Fixes T2229. This sets the stage for a patch similar to D7417, but for SSH. In particular, SSH 6.2 introduced an AuthorizedKeysCommand directive, which lets us do this in a mostly-reasonable way without needing users to patch sshd (if they have a recent enough version, at least).

The way the AuthorizedKeysCommand works is that it gets run and produces an authorized_keys-style file fragment. This isn't ideal, because we have to dump every key into the result, but should be fine for most installs. The earlier patch against sshd passes the public key itself, which allows the script to just look up the key. We might use this eventually, since it can scale much better, so I haven't removed it.

Generally, auth is split into two scripts now which mostly do the same thing:

• ssh-auth is the AuthorizedKeysCommand auth, which takes nothing and dumps the whole keyfile.
• ssh-auth-key is the slightly cleaner and more scalable (but patch-dependent) version, which takes the public key and dumps only matching options.

I also reworked the argument parsing to be a bit more sane.

This is somewhat-intentionally a bit obtuse since I don't really want anyone using it yet, but basically:

• Copy phabricator-ssh-hook.sh to somewhere like /usr/libexec/openssh/, chown it root and chmod it 500.
  • This script should probably also do a username check in the future.
• Create a copy of sshd_config and fix the paths/etc. Point the KeyScript at your copy of the hook.
• Start a copy of sshd (6.2 or newer) with -f <your config file> and maybe -d -d -d to foreground and debug.
• Run ssh -p 2222 localhost or similar.

Specifically, I did this setup and then ran a bunch of commands like:

• ssh host (denied, no command)
• ssh host ls (denied, not supported)
• echo '{}' | ssh host conduit conduit.ping (works)