From 54dc2f126d4921985211b1732d34feaaa5dcb1f8 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Sun, 21 May 2017 22:13:00 -0400
Subject: First public version.
---
git-remote-only | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100755 git-remote-only
(limited to 'git-remote-only')
diff --git a/git-remote-only b/git-remote-only
new file mode 100755
index 0000000..27aab6d
--- /dev/null
+++ b/git-remote-only
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+#
+# Restrict an ssh authorized_keys entry to be used only for git push
+# and git fetch. Use thusly:
+#
+# command="git-remote-only /path/to/repository.git alice@example.org" ssh-rsa ABCDEF....== alice@example.org dedicated git key
+#
+# You might also want options like no-port-forwarding,no-X11-forwarding,no-agent-forwarding.
+
+import os, sys, shlex
+
+os.environ.update(GIT_REMOTE_ONLY_COMMAND = " ".join(sys.argv))
+
+cmd = shlex.split(os.getenv("SSH_ORIGINAL_COMMAND", ""))
+
+if len(cmd) == 2 and cmd[0] in ("git-upload-pack", "git-receive-pack") and cmd[1] == sys.argv[1]:
+ os.execv("/usr/bin/" + cmd[0], cmd)
+
+sys.exit("Not authorized: {}".format(" ".join(cmd)))
-- cgit v1.2.3
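Review bot: The usage example in the header comment shows only `command="..."` and relegates the forwarding options to "you might also want", but a forced command governs only the session channel, so a key installed exactly as shown can still request TCP, agent and X11 forwarding and is not actually limited to git push and fetch. I would put the restriction into the example line itself, e.g. `# restrict,command="git-remote-only /path/to/repository.git alice@example.org" ssh-rsa ...` on OpenSSH 7.2 or later, or the explicit `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` list on older servers, and state that it is required rather than optional. Separately, `shlex.split` raises ValueError when SSH_ORIGINAL_COMMAND has an unbalanced quote; that fails closed, but the client gets a Python traceback instead of the "Not authorized" message, so catching ValueError and treating `cmd` as empty would keep the denial path uniform. The same final line echoes the client-supplied command back verbatim, which is harmless on stderr but worth remembering if this output is ever logged or rendered elsewhere.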