blob: 352d22ea3ee0805509b60b369e03a590723c88c4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
#!/usr/bin/env zsh
# example ssh force command. Use this for ssh keys which you only want to use
# for caretaker.
# Example .ssh/authorized_keys line:
# no-pty,no-port-forwarding,command=".../caretaker-ssh-command" ssh-rsa ...
#
# This _should_ restrict all ssh operations to the git/pkglist commands
# required by caretaker. However, be warned that I am no security expert, so
# there might be flaws in here. Use at own risk.
# Change this to reflect your settings
PKG_PROTO='ssh'
PKG_UAH='derf@pkgroot.finalrewind.org'
PKG_PATH='/home/derf/var/packages_root'
PKG_PORT='2222'
# Change this to the location of your pkglist script (if non-default)
PKG_LIST=${PKG_PATH}/pkglist
args=(${(z)SSH_ORIGINAL_COMMAND})
# Note: This check accepts connections on ports 22 (standard, PKG_PORT unset)
# and 2222 (non-standard, PKG_PORT set). You can remove the second block if you
# only use port 22.
if [[ \
( \
${args[1]} == "PKG_PATH=\"${PKG_PATH}\"" && \
${args[2]} == "PKG_UAH=\"${PKG_UAH}\"" && \
${args[3]} == "PKG_PROTO=\"${PKG_PROTO}\"" && \
${args[4]} == ${PKG_LIST} && \
${#args} == 4 \
) || ( \
${args[1]} == "PKG_PATH=\"${PKG_PATH}\"" && \
${args[2]} == "PKG_UAH=\"${PKG_UAH}\"" && \
${args[3]} == "PKG_PORT=\"${PKG_PORT}\"" && \
${args[4]} == "PKG_PROTO=\"${PKG_PROTO}\"" && \
${args[5]} == ${PKG_LIST} && \
${#args} == 5 \
) || ( \
${args[1]} == 'git-'(upload|receive)'-pack' && \
${args[2]} != *'../'* && \
${args[2]} == \'${PKG_ROOT}/*\' && \
${#args} == 2 \
) ]] \
{
if [[ ${#args} == 2 ]] {
args[2]=${args[2]//\'}
${args}
} else {
eval ${args}
}
}
|
