
>
> To:
>
>     Fossil password for user:

Or maybe: Password for Fossil user $USER. That would have saved me a lot of confusion.

> Or something like that, just so it is not ambiguous which password is being entered.
>
> Thanks for looking at it!
>
> Andy
> --
> TAI64 timestamp: 400052000dc3

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Merge SSH changes?
Unfortunately even though I'm very interested I haven't had time to look closely at this new ssh approach. Is the following use case possible to implement with your code? I ask because I hear some emphasis on the many-to-one mapping and I'm interested in one-to-one mapping.

Each person given access registers their public key (maybe an administrator checks them in to an admin fossil similar to how gitolite works). Users do not have a fossil password (but they are registered with the fossil). This might use or be similar to the CGI REMOTE_USER variable workings.

Once I have my ssh key entered I should be able to do all operations (clone, sync, commit etc.) without entering my password but the remote fossil knows who I am.

Thanks.

--
Matt
-=-
90% of the nation's wealth is held by 2% of the people. Bummer to be in the majority...
Re: [fossil-users] Merge SSH changes?
Thus said Richard Hipp on Mon, 05 Aug 2013 19:42:12 -0400:

> > Once I have my ssh key entered I should be able to do all operations (clone, sync, commit etc.) without entering my password but the remote fossil knows who I am.
>
> That's the way it used to work. I think Andy's changes fix it so that it doesn't work that way any more. I'm disappointed too, and would like to find a solution that works both ways.

The initial changes that I made for this change actually allowed the user to specify which method to use; http vs test-http. Choosing test-http (also the default) would have left the original behavior intact. I did ask whether or not to retain the original behavior, but some users indicated that test-http shouldn't really be used so I removed the option:

http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg12190.html

I can certainly add back in those changes if needs be.

Andy
--
TAI64 timestamp: 4000520042df
Re: [fossil-users] Merge SSH changes?
Thus said Andy Bradford on 05 Aug 2013 22:42:44 -0600:

> It would be better if I didn't have to rely on a script for this, which is why I thought a new fossil subcommand would be useful. This would mean all I have to put into my command= is something like:

Ok, scratch that. I've already conceded that this does not require a new fossil subcommand (amazing how ideas stick around sometimes). A simple special purpose binary written in C would suffice.

Andy
--
TAI64 timestamp: 4000520082e4