author | Guilhem Moulin <guilhem@libreoffice.org> | 2020-01-15 06:00:36 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@libreoffice.org> | 2020-01-16 00:01:03 +0100 |
commit | 1e6428deed42a1ede1d5adbef5676438e6e9e898 (patch) | |
tree | 51a7f9c119c0b730c3fdfae0860aa5cbfe58dfcf /logerrit | |
parent | 9276b117355c098bdfbe3cfa207aca869bf4bd01 (diff) |
logerrit setup: refactor key-based SSH handling
* Don't select existing ~/.ssh/id_dsa.pub. Since 7.0 (released
2015-08-11) OpenSSH servers won't accept DSA user keys anyway, so
users have likely rotated their legacy key material by now.
* The pubkey to copy into gerrit is derived from the first existing file
among ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/id_rsa. These
algorithms are ordered as found in PubkeyAcceptedKeyTypes' default
value as of OpenSSH 8.1. (EC keys are only supported since Gerrit
1.14.) Generate an RSA key when ~/.ssh doesn't exist, as before,
since it's still the default in ssh-keygen(1) from OpenSSH 8.1.
* In the ssh_config(5) stanza, only include the IdentityFile when
the private key file exists. The private key material might reside
somewhere else, for instance in a smartcard or in an external agent's
key store; in both cases the ssh client can authenticate the user
without direct access to the key material. While it's possible to
set IdentityFile to a pubkey (with IdentitiesOnly={yes,no}) it's not
documented and thus shouldn't be used.
Change-Id: Id73a2798747ce5c394b0cf2d0dc40107a1f2c599
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86858
Reviewed-by: Guilhem Moulin <guilhem@libreoffice.org>
Tested-by: Guilhem Moulin <guilhem@libreoffice.org>
Diffstat (limited to 'logerrit')
-rwxr-xr-x | logerrit | 61 |
1 files changed, 33 insertions, 28 deletions
@@ -27,7 +27,9 @@ submit() { logerrit() { echo "Host logerrit gerrit.libreoffice.org" - echo " IdentityFile ~/.ssh/id_rsa" + if test -n "${2-}" && test -f "$HOME/.ssh/id_$2"; then + echo " IdentityFile ~/.ssh/id_$2" + fi echo " User $1" echo " Port 29418" echo " HostName gerrit.libreoffice.org" @@ -82,25 +84,28 @@ case "$1" in echo "Hit enter to generate an ssh key - you will need to enter a pass-phrase" echo read - ssh-keygen -t rsa -f "$ssh_home/id_rsa" - fi - if test -d $ssh_home; then - if test -f "$ssh_home/id_rsa.pub"; then - ssh_key=$(cat $ssh_home/id_rsa.pub); - elif test -f "$ssh_home/id_dsa.pub"; then - ssh_key=$(cat $ssh_home/id_dsa.pub); - fi + ssh-keygen -t rsa -f "$ssh_home/id_rsa" # default type as of OpenSSH 8.1 fi - echo "Please go to https://gerrit.libreoffice.org/ and:" - echo "- press the 'register' button in the top right corner" - echo "- after login set yourself a username (it is recommended to use your IRC-nick)" - if test "z$ssh_key" = "z"; then - echo "- add your public ssh-key into the ssh keys settings." - else - echo "- paste the key below into the 'Add SSH Public Key' box." - echo - echo "$ssh_key" - echo + if test -d "$ssh_home"; then + # order algos based on the PubkeyAcceptedKeyTypes option from OpenSSH 8.1 + for ssh_key_type in ecdsa ed25519 rsa; do + pk="$ssh_home/id_${ssh_key_type}.pub" + ssh_key="" + if test -f "$pk" && ssh_key="$(< "$pk")" && test -n "$ssh_key"; then + break + fi + done + fi + echo "Please go to https://gerrit.libreoffice.org/ and:" + echo " - press the 'register' button in the top right corner" + echo " - after login set yourself a username (it is recommended to use your IRC-nick)" + if test -z "$ssh_key"; then + echo " - add your public ssh-key into the ssh keys settings." + else + echo " - paste the key below into the 'Add SSH Public Key' box." + echo + printf '%s\n' "$ssh_key" + echo fi echo echo "Note that you need to register additional email addresses, if you want to" 
@@ -108,15 +113,15 @@ case "$1" in echo "invitation mail it sends you." echo read -p 'Which user name did you choose? ' GERRITUSER - if test "z$created_ssh" = "z"; then - echo - echo "Please now add the following to your ~/.ssh/config, creating the file if needed:" - echo - logerrit $GERRITUSER - echo - else - echo "Automatically creating your ssh config" - (logerrit $GERRITUSER) > "$ssh_home/config" + if test -z "$created_ssh"; then + echo + echo "Please now add the following to your ~/.ssh/config, creating the file if needed:" + echo + logerrit "$GERRITUSER" ${ssh_key:+"$ssh_key_type"} + echo + else + echo "Automatically creating your ssh config" + logerrit "$GERRITUSER" ${ssh_key:+"$ssh_key_type"} >"$ssh_home/config" fi # setup the remote properly ... git config remote.origin.pushurl ssh://logerrit/core |
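Review bot: In the first hunk (logerrit(), @@ -27,7 +27,9 @@) the existence test uses "$HOME/.ssh/id_$2", while the setup code that selects the key type works from "$ssh_home". If the two ever point at different directories, the key type chosen during setup will silently produce no IdentityFile line. Consider testing "$ssh_home/id_$2" (or passing the directory in), and add a short comment above logerrit() documenting the new optional second argument: a key type suffix, omitted when no private key file should be referenced.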
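Review bot: In the second hunk (@@ -82,25 +84,28 @@) ssh_key and ssh_key_type are assigned only inside the for loop guarded by `test -d "$ssh_home"`, yet `test -z "$ssh_key"` runs unconditionally afterwards. Initialise both to empty before the `if test -d` so the later tests do not depend on what the caller's environment happens to contain. Also note that `ssh_key="$(< "$pk")"` is not POSIX sh, unlike the `$(cat ...)` it replaces; that is fine if the script is bash-only, but worth a comment or a revert to cat otherwise.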
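Review bot: In the third hunk (@@ -108,15 +113,15 @@) GERRITUSER is taken from `read -p` without -r and without any validation, and logerrit() writes it verbatim into the `User` line that is redirected to "$ssh_home/config". Use `read -r` and reject an empty value or one containing whitespace before generating the stanza. The unquoted `${ssh_key:+"$ssh_key_type"}` is correct as written (it expands to zero words when no key was found), but a one-line comment saying so would keep someone from "fixing" the quoting later.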