Thus said Stephan Beal on Sun, 11 Aug 2013 15:26:50 +0200:

> One of  the devs (Andy?)  has been  working on integrating  ssh forced
> commands  with  fossil  so  that  ssh  connections  can  use  fossil's
> authentication. i'm not sure what the status of that is, but from what
> i've read it sounds like a promising solution.

Most of the foundational work is  pretty much done. The biggest part was
simply removing fossil's dependency on whatever shell might exist in the
SSH account.

Now it's simply a  matter of figuring out when, and  when not, to prompt
for a  Fossil account, and  consequently, when to  send and when  not to
send login credentials.  And finally how much of that  should be exposed
in the global config database.

I could use some feedback for the latter, but it might require a lengthy
discussion  of the  cases  in  which the  different  behaviors might  be
desirable. :-)

[lengthy discussion follows]

The latest is here:

http://www.fossil-scm.org/index.html/timeline?r=ssh-test-http

Basically it restores  the original test-http interface (for the  1 to 1
case) which will not prompt you  for a Fossil username/password and uses
test-http on the remote side to provide localauth:

fossil clone ssh://amb@remote//tmp/proj.fossil clone.fossil


It retains all the new functionality which allows the user to use Fossil
credentials with SSH  by calling ``fossil http'' as  the remote command.
Cases in which it will prompt for password:

# will prompt for Fossil user amb and login with SSH user amb:
fossil clone -h on ssh://amb@remote//tmp/proj.fossil clone.fossil

# will prompt for Fossil user otheruser but login to SSH user amb:
fossil clone -h on -l otheruser ssh://amb@remote//tmp/proj.fossil clone.fossil

# will prompt for Fossil user otheruser but login to SSH using local USER
fossil clone -h on -l otheruser ssh://remote//tmp/proj.fossil clone.fossil


The username specified with -l can currently be set in the global config
and leads to the following behaviors:

# set global ssh-fossil-user
fossil settings ssh-fossil-user otheruser

# will prompt for Fossil user otheruser but login to SSH user amb:
fossil clone -h on ssh://amb@remote//tmp/proj.fossil clone.fossil

# will prompt for Fossil user otheruser but login to SSH using local USER
fossil clone -h on ssh://remote//tmp/proj.fossil clone.fossil

All of the above  work well both with and without SSH  keys (and in some
cases SSH keys that force a command) because the SSH user is the same as
the remote SSH user.


In the case where the remote SSH account requires SSH keys, and a forced
command that implements REMOTE_USER  authentication (because we identify
the Fossil user by  their key), I suppose I could  trick Fossil into not
prompting using  -h off. Then  the fossil  client will think  it's doing
``fossil test-http''  on the remote  connection, even though  the remote
side  will really do  something like ``fossil  http /repos''  and set up
REMOTE_USER.

# will *correctly* not prompt for any Fossil remote user
fossil clone -h off ssh://fossil@remote//tmp/proj.fossil clone.fossil

Maybe this latter is the best way to  deal with this case? If so, then I
think it's mostly ready (just need some testers other than myself).

Andy
--
TAI64 timestamp: 400000005207aacb
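
Added example, not part of the original message and not Fossil project code: a minimal sketch of the remote side of the last case above, where a forced command picks the Fossil user from the SSH key and runs ``fossil http /repos'' with REMOTE_USER set. The wrapper name and path, the authorized_keys entry, and the user name are hypothetical.

```shell
#!/bin/sh
# fossil-forced: hypothetical forced-command wrapper (added example).
#
# Constructed ~fossil/.ssh/authorized_keys entry, one line per developer key;
# the key blob is a placeholder:
#   restrict,command="/usr/local/bin/fossil-forced alice" ssh-ed25519 AAAA...PLACEHOLDER alice
#
# sshd runs this wrapper whatever the client asked for. The client's request
# stays in SSH_ORIGINAL_COMMAND and is deliberately never evaluated here.

REPO_ROOT=/repos    # repository path, as in "fossil http /repos" in the message
FOSSIL_BIN=fossil   # assumption: on PATH; pin an absolute path in deployment

# Print the Fossil user bound to this key, or fail if the name is not a
# plain login. The name comes from authorized_keys, never from the client.
fossil_user_for_key() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Export REMOTE_USER for the key's owner and hand the connection to fossil.
serve() {
    user=$(fossil_user_for_key "$1") || {
        echo "fossil-forced: refusing invalid user name" >&2
        return 1
    }
    REMOTE_USER=$user
    export REMOTE_USER
    exec "$FOSSIL_BIN" http "$REPO_ROOT"
}

# Only act when installed under its own name, so the file can be sourced.
case "${0##*/}" in
    fossil-forced) serve "$@" ;;
esac
```

Fossil's remote_user_ok setting governs whether REMOTE_USER is trusted, so check it on the served repositories before relying on this wrapper.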