authorRob Austein <sra@hactrn.net>2017-05-21 22:13:00 -0400
committerRob Austein <sra@hactrn.net>2017-05-21 22:13:00 -0400
commit54dc2f126d4921985211b1732d34feaaa5dcb1f8 (patch)
tree760ba1e97191804f0b3c63efeaf076224df479ea /git-remote-only
First public version.
Diffstat (limited to 'git-remote-only')
-rwxr-xr-xgit-remote-only19
1 files changed, 19 insertions, 0 deletions
diff --git a/git-remote-only b/git-remote-only
new file mode 100755
index 0000000..27aab6d
--- /dev/null
+++ b/git-remote-only
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+#
+# Restrict an ssh authorized_keys entry to be used only for git push
+# and git fetch. Use thusly:
+#
+# command="git-remote-only /path/to/repository.git alice@example.org" ssh-rsa ABCDEF....== alice@example.org dedicated git key
+#
+# You might also want options like no-port-forwarding,no-X11-forwarding,no-agent-forwarding.
+
+import os, sys, shlex
+
+os.environ.update(GIT_REMOTE_ONLY_COMMAND = " ".join(sys.argv))
+
+cmd = shlex.split(os.getenv("SSH_ORIGINAL_COMMAND", ""))
+
+if len(cmd) == 2 and cmd[0] in ("git-upload-pack", "git-receive-pack") and cmd[1] == sys.argv[1]:
+ os.execv("/usr/bin/" + cmd[0], cmd)
+
+sys.exit("Not authorized: {}".format(" ".join(cmd)))
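Review bot: The usage comment in the header presents `no-port-forwarding,no-X11-forwarding,no-agent-forwarding` as something you "might also want", but `command=` only fixes the session command. A key installed exactly as the example line shows can still request TCP, X11 and agent forwarding, so it is not limited to git push and fetch. The example should carry the restriction itself, e.g. `# command="git-remote-only /path/to/repository.git alice@example.org",restrict ssh-rsa ...` where sshd supports `restrict`, or the explicit `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` list otherwise, and the last comment line should say these options are required for the restriction to hold. Separately, an unbalanced quote in SSH_ORIGINAL_COMMAND makes `shlex.split` raise ValueError, and a missing repository argument makes `sys.argv[1]` raise IndexError. Both fail closed, but likely send a Python traceback to the client rather than the intended "Not authorized" message, so consider an argument-count check at the top and `except ValueError: cmd = []` around the split.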