projects-dir.mk: Remove "-l user" in ssh-wrapper.sh
By the time projects-dir.mk is used during onboarding, it's already cloned, and so is jw-pkg in all its glory. So better use a ssh-wrapper.sh directly under jw-pkg's version control instead of plainly generating one with echo some-script-logic > ssh-wrapper.sh.
This has the main benefit of allowing a more elaborate script. The one added by this commit removes "-l user" from remotes which have a standard-user@gitserver form, typically because they differentiate users via their SSH pubkeys only, and which would deny access if both -l user and standard-user@ were specified.
ssh-wrapper.sh still needs to be a target which is updated by a recipe, because the version found in jw-pkg can't be trusted to be executable during bootstrapping, because "make all" has not run, yet.
Signed-off-by: Jan Lindemann <jan@janware.com>
|
|
@ -397,8 +397,8 @@ git-commit:
|
||||||
|
|
||||||
# --- rules
|
# --- rules
|
||||||
|
|
||||||
$(SSH_WRAPPER_SH): $(PROJECTS_MAKEFILE_NAME)
|
$(SSH_WRAPPER_SH): $(JWB_SCRIPT_DIR)/ssh-wrapper.sh
|
||||||
/bin/echo -e '#!/bin/bash $(SSH_WRAPPER_TRACE)\n\nexec /usr/bin/ssh $$JW_PKG_SSH_EXTRA_OPTS "$$@"' > $@.tmp
|
cp $< $@.tmp
|
||||||
chmod 700 $@.tmp
|
chmod 700 $@.tmp
|
||||||
mv $@.tmp $@
|
mv $@.tmp $@
|
||||||
ssh-wrapper: $(SSH_WRAPPER_SH)
|
ssh-wrapper: $(SSH_WRAPPER_SH)
|
||||||
|
|
|
||||||
62
scripts/ssh-wrapper.sh
Executable file
|
|
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# JW_PKG_SSH_EXTRA_OPTS in the context of CI can contain "-l someuser". For
|
||||||
|
# the ssh login to a remote ssh://otheruser@gitserver.com, this runs the ssh
|
||||||
|
# command "ssh -l someuser otheruser@gitserver.com". Since with openssh, -l
|
||||||
|
# takes precedence of the @, ssh tries to authenticate as someuser against
|
||||||
|
# gitserver, and is rightly denied access.
|
||||||
|
#
|
||||||
|
# That case happens with the janware's pub remote, so the -l needs to be
|
||||||
|
# removed from JW_PKG_SSH_EXTRA_OPTS if a remote with a username@ prefix from
|
||||||
|
# the Git configuration hits this script, and that's what most of its logic
|
||||||
|
# does.
|
||||||
|
|
||||||
|
run_ssh()
|
||||||
|
{
|
||||||
|
local has_user_at_host=0
|
||||||
|
local arg
|
||||||
|
for arg in "$@"; do
|
||||||
|
case "$arg" in
|
||||||
|
-*)
|
||||||
|
;;
|
||||||
|
?*@?*)
|
||||||
|
has_user_at_host=1
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
local -a extra_opts
|
||||||
|
read -r -a extra_opts <<< "${JW_PKG_SSH_EXTRA_OPTS:-}"
|
||||||
|
|
||||||
|
if (( has_user_at_host )); then
|
||||||
|
local -a filtered_opts=()
|
||||||
|
local skip_next=0
|
||||||
|
local opt
|
||||||
|
for opt in "${extra_opts[@]}"; do
|
||||||
|
if (( skip_next )); then
|
||||||
|
skip_next=0
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$opt" in
|
||||||
|
-l)
|
||||||
|
skip_next=1
|
||||||
|
;;
|
||||||
|
-l?*)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
filtered_opts+=("$opt")
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
extra_opts=("${filtered_opts[@]}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
[[ "${JW_PKG_VERBOSE:-false}" = "true" ]] && set -x
|
||||||
|
|
||||||
|
exec /usr/bin/ssh "${extra_opts[@]}" "$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_ssh "$@"
|
||||||