Setting to disable authorized_keys backup (#1856)
* Add setting to disable authorized_keys backup when rewriting public keys Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Update default value to comply with documentation Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Use tmp-file instead of bak-file for saving manually added keys. Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change casing Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change casing and build bakpath with sprintf only Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Only close file once Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Do not modify calcFingerprint Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Fix casing Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change style from disable to enable Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change name, just SSH_BACKUP_AUTHORIZED_KEYS Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Do not check for directory existence if backup is disabled Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
parent
a037cd81ff
commit
79daf31058
3 changed files with 35 additions and 31 deletions
conf/app.ini
vendored
|
@ -124,6 +124,8 @@ SSH_ROOT_PATH =
|
||||||
SSH_KEY_TEST_PATH =
|
SSH_KEY_TEST_PATH =
|
||||||
; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
|
; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
|
||||||
SSH_KEYGEN_PATH = ssh-keygen
|
SSH_KEYGEN_PATH = ssh-keygen
|
||||||
|
; Enable SSH Authorized Key Backup when rewriting all keys, default is true
|
||||||
|
SSH_BACKUP_AUTHORIZED_KEYS = true
|
||||||
; Indicate whether to check minimum key size with corresponding type
|
; Indicate whether to check minimum key size with corresponding type
|
||||||
MINIMUM_KEY_SIZE_CHECK = false
|
MINIMUM_KEY_SIZE_CHECK = false
|
||||||
; Disable CDN even in "prod" mode
|
; Disable CDN even in "prod" mode
|
||||||
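Review bot: The key documented here, `SSH_BACKUP_AUTHORIZED_KEYS = true`, is not the key the Go side reads: the struct tag in the `@ -87` hunk and the `sec.Key(...)` call in the `@ -704` hunk both spell it `SSH_AUTHORIZED_KEYS_BACKUP`. An administrator who sets the documented key to `false` to disable backups still gets backups, because the key the code actually looks up is absent and falls back to `MustBool(true)`. The commit description names `SSH_BACKUP_AUTHORIZED_KEYS` as the intended name, so the Go side is the one to align: change the tag to `ini:"SSH_BACKUP_AUTHORIZED_KEYS"` and the read to `SSH.AuthorizedKeysBackup = sec.Key("SSH_BACKUP_AUTHORIZED_KEYS").MustBool(true)`. A test that loads a config with the documented key set to `false` and asserts the field would have caught this.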
|
|
|
@ -324,8 +324,8 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
|
||||||
sshOpLocker.Lock()
|
sshOpLocker.Lock()
|
||||||
defer sshOpLocker.Unlock()
|
defer sshOpLocker.Unlock()
|
||||||
|
|
||||||
fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
|
fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
|
||||||
f, err := os.OpenFile(fpath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
|
f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -558,53 +558,53 @@ func RewriteAllPublicKeys() error {
|
||||||
sshOpLocker.Lock()
|
sshOpLocker.Lock()
|
||||||
defer sshOpLocker.Unlock()
|
defer sshOpLocker.Unlock()
|
||||||
|
|
||||||
fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
|
fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
|
||||||
tmpPath := fpath + ".tmp"
|
tmpPath := fPath + ".tmp"
|
||||||
f, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
|
t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
f.Close()
|
t.Close()
|
||||||
os.Remove(tmpPath)
|
os.Remove(tmpPath)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
if setting.SSH.AuthorizedKeysBackup && com.IsExist(fPath) {
|
||||||
|
bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
|
||||||
|
if err = com.Copy(fPath, bakPath); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
err = x.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) {
|
err = x.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) {
|
||||||
_, err = f.WriteString((bean.(*PublicKey)).AuthorizedString())
|
_, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
|
||||||
return err
|
return err
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if com.IsExist(fpath) {
|
if com.IsExist(fPath) {
|
||||||
bakPath := fpath + fmt.Sprintf("_%d.gitea_bak", time.Now().Unix())
|
f, err := os.Open(fPath)
|
||||||
if err = com.Copy(fpath, bakPath); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
p, err := os.Open(bakPath)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer p.Close()
|
scanner := bufio.NewScanner(f)
|
||||||
|
|
||||||
scanner := bufio.NewScanner(p)
|
|
||||||
for scanner.Scan() {
|
for scanner.Scan() {
|
||||||
line := scanner.Text()
|
line := scanner.Text()
|
||||||
if strings.HasPrefix(line, tplCommentPrefix) {
|
if strings.HasPrefix(line, tplCommentPrefix) {
|
||||||
scanner.Scan()
|
scanner.Scan()
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
_, err = f.WriteString(line + "\n")
|
_, err = t.WriteString(line + "\n")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
defer f.Close()
|
||||||
}
|
}
|
||||||
|
|
||||||
f.Close()
|
if err = os.Rename(tmpPath, fPath); err != nil {
|
||||||
if err = os.Rename(tmpPath, fpath); err != nil {
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
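Review bot: In the `@ -558` hunk, `defer f.Close()` is registered only after the scanner loop, so the `return err` on a failed `t.WriteString` inside that loop leaves the descriptor opened by `os.Open(fPath)` unclosed; move it to directly after that open's error check, i.e. `defer f.Close()` immediately after the `}` following `f, err := os.Open(fPath)`. The loop also never consults `scanner.Err()`: a read error or an over-long line ends the loop silently, and the rename that follows then publishes an `authorized_keys` missing the remaining manually added keys — `if err := scanner.Err(); err != nil { return err }` after the loop keeps the previous file in place instead. The explicit `f.Close()` that used to precede `os.Rename` is gone on the new side, so the temporary file is still open when it is renamed; that is fine on POSIX, but I would confirm it on Windows, where renaming an open file can fail. RewriteAllPublicKeys starts before the hunk and its closing lines are outside it.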
@ -87,17 +87,18 @@ var (
|
||||||
EnablePprof bool
|
EnablePprof bool
|
||||||
|
|
||||||
SSH = struct {
|
SSH = struct {
|
||||||
Disabled bool `ini:"DISABLE_SSH"`
|
Disabled bool `ini:"DISABLE_SSH"`
|
||||||
StartBuiltinServer bool `ini:"START_SSH_SERVER"`
|
StartBuiltinServer bool `ini:"START_SSH_SERVER"`
|
||||||
Domain string `ini:"SSH_DOMAIN"`
|
Domain string `ini:"SSH_DOMAIN"`
|
||||||
Port int `ini:"SSH_PORT"`
|
Port int `ini:"SSH_PORT"`
|
||||||
ListenHost string `ini:"SSH_LISTEN_HOST"`
|
ListenHost string `ini:"SSH_LISTEN_HOST"`
|
||||||
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
||||||
RootPath string `ini:"SSH_ROOT_PATH"`
|
RootPath string `ini:"SSH_ROOT_PATH"`
|
||||||
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
||||||
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
||||||
MinimumKeySizeCheck bool `ini:"-"`
|
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
|
||||||
MinimumKeySizes map[string]int `ini:"-"`
|
MinimumKeySizeCheck bool `ini:"-"`
|
||||||
|
MinimumKeySizes map[string]int `ini:"-"`
|
||||||
}{
|
}{
|
||||||
Disabled: false,
|
Disabled: false,
|
||||||
StartBuiltinServer: false,
|
StartBuiltinServer: false,
|
||||||
|
@ -703,6 +704,7 @@ func NewContext() {
|
||||||
SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
|
SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
|
||||||
|
|
||||||
if err = Cfg.Section("server").MapTo(&LFS); err != nil {
|
if err = Cfg.Section("server").MapTo(&LFS); err != nil {
|
||||||
log.Fatal(4, "Failed to map LFS settings: %v", err)
|
log.Fatal(4, "Failed to map LFS settings: %v", err)
|
||||||
|
|
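Review bot: `AuthorizedKeysBackup` in the `@ -87` hunk carries an `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` tag and is also assigned explicitly from `sec.Key(...).MustBool(true)` in the `@ -704` hunk, so the value is read twice and the tag only adds a second place where the key name must be kept in sync. The neighbouring fields that are filled in by hand, `MinimumKeySizeCheck` and `MinimumKeySizes`, use `ini:"-"` for exactly this reason; giving `AuthorizedKeysBackup` the same `ini:"-"` tag would match them and leave the explicit read as the single source of the `true` default. NewContext's body continues on both sides of the `@ -704` hunk.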