Homec4science

Implement SSHD glue and Conduit SSH endpoint

Authored by epriestley <git@epriestley.com> on Dec 19 2012, 20:08.

Description

Implement SSHD glue and Conduit SSH endpoint

Summary:

  • Build "sshd-auth" (for authentication) and "sshd-exec" (for command execution) binaries. These are callable by "sshd-vcs", located in my account on GitHub. They are based on precursors here on GitHub which I deployed for TenXer about a year ago, so I have some confidence they at least basically work.
    • The problem this solves is that normally every user would need an account on a machine to connect to it, and/or their public keys would all need to be listed in ~/.authorized_keys. This is a big pain in most installs. Software like Gitosis/Gitolite solve this problem by giving you an easy way to add public keys to ~/.authorized_keys, but this is pretty gross.
    • Roughly, instead of looking in ~/.authorized_keys when a user connects, the patched sshd instead runs echo <public key> | sshd-auth. The sshd-auth script looks up the public key and authorizes the matching user, if they exist. It also forces sshd to run sshd-exec instead of a normal shell.
    • sshd-exec receives the authenticated user and any command which was passed to ssh (like git receive-pack) and can route them appropriately.
    • Overall, this permits a single account to be set up on a server which all Phabricator users can connect to without any extra work, and which can safely execute commands and apply appropriate permissions, and disable users when they are disabled in Phabricator and all that stuff.
  • Build out "sshd-exec" to do more thorough checks and setup, and delegate command execution to Workflows (they now exist, and did not when I originally built this stuff).
  • Convert @btrahan's conduit API script into a workflow and slightly simplify it (ConduitCall did not exist at the time it was written).

The next steps here on the Repository side are to implement Workflows for Git, SVN and HG wire protocols. These will mostly just proxy the protocols, but also need to enforce permissions. So the approach will basically be:

  • Implement workflows for stuff like git receive-pack.
  • These workflows will implement enough of the underlying protocol to determine what resource the user is trying to access, and whether they want to read or write it.
  • They'll then do a permissons check, and kick the user out if they don't have permission to do whatever they are trying to do.
  • If the user does have permission, we just proxy the rest of the transaction.

Next steps on the Conduit side are more simple:

  • Make ConduitClient understand "ssh://" URLs.

Test Plan: Ran sshd-exec --phabricator-ssh-user epriestley conduit differential.query, etc. This will get a more comprehensive test once I set up sshd-vcs.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603, T550

Differential Revision: https://secure.phabricator.com/D4229

Details

Committed
epriestley <git@epriestley.com>Dec 19 2012, 20:08
Pushed
aubortJan 31 2017, 17:16
Parents
rPHdb89e23761f0: Make Repositories partially policy-aware
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHe78898970ab6: Implement SSHD glue and Conduit SSH endpoint (authored by epriestley <git@epriestley.com>).Dec 19 2012, 20:08