authorDan Magnus Lindvall <magnus@dnmgns.com>2017-06-28 03:35:35 +0200
committerLunny Xiao <xiaolunwen@gmail.com>2017-06-28 09:35:35 +0800
commit79daf31058a6de8f3763366b586a99bb4b8e632e (patch)
tree9907118748f741c2c9c4bd852d6be8539834dc36
parenta037cd81ff8fc1a1ed9a7efae6b2cd5bc4bedb86 (diff)
downloadgitea-79daf31058a6de8f3763366b586a99bb4b8e632e.tar.gz
gitea-79daf31058a6de8f3763366b586a99bb4b8e632e.zip
Setting to disable authorized_keys backup (#1856)
* Add setting to disable authorized_keys backup when rewriting public keys Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Update default value to comply with documentation Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Use tmp-file instead of bak-file for saving manually added keys. Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change casing Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change casing and build bakpath with sprintf only Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Only close file once Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Do not modify calcFingerprint Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Fix casing Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change style from disable to enable Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Change name, just SSH_BACKUP_AUTHORIZED_KEYS Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Do not check for directory existence if backup is disabled Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
-rw-r--r--conf/app.ini2
-rw-r--r--models/ssh_key.go40
-rw-r--r--modules/setting/setting.go24
3 files changed, 35 insertions, 31 deletions
diff --git a/conf/app.ini b/conf/app.ini
index 2f9c3cdb11..8f04435b5f 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -124,6 +124,8 @@ SSH_ROOT_PATH =
SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
SSH_KEYGEN_PATH = ssh-keygen
+; Enable SSH Authorized Key Backup when rewriting all keys, default is true
+SSH_BACKUP_AUTHORIZED_KEYS = true
; Indicate whether to check minimum key size with corresponding type
MINIMUM_KEY_SIZE_CHECK = false
; Disable CDN even in "prod" mode
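Review bot: The key documented on the added line, `SSH_BACKUP_AUTHORIZED_KEYS`, does not match the name the code reads: the new struct tag in modules/setting/setting.go is `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` and NewContext calls `sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)`. An operator who follows this sample and sets `SSH_BACKUP_AUTHORIZED_KEYS = false` would presumably still get backups, since the lookup never sees that key and MustBool(true) supplies the default. Either rename here to `SSH_AUTHORIZED_KEYS_BACKUP = true` or change the tag and the Key() lookup in both setting.go hunks to `SSH_BACKUP_AUTHORIZED_KEYS`, so the sample config, the tag and the lookup agree. The comment could also say what is backed up and where, e.g. `; Copy the existing authorized_keys to authorized_keys_<unix-time>.gitea_bak before rewriting all keys, default is true`, which is the name the ssh_key.go hunk builds.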
diff --git a/models/ssh_key.go b/models/ssh_key.go
index 947b2dabfd..f70e16c62a 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -324,8 +324,8 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
sshOpLocker.Lock()
defer sshOpLocker.Unlock()
- fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
- f, err := os.OpenFile(fpath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
+ fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
+ f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
if err != nil {
return err
}
@@ -558,53 +558,53 @@ func RewriteAllPublicKeys() error {
sshOpLocker.Lock()
defer sshOpLocker.Unlock()
- fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
- tmpPath := fpath + ".tmp"
- f, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+ fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
+ tmpPath := fPath + ".tmp"
+ t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return err
}
defer func() {
- f.Close()
+ t.Close()
os.Remove(tmpPath)
}()
+ if setting.SSH.AuthorizedKeysBackup && com.IsExist(fPath) {
+ bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
+ if err = com.Copy(fPath, bakPath); err != nil {
+ return err
+ }
+ }
+
err = x.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) {
- _, err = f.WriteString((bean.(*PublicKey)).AuthorizedString())
+ _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
return err
})
if err != nil {
return err
}
- if com.IsExist(fpath) {
- bakPath := fpath + fmt.Sprintf("_%d.gitea_bak", time.Now().Unix())
- if err = com.Copy(fpath, bakPath); err != nil {
- return err
- }
-
- p, err := os.Open(bakPath)
+ if com.IsExist(fPath) {
+ f, err := os.Open(fPath)
if err != nil {
return err
}
- defer p.Close()
-
- scanner := bufio.NewScanner(p)
+ scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := scanner.Text()
if strings.HasPrefix(line, tplCommentPrefix) {
scanner.Scan()
continue
}
- _, err = f.WriteString(line + "\n")
+ _, err = t.WriteString(line + "\n")
if err != nil {
return err
}
}
+ defer f.Close()
}
- f.Close()
- if err = os.Rename(tmpPath, fpath); err != nil {
+ if err = os.Rename(tmpPath, fPath); err != nil {
return err
}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index a51e0e7599..d07dce39a0 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -87,17 +87,18 @@ var (
EnablePprof bool
SSH = struct {
- Disabled bool `ini:"DISABLE_SSH"`
- StartBuiltinServer bool `ini:"START_SSH_SERVER"`
- Domain string `ini:"SSH_DOMAIN"`
- Port int `ini:"SSH_PORT"`
- ListenHost string `ini:"SSH_LISTEN_HOST"`
- ListenPort int `ini:"SSH_LISTEN_PORT"`
- RootPath string `ini:"SSH_ROOT_PATH"`
- KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
- KeygenPath string `ini:"SSH_KEYGEN_PATH"`
- MinimumKeySizeCheck bool `ini:"-"`
- MinimumKeySizes map[string]int `ini:"-"`
+ Disabled bool `ini:"DISABLE_SSH"`
+ StartBuiltinServer bool `ini:"START_SSH_SERVER"`
+ Domain string `ini:"SSH_DOMAIN"`
+ Port int `ini:"SSH_PORT"`
+ ListenHost string `ini:"SSH_LISTEN_HOST"`
+ ListenPort int `ini:"SSH_LISTEN_PORT"`
+ RootPath string `ini:"SSH_ROOT_PATH"`
+ KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
+ KeygenPath string `ini:"SSH_KEYGEN_PATH"`
+ AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
+ MinimumKeySizeCheck bool `ini:"-"`
+ MinimumKeySizes map[string]int `ini:"-"`
}{
Disabled: false,
StartBuiltinServer: false,
@@ -703,6 +704,7 @@ func NewContext() {
SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
}
}
+ SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
if err = Cfg.Section("server").MapTo(&LFS); err != nil {
log.Fatal(4, "Failed to map LFS settings: %v", err)