Hi John,
On Tue, Jun 16, 2009 at 10:49 PM, John Koleszar<[email protected]> wrote:
>
> Hi,
>
> I'm considering setting up Gitorious at work, but I don't want to use
> public key authentication. We already have centralized user management
> and authentication through LDAP and Kerberos, and using a shared user
> and public keys wouldn't go over well with our IT group (there's no way
> to enforce non-empty passphrases or that passphrases are strong or
> rotated regularly, for example)
>
> In principle, this seems like it should be reasonably easy -- basically
> just set the users' shell to be the gitorious wrapper that is normally
> invoked by ssh. Probably need to wrap the wrapper to pass the userid on
> the gitorious command line and chdir to the repository directory. I
> haven't looked at what is actually written to the authorized_keys file.
The gitorious script (the one in script/gitorious, which does the auth
checking) is invoked from the authorized_keys file using the command
straining feature of the sshd. Basically the key is written as:
    command="gitorious johan",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <base64key>
which invokes the gitorious script with the associated user as an
argument ("johan" in this case). I'm not too well known in the world
of LDAP+SSH authentication, but could something similar be done there?
JS
>
> Obviously this wouldn't affect the webapp side, and that would have its
> own authentication realm, unless I can hack the rails app to add LDAP
> authn, but I don't speak Ruby atm. This split-authn situation would be
> ok for now.
>
> My question is, what else do I have to look out for? Gitorious has
> enough dependencies that I don't want to get started on hacking this
> together without a better idea of what lies ahead.
>
> Thanks,
>
> John
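An added example, not part of the original message and not Gitorious code: a Python check that every key in the shared user's authorized_keys file is pinned to a forced command of the form quoted above and carries the same four restrictions. The sample file, its key blobs and the user "alice" are constructed for illustration.

```python
import re

# Restrictions that accompany command="..." in the key line quoted above.
REQUIRED = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

# Constructed sample file; key blobs and the user "alice" are placeholders.
SAMPLE = """\
# authorized_keys of the shared git user
command="gitorious johan",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAconstructed1 johan
command="gitorious alice",no-pty ssh-rsa AAAAconstructed2 alice
ssh-rsa AAAAconstructed3 stray-key
"""

def parse_line(line):
    """Return the options of one key line as a dict, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}
    in_quotes, i = False, 0
    while i < len(line):  # options end at the first whitespace outside quotes
        if in_quotes and line.startswith('\\"', i):
            i += 2
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i].isspace() and not in_quotes:
            break
        i += 1
    pattern = r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, line[:i])}

def audit(text, script="gitorious"):
    """List (line number, problem) for keys not pinned to `script <user>`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        opts = parse_line(raw)
        if opts is None:
            continue
        argv = (opts.get("command") or "").split()
        if len(argv) != 2 or argv[0] != script:
            findings.append((n, "not pinned to '%s <user>'" % script))
        missing = sorted(REQUIRED - set(opts))
        if missing and "restrict" not in opts:  # OpenSSH 'restrict' implies these
            findings.append((n, "missing " + ",".join(missing)))
    return findings

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print("line %d: %s" % (n, problem))
```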