Gitea: Proposal: get rid of the authorized_keys file with AuthorizedKeysCommand

Created on 4 Jun 2017  路  13Comments  路  Source: go-gitea/gitea

If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files.

With AuthorizedKeysCommand, public keys can be verified dynamically from database like the embed golang ssh server does.

As of OpenSSH 6.9p1 (released at 2015-07-01), the openssh-for-git patch is not needed anymore (bz#2081), we can use the %f token to pass fingerprint as command line argument to AuthorizedKeysCommand which can be used to recognize the remote user.

kinfeature
Source
picture tsl0922
👍2

Most helpful comment

Maybe we could check for ssh version and work either new way or old depending on it

picture lafriks on 4 Jun 2017
👍2

All 13 comments

But maybe not all the Open SSHD has applied the patch?

lunny picture lunny on 4 Jun 2017

@lunny This patch has been applied to OpenSSH over 2 years, recent versions of major linux distributions should have come with this support.

tsl0922 picture tsl0922 on 4 Jun 2017

The only blocking distrib should be debian that is still on 6.7 on stable. But stable will upgrade in the next weeks and version will be 7.4 on debina 9 so this could be implemented and deployed after debian release maybe ?

sapk picture sapk on 4 Jun 2017

Maybe we could check for ssh version and work either new way or old depending on it

lafriks picture lafriks on 4 Jun 2017
👍2

@lafriks Yes, good idea.

lunny picture lunny on 5 Jun 2017

I _really_ don't like having 2 paths (since testing becomes hard...) but I also don't like rebuilding authorized_keys all the time, and I don't like dropping support for older versions 馃槢

bkcsoft picture bkcsoft on 11 Jun 2017

@bkcsoft there is already two ways anyway. Builtin ssh way and external ssh with rebuilding keys file

lafriks picture lafriks on 11 Jun 2017
😕1

Well, in any case we should not make assuptions about the SSH-server in use. Not everyone uses OpenSSH. So this would have to be an optional setting.

bkcsoft picture bkcsoft on 15 Jun 2017

Citing https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#configuring-ssh:

NOTE: The Phabricator sshd service MUST be 6.2 or newer, because Phabricator relies on the AuthorizedKeysCommand option.

This version of OpenSSH has been available for quite a while, Debian oldstable and oldoldstable have it available.

For users of the Docker container, Gitea is in control of the version shipped. Others will most likely use OpenSSH as well, and should be able to upgrade their servers (I mean, if they are not, then their system is probably too outdated for anything else anyway). Dropbear etc. don't support it natively.

Another option is to create an SSH daemon for these purposes with the native ssh package. I could imagine there's projects doing that already.

TheAssassin picture TheAssassin on 2 Sep 2017

In fact, I'm using wheezy running Gitea.

lunny picture lunny on 3 Sep 2017

Which is the last supported version of Debian and for which an appropriate version of OpenSSH is available in the backports.

(Not to mention that everyone running oldoldstable should upgrade ASAP anyway.)

TheAssassin picture TheAssassin on 3 Sep 2017

Since the merge of #5236, Gitea now provides a mechanism for using AuthorizedKeysCommand.

zeripath picture zeripath on 1 Nov 2018

Fixed by #5236

lafriks picture lafriks on 1 Nov 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

haytona picture haytona  路  3Comments
internalfx picture internalfx  路  3Comments
BNolet picture BNolet  路  3Comments
lunny picture lunny  路  3Comments
BRMateus2 picture BRMateus2  路  3Comments