Proposal: get rid of the authorized_keys file with AuthorizedKeysCommand #1870
Comments
But maybe not all OpenSSH servers have applied the patch?
@lunny This patch has been applied to OpenSSH for over 2 years; recent versions of major Linux distributions should come with this support.
The only blocking distribution should be Debian, which is still on 6.7 in stable. But stable will upgrade in the next weeks and the version will be 7.4 on Debian 9, so this could be implemented and deployed after the Debian release maybe?
Maybe we could check for the SSH version and work either the new way or the old way depending on it.
@lafriks Yes, good idea.
I really don't like having 2 paths (since testing becomes hard...) but I also don't like rebuilding.
@bkcsoft there are already two ways anyway: the builtin SSH way and external SSH with rebuilding the keys file.
Well, in any case we should not make assumptions about the SSH server in use. Not everyone uses OpenSSH. So this would have to be an optional setting.
Citing https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#configuring-ssh:
This version of OpenSSH has been available for quite a while; Debian oldstable and oldoldstable have it available. For users of the Docker container, Gitea is in control of the version shipped. Others will most likely use OpenSSH as well, and should be able to upgrade their servers (I mean, if they are not, then their system is probably too outdated for anything else anyway). Dropbear etc. don't support it natively. Another option is to create an SSH daemon for these purposes with the native ssh package. I could imagine there are projects doing that already.
In fact, I'm using wheezy to run Gitea.
Which is the last supported version of Debian, and for which an appropriate version of OpenSSH is available in the backports. (Not to mention that everyone running oldoldstable should upgrade ASAP anyway.)
Since the merge of #5236, Gitea now provides a mechanism for using AuthorizedKeysCommand. |
Fixed by #5236 |
With `AuthorizedKeysCommand`, public keys can be verified dynamically from the database, like the embedded Go SSH server does. As of OpenSSH 6.9p1 (released on 2015-07-01), the openssh-for-git patch is not needed anymore (bz#2081): we can use the `%f` token to pass the fingerprint as a command line argument to `AuthorizedKeysCommand`, which can be used to recognize the remote user.
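As an added illustration of the mechanism described in this issue (example code written for this page, not Gitea's implementation): a minimal `AuthorizedKeysCommand` that receives `%u` and `%f`, looks the fingerprint up in a constructed stand-in for the public key table, and prints a restricted authorized_keys line. The `gitea serv key-N` command string, the `git` run user, the sshd_config lines and the key blob are assumptions made for the example.

```python
"""Example AuthorizedKeysCommand (not Gitea's own code).

Assumed sshd_config (OpenSSH >= 6.9, which added arguments such as %f):
    AuthorizedKeysCommand /usr/local/bin/gitea-keys %u %f
    AuthorizedKeysCommandUser nobody

sshd runs the command and expects zero or more authorized_keys lines on
stdout. The fingerprint is only a lookup hint: sshd still verifies the
client's signature against the returned key, so a wrong line just fails.
"""
import base64
import hashlib
import sys

GIT_USER = "git"  # assumed RUN_USER; other login names get no keys

# Constructed stand-in for the key table: id -> OpenSSH public key text.
# The blob is made up (ssh-ed25519 wire framing around 32 dummy bytes).
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
KEY_DB = {1: "ssh-ed25519 " + base64.b64encode(_BLOB).decode()}


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form sshd passes as %f: 'SHA256:' + unpadded base64."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_keys_lines(user: str, fp: str) -> list:
    """Return authorized_keys lines for the key matching fp, or [] if none."""
    if user != GIT_USER:
        return []
    lines = []
    # A real deployment would query an indexed fingerprint column instead.
    for key_id, key in KEY_DB.items():
        if fingerprint(key) == fp:
            # Pin the key to the serv command and drop shell-like capabilities.
            opts = (f'command="/path/to/gitea serv key-{key_id}",'
                    "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty")
            lines.append(f"{opts} {key}")
    return lines


if __name__ == "__main__":
    # argv: <user from %u> <fingerprint from %f>
    print("\n".join(authorized_keys_lines(sys.argv[1], sys.argv[2])))
```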