From ca72c212939a93fb042a7967e8a78d8edba43b24 Mon Sep 17 00:00:00 2001 From: Jan Lindemann Date: Sun, 7 Jun 2026 11:36:02 +0200 Subject: [PATCH] projects-dir.mk: Remove "-l user" in ssh-wrapper.sh By the time projects-dir.mk is used during onboarding, it's already cloned, and so is jw-pkg in all its glory. So better use a ssh-wrapper.sh directly under jw-pkg's version control instead of plainly generating one with echo some-script-logic > ssh-wrapper.sh. This has the main benefit of allowing a more elaborate script. The one added by this commit removes "-l user" from remotes which have a standard-user@gitserver form, typically because they differentiate users via their SSH pubkeys only, and which would deny access if both -l user and standard-user@ were specified. ssh-wrapper.sh still needs to be a target which is updated by a recipe, because the version found in jw-pkg can't be trusted to be executable during bootstrapping, because "make all" has not run, yet. Signed-off-by: Jan Lindemann --- make/projects-dir.mk | 4 +-- scripts/ssh-wrapper.sh | 62 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 2 deletions(-) create mode 100755 scripts/ssh-wrapper.sh diff --git a/make/projects-dir.mk b/make/projects-dir.mk index 683570b9..dc616693 100644 --- a/make/projects-dir.mk +++ b/make/projects-dir.mk @@ -397,8 +397,8 @@ git-commit: # --- rules -$(SSH_WRAPPER_SH): $(PROJECTS_MAKEFILE_NAME) - /bin/echo -e '#!/bin/bash $(SSH_WRAPPER_TRACE)\n\nexec /usr/bin/ssh $$JW_PKG_SSH_EXTRA_OPTS "$$@"' > $@.tmp +$(SSH_WRAPPER_SH): $(JWB_SCRIPT_DIR)/ssh-wrapper.sh + cp $< $@.tmp chmod 700 $@.tmp mv $@.tmp $@ ssh-wrapper: $(SSH_WRAPPER_SH) diff --git a/scripts/ssh-wrapper.sh b/scripts/ssh-wrapper.sh new file mode 100755 index 00000000..81ce686b --- /dev/null +++ b/scripts/ssh-wrapper.sh 
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# JW_PKG_SSH_EXTRA_OPTS in the context of CI can contain "-l someuser". For
+# the ssh login to a remote ssh://otheruser@gitserver.com, this runs the ssh
+# command "ssh -l someuser otheruser@gitserver.com". Since with openssh, -l
+# takes precedence of the @, ssh tries to authenticate as someuser against
+# gitserver, and is rightly denied access.
+#
+# That case happens with the janware's pub remote, so the -l needs to be
+# removed from JW_PKG_SSH_EXTRA_OPTS if a remote with a username@ prefix from
+# the Git configuration hits this script, and that's what most of its logic
+# does.
+
+run_ssh()
+{
+ local has_user_at_host=0
+ local arg
+ for arg in "$@"; do
+ case "$arg" in
+ -*)
+ ;;
+ ?*@?*)
+ has_user_at_host=1
+ break
+ ;;
+ esac
+ done
+
+ local -a extra_opts
+ read -r -a extra_opts <<< "${JW_PKG_SSH_EXTRA_OPTS:-}"
+
+ if (( has_user_at_host )); then
+ local -a filtered_opts=()
+ local skip_next=0
+ local opt
+ for opt in "${extra_opts[@]}"; do
+ if (( skip_next )); then
+ skip_next=0
+ continue
+ fi
+
+ case "$opt" in
+ -l)
+ skip_next=1
+ ;;
+ -l?*)
+ ;;
+ *)
+ filtered_opts+=("$opt")
+ ;;
+ esac
+ done
+
+ extra_opts=("${filtered_opts[@]}")
+ fi
+
+ [[ "${JW_PKG_VERBOSE:-false}" = "true" ]] && set -x
+
+ exec /usr/bin/ssh "${extra_opts[@]}" "$@"
+}
+
+run_ssh "$@"
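Review bot: The first loop in run_ssh sets has_user_at_host for any non-option argument matching `?*@?*`, not only for the destination. An option value passed as its own word (for example the argument after `-J` or `-i`), or a remote command or repository path containing `@`, therefore also strips `-l` from JW_PKG_SSH_EXTRA_OPTS, and the login silently proceeds as a different user than CI configured. The scan should skip the values of options that take an argument and stop at the first positional argument, testing only that one for `user@`. Separately, the filter removes only `-l`; a `-o User=...` entry in JW_PKG_SSH_EXTRA_OPTS is left in place and likely overrides `user@host` in the same way, so it is worth either filtering it too or documenting that only `-l` is supported.

```shell
    local has_user_at_host=0
    local skip_value=0
    local arg
    for arg in "$@"; do
        if (( skip_value )); then
            skip_value=0
            continue
        fi
        case "$arg" in
            -[BbcDEeFIiJLlmOoPpQRSWw])
                # ssh(1) options whose value is the next word
                skip_value=1
                ;;
            -*)
                ;;
            *)
                # first positional word is the destination; later words are the remote command
                [[ "$arg" == ?*@?* ]] && has_user_at_host=1
                break
                ;;
        esac
    done
    # … unchanged: JW_PKG_SSH_EXTRA_OPTS parsing, -l filtering, exec …
```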