SSH push/pull


Matt Zuba

Dec 14, 2011, 1:26:44 PM
to rhod...@googlegroups.com
I've created a script to handle accessing RhodeCode via SSH and would like to know if there are any volunteers that would like to play with it and test it out.

Some key features:
Admins can access the console as normal if needed (ssh hg@server) or via hg (hg clone ssh://hg@server/repo)
Verifies the user is still active/valid and they have permission to perform the action they are attempting to do.

The authorized_keys file needs to be manually modified for the time being.  I haven't yet had time to create an interface from within RhodeCode to allow users to add their own keys yet (like BitBucket).

I'll be getting the code up on BitBucket shortly.

Marcin Kuzminski

Dec 14, 2011, 9:17:19 PM
to rhod...@googlegroups.com
Sounds very cool, it could be a major step for rhodecode having this, and a nice replacement/alternative for hg-server

Matt Zuba

Dec 15, 2011, 1:07:02 AM
to rhod...@googlegroups.com
So I ran into an issue with trying to use hooks to verify a push/pull authorization and found that the pulllog hook runs before the hook to verify if a user can even pull, so it pollutes the journal with incorrect data.  I'm going to rework the code to not use hooks and just check for the raw commands being sent over SSH.  Once I get that working, I'll post the code. :(

Matt Zuba

Dec 16, 2011, 6:11:17 PM
to rhod...@googlegroups.com
Here we go... pushed the library code into my fork of RhodeCode...


To use:

Plop the code below into some file (let's call it 'rhodecode_ssh').  Edit the config path and shebang path based on your environment.  Make the file executable (chmod +x rhodecode_ssh).  Then add the following before a public key in authorized_keys (changing [username] to that of the rhodecode user).  You can also add (symlink or otherwise) rhodecode_ssh to a directory on your system PATH (maybe /usr/local/bin) and then use only the script name instead of the whole path in the command line below:
command="/path/to/rhodecode_ssh [username]",no-port-forwarding,no-X11-forwarding,no-agent-forwarding

 
Code:
#!/path/to/python/exe/that/runs/rhodecode
# -*- coding: utf-8 -*-
import logging
from paste.deploy import appconfig
from rhodecode.config.environment import load_environment
from rhodecode.lib.ssh import SecureShell
from rhodecode.model import init_model
from sqlalchemy import engine_from_config

if __name__ == "__main__":
    # Only log critical errors
    logging.basicConfig(level=logging.CRITICAL,
                        format="%(asctime)s %(levelname)-5.5s %(message)s")
    # Load the environment for RhodeCode so we can utilize its database
    conf = appconfig('config:/path/to/production.ini')
    config = load_environment(conf.global_conf, conf.local_conf)
    engine = engine_from_config(conf, 'sqlalchemy.db1.')
    init_model(engine)
    # SecureShell (from the fork) handles the SSH session: the username comes
    # from the authorized_keys command= option, the hg command from sshd
    shell = SecureShell(config)
    shell.serve()
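To make the forced-command mechanism above concrete, here is an added example of what a wrapper like this has to do once sshd invokes it; it is illustrative code written for this thread, not Matt's SecureShell or any RhodeCode code. The username arrives as the script's only argument (from the command= option), the hg or git command the client actually sent arrives in SSH_ORIGINAL_COMMAND, and the user, permission tables and REPO_ROOT are constructed stand-ins for what the fork reads from the RhodeCode database. It also shows the limit the thread runs into: git tells you read versus write from the command name, but "hg serve --stdio" carries both pull and push, so the wrapper can only check read access at admission and pushes have to be refused inside the session.

```python
#!/usr/bin/env python3
# Hypothetical forced-command wrapper (not Matt Zuba's SecureShell). sshd runs
# it in place of a login shell because authorized_keys carries
#   command="/path/to/rhodecode_ssh <username>",no-port-forwarding,...
# and the hg/git command the client really asked for arrives in
# $SSH_ORIGINAL_COMMAND. All tables below are constructed stand-ins.
import os
import re
import shlex
import subprocess
import sys

REPO_ROOT = "/srv/repos"    # assumed location of the repositories on disk
ADMINS = {"alice"}          # users who may also open an interactive console

# Constructed stand-in for RhodeCode's user and permission tables.
ACTIVE_USERS = {"alice": True, "bob": True, "carol": False}
PERMISSIONS = {             # repo -> {username: "read" | "write"}
    "project-a": {"alice": "write", "bob": "read"},
    "project-b": {"alice": "read"},
}

# Each path component must start with an alphanumeric, so '..' and absolute
# paths can never pass and the repository stays below REPO_ROOT.
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9][\w.-]*(/[A-Za-z0-9][\w.-]*)*$")


def parse_vcs_command(command):
    """Recognise the hg/git server commands; return (vcs, repo, action) or None.

    git-upload-pack serves clone/pull ('read'), git-receive-pack serves push
    ('write'). 'hg serve --stdio' carries both pull and push over one command,
    so admission can only check read access here; a push over hg has to be
    refused inside the session (a hook, or a filter on the wire protocol),
    which is exactly the problem the thread discusses.
    """
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if len(argv) == 2 and argv[0] in ("git-upload-pack", "git-receive-pack"):
        action = "read" if argv[0] == "git-upload-pack" else "write"
        return ("git", argv[1].strip("/"), action)
    if len(argv) == 3 and argv[0] == "git" and argv[1] in ("upload-pack", "receive-pack"):
        action = "read" if argv[1] == "upload-pack" else "write"
        return ("git", argv[2].strip("/"), action)
    if len(argv) == 5 and argv[0] == "hg" and argv[1] == "-R" \
            and argv[3:] == ["serve", "--stdio"]:
        return ("hg", argv[2].strip("/"), "read")
    return None


def authorize(username, command):
    """Decide whether username may run command; returns (allowed, reason)."""
    if not ACTIVE_USERS.get(username, False):
        return False, "user %s is not active" % username
    parsed = parse_vcs_command(command)
    if parsed is None:
        return False, "command is not an hg/git server command"
    vcs, repo, action = parsed
    if not REPO_NAME_RE.match(repo):
        return False, "invalid repository name"
    level = PERMISSIONS.get(repo, {}).get(username)
    if level is None:
        return False, "no access to %s" % repo
    if action == "write" and level != "write":
        return False, "read-only access to %s" % repo
    return True, "%s %s %s" % (vcs, action, repo)


def build_argv(vcs, repo, action):
    """The exact argv to execute: a list, never re-joined into a shell string."""
    path = os.path.join(REPO_ROOT, repo)
    if vcs == "git":
        return ["git-upload-pack" if action == "read" else "git-receive-pack", path]
    return ["hg", "-R", path, "serve", "--stdio"]


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: rhodecode_ssh <username>\n")
        return 2
    username = argv[1]
    command = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not command:                             # plain 'ssh hg@server'
        if username in ADMINS:
            os.execv("/bin/sh", ["sh", "-l"])   # admin console, as in the thread
        sys.stderr.write("interactive login is not permitted for %s\n" % username)
        return 1
    allowed, reason = authorize(username, command)
    sys.stderr.write("rhodecode_ssh: %s: %s\n" % (username, reason))  # audit line
    if not allowed:
        return 1
    vcs, repo, action = parse_vcs_command(command)
    return subprocess.call(build_argv(vcs, repo, action))


if __name__ == "__main__":
    sys.exit(main())
```

The command is executed from a list built by the wrapper itself, not by handing SSH_ORIGINAL_COMMAND to a shell, so quoting tricks in the client's request never reach a shell; anything that is not one of the recognised server commands is simply refused and logged.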

Marcin Kuzminski

Jan 9, 2012, 10:37:38 AM
to rhod...@googlegroups.com
Hi Matt.

This sounds great, how is it getting along?

Matt Zuba

Jan 9, 2012, 11:18:32 AM
to rhod...@googlegroups.com
I haven't made much more progress.  I'm thinking I'm going to revert back to a hook based process if I can reorder the hooks in my code to force the auth hook first.  I think it's much cleaner to use the hooks than to intercept the raw wire commands.  However the current implementation is working well on my production machine (I think I needed a minor change because I coded it against 1.3, but we're running 1.2.3).

I still need to work on an admin interface for all of this though.

Bogdan Kulbida

Apr 2, 2013, 4:33:40 AM
to rhod...@googlegroups.com
Hi Matt
We would love such an opportunity to have an admin UI to add SSH keys. It is revolutionary to have this feature. If you implement it, RhodeCode will be a real competitor for systems like BitBucket. Our group of developers loves RhodeCode. Looking forward to hearing from you soon about any progress on that. Thanks.

On Monday, January 9, 2012, 18:18:32 UTC+2, user Matt Zuba wrote:

Marcelo Bissaro

Apr 2, 2013, 10:35:58 AM
to rhod...@googlegroups.com

Just adding a thumbs up! I would love this feature too.

Actually, we have some scripts that need to download the code from a remote repository, and we are doing it using git clone ssh://path.to.repo instead of https. With this, we can configure public RSA keys between the servers, and everything works without the password prompt.

But with this approach, we bypass the RhodeCode permissions schema (users, groups, etc.).

We can make it work using ~/.netrc with 700 permissions as well, but as it requires the password to be placed in this file as plain text, we decided not to use it.

Adding RSA public keys in the RhodeCode interface will be the most elegant solution ever!

Marcelo



--
You received this message because you are subscribed to the Google Groups "rhodecode" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rhodecode+...@googlegroups.com.
To post to this group, send email to rhod...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Marcin Kuźmiński

Apr 2, 2013, 10:58:48 AM
to rhod...@googlegroups.com

Just FYI, there's another person working on an SSH wrapper for RhodeCode; I'll update this topic when I have more info.

Stephan Jauernick

Apr 4, 2013, 4:27:35 AM
to rhod...@googlegroups.com, mar...@python-works.com
Hi,

Due to private needs I am working on an SSH wrapper, supporting hg/git, for RhodeCode; it supports the RhodeCode permission system by intercepting the RAW commands from SSH.

This currently works via an API request. My next step is to implement the get_repo API call to check if the repo is actually accessible with the calling VCS and if locking needs to be handled. Also I need to do some code cleaning.

I looked at your code Matt and I think it's a nice approach over using the API; I'll see if I can adapt it easily!

My code is in my own RhodeCode instance over at http://vcs.stejau.de/stephan/rhodecode-ssh.

Feel free to comment on it!

Future plans feature an integration into the RhodeCode UI (repo- and user-based ro/rw keys)!

Kind Regards,
Stephan Jauernick

Matt Zuba

Apr 4, 2013, 4:19:44 PM
to rhod...@googlegroups.com
The main thing that I needed to keep in mind when writing my SSH wrapper was the need to SSH into the account that also hosted the mercurial repositories (i.e. like Bitbucket, every repo goes through the 'hg' user, and the SSH key determines the user on the back end).  The SSH wrapper I wrote handles the ability to SSH in as if it was a normal SSH login, in addition to also sending mercurial commands via SSH.  Sorry I haven't been able to contribute more to this, I was hoping to get more done during my work day but we've had a lot of projects ongoing and I'm the only one that uses SSH anyway, all of the other devs just use their RhodeCode logins (which is hooked to LDAP).


Илья Беда

May 10, 2013, 12:47:16 PM
to rhod...@googlegroups.com
Hello.
I have done a lot of work on SSH integration.
Now I have:
  1. Database models for RSA keys
  2. UI for RSA key add
  3. Auth backend for git and mercurial
  4. SSH wrapper based on Matt Zuba's code
I have some problems in setting up the .ssh/authorized_keys handler.
Now I do it manually, but I want to do it automatically.
If someone could test my code, it would be great.
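The step Илья describes as still manual, turning keys stored in the database into authorized_keys entries, is where a key-management UI has to be careful, because the file format mixes options and key data on one line. The following is an added example, not code from Илья's branch or from RhodeCode, of how such a handler can validate each stored key before writing it; the WRAPPER path, the option list (taken from Matt's instructions earlier in the thread) and the sample key rows are assumptions, and the sample keys are constructed to be format-valid rather than real keys.

```python
#!/usr/bin/env python3
# Hypothetical authorized_keys renderer for keys stored by RhodeCode (example
# code, not from the thread's branches). Every stored key is validated before
# it is written, so a key submitted through a UI form cannot smuggle in extra
# lines or its own options, and each key maps to exactly one user.
import base64
import hashlib
import re
import struct

WRAPPER = "/usr/local/bin/rhodecode_ssh"   # assumed install path of the wrapper
OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
ALLOWED_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def parse_public_key(text):
    """Validate one OpenSSH public key; return (type, base64, comment, fingerprint).

    Raises ValueError on anything that is not exactly '<type> <base64> [comment]'
    on a single line with a blob whose embedded type matches the declared one.
    """
    if "\n" in text or "\r" in text:
        raise ValueError("key must be a single line")
    parts = text.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:          # also rejects a pasted options prefix
        raise ValueError("unsupported key type %s" % ktype)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        raise ValueError("key body is not valid base64")
    # OpenSSH blobs start with a length-prefixed string naming the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key blob does not match declared type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return ktype, b64, comment, "SHA256:" + digest.rstrip("=")


def is_valid_public_key(text):
    try:
        parse_public_key(text)
        return True
    except ValueError:
        return False


def authorized_keys_line(username, key_text):
    """One authorized_keys entry: the forced command binds the key to the user."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username %r" % username)
    ktype, b64, comment, _ = parse_public_key(key_text)
    prefix = 'command="%s %s",%s' % (WRAPPER, username, OPTIONS)
    return " ".join(p for p in (prefix, ktype, b64, comment) if p)


def render_authorized_keys(keys):
    """Render (username, key_text) pairs. A key registered twice is an error:
    sshd uses the first matching line, so the second user would silently act
    as the first."""
    owner = {}
    lines = []
    for username, key_text in keys:
        fingerprint = parse_public_key(key_text)[3]
        if fingerprint in owner:
            raise ValueError("%s is already registered to %s" % (fingerprint, owner[fingerprint]))
        owner[fingerprint] = username
        lines.append(authorized_keys_line(username, key_text))
    return "".join(line + "\n" for line in lines)


def _constructed_key(ktype, key_bytes, comment):
    """Build a format-valid key line from constructed bytes (not a usable key)."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode("ascii")
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample input standing in for rows from the RSA-key table.
SAMPLE_KEYS = [
    ("alice", _constructed_key("ssh-ed25519", bytes(range(32)), "alice@laptop")),
    ("bob", _constructed_key("ssh-ed25519", bytes(range(32, 64)), "bob@desktop")),
]

if __name__ == "__main__":
    print(render_authorized_keys(SAMPLE_KEYS), end="")
```

Writing the whole file from the database on every change (rather than appending) keeps the file and the UI in agreement, and the fingerprint check doubles as the lookup you need when a user wants to see or revoke a key.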

Marcin Kuzminski

May 12, 2013, 7:13:56 PM
to rhod...@googlegroups.com
Great work!

One thing worries me: it's 600 changesets behind the original repo. Any chance this could be rebased on top of the current beta branch (more specifically the dev bookmark)?

Marcin Kuzminski
