| 123456789101112131415161718192021222324252627282930313233 |
- #!/usr/bin/env python3
- #
- # Restrict an ssh authorized_keys entry to be used only for git push
- # and git fetch. Use thusly:
- #
- # command="git-remote-only /path/to/repository.git alice@example.org" ssh-rsa ABCDEF....== alice@example.org dedicated git key
- #
- # You might also want options like no-port-forwarding,no-X11-forwarding,no-agent-forwarding.
- #
- # Copyright (c) 2017, Grunchweather Associates
- #
- # Permission to use, copy, modify, and/or distribute this software for any
- # purpose with or without fee is hereby granted, provided that the above
- # copyright notice and this permission notice appear in all copies.
- #
- # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
- # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
- # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- # PERFORMANCE OF THIS SOFTWARE.
- import os, sys, shlex
- os.environ.update(GIT_REMOTE_ONLY_COMMAND = " ".join(sys.argv))
- cmd = shlex.split(os.getenv("SSH_ORIGINAL_COMMAND", ""))
- if len(cmd) == 2 and cmd[0] in ("git-upload-pack", "git-receive-pack") and cmd[1] == sys.argv[1]:
- os.execv("/usr/bin/" + cmd[0], cmd)
- sys.exit("Not authorized: {}".format(" ".join(cmd)))
|
