From 010e9ba14caa117272ab160e18c0a8bda3a4b0e4 Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Sun, 1 Aug 2021 23:37:30 +0100
Subject: [PATCH] git: Verify SSH keys when added

---
 config/service/git/spec.bu | 2 +-
 config/service/git/systemd/git-ssh-ed25519@.service | 1 +
 config/service/git/systemd/git-ssh-github@.service | 1 +
 config/service/git/systemd/git-ssh-pubkey@.service | 7 ++++---
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/config/service/git/spec.bu b/config/service/git/spec.bu
index fe843eb..f83a424 100644
--- a/config/service/git/spec.bu
+++ b/config/service/git/spec.bu
@@ -14,7 +14,7 @@ systemd:
 enabled: true
 - name: git-ssh-github@.service
 enabled: true
- - name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
+ - name: git-ssh-pubkey@etc-ssh-ssh_host_rsa_key.pub.service
 enabled: true
 dropins:
 - name: wait-for-key.conf
diff --git a/config/service/git/systemd/git-ssh-ed25519@.service b/config/service/git/systemd/git-ssh-ed25519@.service
index bae08aa..4141c10 100644
--- a/config/service/git/systemd/git-ssh-ed25519@.service
+++ b/config/service/git/systemd/git-ssh-ed25519@.service
@@ -9,6 +9,7 @@ RemainAfterExit=true
 ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
 ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
 ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"
+ExecStartPost=/bin/podman exec git ssh-keygen -l -f /var/lib/git/.ssh/authorized_keys.d/%i
 ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
 ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
 ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
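Review bot: The added `ssh-keygen -l` line checks the fragment only after ExecStart has already written it to `authorized_keys.d/%i`, so a rejected key is not actually withdrawn: the failing ExecStartPost fails the unit and skips the later ExecStartPost lines, but systemd does not run ExecStop= for a unit that failed during start-up, and the bad fragment is then swept into `authorized_keys` the next time any sibling instance regenerates it with `cat authorized_keys.d/*`. Cleaning up unconditionally closes that gap, e.g. `ExecStopPost=-/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i`, or validate the line before it is written (`echo 'ssh-ed25519 %I' | ssh-keygen -l -f -` in an ExecStartPre, if the installed ssh-keygen accepts `-f -`). Note also that `ssh-keygen -l` only proves the string parses as some key; it does not constrain key type or size, which is fine here given the fixed `ssh-ed25519` prefix but matters for the sibling units that import arbitrary files.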
diff --git a/config/service/git/systemd/git-ssh-github@.service b/config/service/git/systemd/git-ssh-github@.service
index 94f64aa..9ae3788 100644
--- a/config/service/git/systemd/git-ssh-github@.service
+++ b/config/service/git/systemd/git-ssh-github@.service
@@ -10,6 +10,7 @@ ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 070
 ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
 ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/%N.key https://github.com/%i.keys
 ExecStart=/bin/sh -c 'podman cp /tmp/%N.key git:/var/lib/git/.ssh/authorized_keys.d/github-%i && rm -f /tmp/%N.key'
+ExecStartPost=/bin/podman exec git ssh-keygen -l -f /var/lib/git/.ssh/authorized_keys.d/github-%i
 ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
 ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
 ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/github-%i
diff --git a/config/service/git/systemd/git-ssh-pubkey@.service b/config/service/git/systemd/git-ssh-pubkey@.service
index 5930068..d01b7a1 100644
--- a/config/service/git/systemd/git-ssh-pubkey@.service
+++ b/config/service/git/systemd/git-ssh-pubkey@.service
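Review bot: For a multi-key `.keys` download the new `ssh-keygen -l` line is a weaker gate than it looks: in the OpenSSH implementation an authorized_keys-style file is walked line by line and one good key is sufficient for a zero exit, so a response with one valid key and one garbled line still passes (an empty body, e.g. a user with no keys, is rejected, which `curl --fail` alone would not catch). The check also runs after `podman cp` has already placed the file in `authorized_keys.d/github-%i`, and because ExecStop= is skipped for a unit that fails during start-up the file stays there until the next regeneration of `authorized_keys` picks it up. Validating the download on the host before it is copied avoids both, e.g. `ExecStartPre=/usr/bin/ssh-keygen -l -f /tmp/%N.key` inserted after the curl line, provided ssh-keygen is installed on the host.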
@@ -1,15 +1,16 @@
 [Unit]
-Description=Git SSH authentication via public key file %I
+Description=Git SSH authentication via public key file /%I
 Wants=git.service
 After=git.service
-ConditionPathExists=%I
+ConditionFileNotEmpty=/%I
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
 ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
 ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
-ExecStart=/bin/podman cp %I git:/var/lib/git/.ssh/authorized_keys.d/%i
+ExecStart=/bin/podman cp /%I git:/var/lib/git/.ssh/authorized_keys.d/%i
+ExecStartPost=/bin/podman exec git ssh-keygen -l -f /var/lib/git/.ssh/authorized_keys.d/%i
 ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
 ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
 ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
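Review bot: `ssh-keygen -l` also accepts an unencrypted private key file (it prints the fingerprint of the embedded public key), so the new check on `authorized_keys.d/%i` does not stop an operator who points this unit at `ssh_host_rsa_key` instead of `ssh_host_rsa_key.pub`: the private key would be copied into the container and concatenated into `authorized_keys`, where sshd ignores the unparseable lines but the key material now sits in a 0600 file owned by uid 10000. A cheap guard before the copy is `ExecStartPre=/bin/sh -c '! grep -q "PRIVATE KEY" /%I'`, or require the first field of the file to be a known key type. Separately, `ConditionFileNotEmpty=/%I` makes a missing or empty key file skip the unit silently rather than fail it; `AssertFileNotEmpty=/%I` would make that loud, which seems preferable for a unit whose only job is to grant access. The hunk spans the whole file, so there is no surrounding context left to check.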