jw-pkg/scripts/ssh-wrapper.sh

#!/bin/bash

# JW_PKG_SSH_EXTRA_OPTS in the context of CI can contain "-l someuser".  For
# the ssh login to a remote ssh://otheruser@gitserver.com, this runs the ssh
# command "ssh -l someuser otheruser@gitserver.com".  Since with openssh, -l
# takes precedence of the @, ssh tries to authenticate as someuser against
# gitserver, and is rightly denied access.
#
# That case happens with the janware's pub remote, so the -l needs to be
# removed from JW_PKG_SSH_EXTRA_OPTS if a remote with a username@ prefix from
# the Git configuration hits this script, and that's what most of its logic
# does.

run_ssh()
{
	local has_user_at_host=0
	local arg
	for arg in "$@"; do
		case "$arg" in
			-*)
				;;
			?*@?*)
				has_user_at_host=1
				break
				;;
		esac
	done

	local -a extra_opts
	read -r -a extra_opts <<< "${JW_PKG_SSH_EXTRA_OPTS:-}"

	if (( has_user_at_host )); then
		local -a filtered_opts=()
		local skip_next=0
		local opt
		for opt in "${extra_opts[@]}"; do
			if (( skip_next )); then
				skip_next=0
				continue
			fi

			case "$opt" in
				-l)
					skip_next=1
					;;
				-l?*)
					;;
				*)
					filtered_opts+=("$opt")
					;;
			esac
		done

		extra_opts=("${filtered_opts[@]}")
	fi

	[[ "${JW_PKG_VERBOSE:-false}" = "true" ]] && set -x

	exec /usr/bin/ssh "${extra_opts[@]}" "$@"
}

run_ssh "$@"
projects-dir.mk: Remove "-l user" in ssh-wrapper.sh By the time projects-dir.mk is used during onboarding, it's already cloned, and so is jw-pkg in all its glory. So better use a ssh-wrapper.sh directly under jw-pkg's version control instead of plainly generating one with echo some-script-logic > ssh-wrapper.sh. This has the main benefit of allowing a more elaborate script. The one added by this commit removes "-l user" from remotes which have a standard-user@gitserver form, typically because they differentiate users via their SSH pubkeys only, and which would deny access if both -l user and standard-user@ were specified. ssh-wrapper.sh still needs to be a target which is updated by a recipe, because the version found in jw-pkg can't be trusted to be executable during bootstrapping, because "make all" has not run, yet. Signed-off-by: Jan Lindemann <jan@janware.com> 2026-06-07 11:36:02 +02:00			`#!/bin/bash`

			`# JW_PKG_SSH_EXTRA_OPTS in the context of CI can contain "-l someuser". For`
			`# the ssh login to a remote ssh://otheruser@gitserver.com, this runs the ssh`
			`# command "ssh -l someuser otheruser@gitserver.com". Since with openssh, -l`
			`# takes precedence of the @, ssh tries to authenticate as someuser against`
			`# gitserver, and is rightly denied access.`
			`#`
			`# That case happens with the janware's pub remote, so the -l needs to be`
			`# removed from JW_PKG_SSH_EXTRA_OPTS if a remote with a username@ prefix from`
			`# the Git configuration hits this script, and that's what most of its logic`
			`# does.`

			`run_ssh()`
			`{`
			`local has_user_at_host=0`
			`local arg`
			`for arg in "$@"; do`
			`case "$arg" in`
			`-*)`
			`;;`
			`?@?)`
			`has_user_at_host=1`
			`break`
			`;;`
			`esac`
			`done`

			`local -a extra_opts`
			`read -r -a extra_opts <<< "${JW_PKG_SSH_EXTRA_OPTS:-}"`

			`if (( has_user_at_host )); then`
			`local -a filtered_opts=()`
			`local skip_next=0`
			`local opt`
			`for opt in "${extra_opts[@]}"; do`
			`if (( skip_next )); then`
			`skip_next=0`
			`continue`
			`fi`

			`case "$opt" in`
			`-l)`
			`skip_next=1`
			`;;`
			`-l?*)`
			`;;`
			`*)`
			`filtered_opts+=("$opt")`
			`;;`
			`esac`
			`done`

			`extra_opts=("${filtered_opts[@]}")`
			`fi`

			`[[ "${JW_PKG_VERBOSE:-false}" = "true" ]] && set -x`

			`exec /usr/bin/ssh "${extra_opts[@]}" "$@"`
			`}`

			`run_ssh "$@"`