D13719.diff

diff --git a/resources/sshd/phabricator-ssh-hook.sh b/resources/sshd/phabricator-ssh-hook.sh
deleted file mode 100755
--- a/resources/sshd/phabricator-ssh-hook.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-# NOTE: Replace this with the username that you expect users to connect with.
-VCSUSER="vcs-user"
-
-# NOTE: Replace this with the path to your Phabricator directory.
-ROOT="/path/to/phabricator"
-
-if [ "$1" != "$VCSUSER" ];
-then
- exit 1
-fi
-
-exec "$ROOT/bin/ssh-auth" $@
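Review bot: deleting this hook removes the only place that rejected a connecting username other than `vcs-user` before handing off to `bin/ssh-auth` (the `if [ "$1" != "$VCSUSER" ]` ... `exit 1` lines); if the replacement is the `Match User vcs-user` block this revision adds to the docs, the commit message should say the check now lives in `sshd_config`, since administrators still running this script from an older install are otherwise not told it is gone. For the record, the removed `exec "$ROOT/bin/ssh-auth" $@` also left `$@` unquoted, so having `sshd` invoke `bin/ssh-auth` directly is an improvement on that point.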
diff --git a/resources/sshd/sshd_config.phabricator.example b/resources/sshd/sshd_config.phabricator.example
deleted file mode 100644
--- a/resources/sshd/sshd_config.phabricator.example
+++ /dev/null
@@ -1,23 +0,0 @@
-# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
-# was added in this version.
-
-# NOTE: Edit these to the correct values for your setup.
-
-AuthorizedKeysCommand /usr/libexec/phabricator-ssh-hook.sh
-AuthorizedKeysCommandUser vcs-user
-AllowUsers vcs-user
-
-# You may need to tweak these options, but mostly they just turn off everything
-# dangerous.
-
-Port 22
-Protocol 2
-PermitRootLogin no
-AllowAgentForwarding no
-AllowTcpForwarding no
-PrintMotd no
-PrintLastLog no
-PasswordAuthentication no
-AuthorizedKeysFile none
-
-PidFile /var/run/sshd-phabricator.pid
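Review bot: several hardening settings this example carried have no replacement anywhere in the revision: `AuthorizedKeysFile none`, `AllowAgentForwarding no`, `AllowTcpForwarding no` and `PermitRootLogin no`. In the single-daemon layout the docs now describe, the first three are valid inside a `Match User` block and should be carried over there; without `AuthorizedKeysFile none`, a stray `~vcs-user/.ssh/authorized_keys` is still honoured alongside the `AuthorizedKeysCommand` output.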
diff --git a/scripts/ssh/ssh-auth.php b/scripts/ssh/ssh-auth.php
--- a/scripts/ssh/ssh-auth.php
+++ b/scripts/ssh/ssh-auth.php
@@ -7,6 +7,7 @@
$keys = id(new PhabricatorAuthSSHKeyQuery())
->setViewer(PhabricatorUser::getOmnipotentUser())
->execute();
+$lines = array();
if (!$keys) {
echo pht('No keys found.')."\n";
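Review bot: the new `$lines = array();` sits before the `if (!$keys)` branch, which is the right spot if the variable is read unconditionally later, but the hunk shows none of that use; the commit message should state which undefined-variable notice or error the initialisation fixes. Separately, the existing `echo pht('No keys found.')` on the following line writes to stdout, which is the stream `sshd` parses as key material for `AuthorizedKeysCommand`; consider `fwrite(STDERR, ...)` for the diagnostic so the command's stdout stays empty when there are no keys.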
diff --git a/src/docs/user/userguide/diffusion_hosting.diviner b/src/docs/user/userguide/diffusion_hosting.diviner
--- a/src/docs/user/userguide/diffusion_hosting.diviner
+++ b/src/docs/user/userguide/diffusion_hosting.diviner
@@ -35,8 +35,8 @@
| Performance | Better | Okay |
| Setup | Hard | Easy |
-Each repository can be configured individually, and you can use either protocol,
-or both, or a mixture across different repositories.
+Each repository can be configured individually, and you can use either
+protocol, or both, or a mixture across different repositories.
SSH is recommended unless you need anonymous access, or are not able to
configure it for technical reasons.
@@ -97,22 +97,26 @@
If it's present, comment it out by putting a `#` at the beginning of the line.
With this option enabled, VCS SSH sessions won't be able to use `sudo`.
+Alternatively, disable this option for the `vcs-user` and `www-user` only:
+
+ Defaults:vcs-user !requiretty
+ Defaults:www-user !requiretty
If you're planning to use SSH, you should also edit `/etc/passwd` and
`/etc/shadow` to make sure the `vcs-user` account is set up correctly.
- Open `/etc/shadow` and find the line for the `vcs-user` account.
- - The second field (which is the password field) must not be set to
- `!!`. This value will prevent login. If it is set to `!!`, edit it
- and set it to `NP` ("no password") instead.
+ - The second field (which is the password field) must not be set to `!!`.
+ This value will prevent login. If it is set to `!!`, edit it and set it
+ to `NP` ("no password") instead.
- Open `/etc/passwd` and find the line for the `vcs-user` account.
- The last field (which is the login shell) must be set to a real shell.
If it is set to something like `/bin/false`, then `sshd` will not be able
to execute commands. Instead, you should set it to a real shell, like
`/bin/sh`.
-Finally, once you've configured `/etc/sudoers`, `/etc/shadow` and `/etc/passwd`,
-set `phd.user` to the `daemon-user`:
+Finally, once you've configured `/etc/sudoers`, `/etc/shadow` and
+`/etc/passwd`, set `phd.user` to the `daemon-user`:
phabricator/ $ ./bin/config set phd.user daemon-user
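Review bot: the `Defaults:vcs-user !requiretty` and `Defaults:www-user !requiretty` lines use the correct per-user form, but the prose presents them as an alternative to commenting out `Defaults requiretty` without saying where they go; they should be placed after the global `Defaults requiretty` line so the override takes effect, and the snippet should carry a `lang=` marker like the other blocks added in this revision. `www-user` also appears here for the first time; one sentence on why the web user needs `sudo` without a tty would help readers who only set up the SSH path.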
@@ -123,8 +127,8 @@
= Configuring HTTP =
If you plan to use authenticated HTTP, you need to set
-`diffusion.allow-http-auth` in Config. If you don't plan to use HTTP, or plan to
-use only anonymous HTTP, you can leave this setting disabled.
+`diffusion.allow-http-auth` in Config. If you don't plan to use HTTP, or plan
+to use only anonymous HTTP, you can leave this setting disabled.
If you plan to use authenticated HTTP, you'll also need to configure a VCS
password in {nav Settings > VCS Password}. This is a different password than
@@ -135,16 +139,8 @@
= Configuring SSH =
-SSH access requires some additional setup. Here's an overview of how setup
-works:
-
- - You'll move the normal `sshd` daemon to another port, like `222`. When
- connecting to the machine to administrate it, you'll use this alternate
- port to get a normal login shell.
- - You'll run a highly restricted `sshd` on port 22, with a special locked-down
- configuration that uses Phabricator to authorize users and execute commands.
- - The `sshd` on port 22 **MUST** be 6.2 or newer, because Phabricator relies
- on the `AuthorizedKeysCommand` option.
+SSH access requires some additional setup. The `sshd` service **MUST** be 6.2
+or newer, because Phabricator relies on the `AuthorizedKeysCommand` option.
Here's a walkthrough of how to perform this configuration in detail:
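Review bot: removing the three-item overview leaves the next sentence, `Here's a walkthrough of how to perform this configuration in detail:`, pointing at a configuration that is no longer summarised anywhere; replace the deleted bullets with one sentence saying that the existing `sshd` gets a `Match User vcs-user` block rather than a second daemon, so readers upgrading from the old two-daemon layout understand the model changed. The version requirement should also name `AuthorizedKeysCommandUser` alongside `AuthorizedKeysCommand`, since `sshd` refuses to start when the former is missing.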
@@ -157,6 +153,7 @@
To smoke-test a configuration, just start another `sshd` using the `-f` flag:
+ lang=bash
sudo /path/to/sshd -f /path/to/config_file.edited
You can then connect and make sure the edited config file is valid before
@@ -165,61 +162,32 @@
To automatically repair configuration, start a `screen` session with a command
like this in it:
- sleep 60 ; mv sshd_config.good sshd_config ; /etc/init.d/sshd restart
+ lang=bash
+ sleep 60; mv sshd_config.good sshd_config; service sshd restart
The specific command may vary for your system, but the general idea is to have
the machine automatically restore configuration after some period of time if
you don't stop it. If you lock yourself out, this will fix things automatically.
Now that you're ready to edit your configuration, open up your `sshd` config
-(often `/etc/ssh/sshd_config`) and change the `Port` setting to some other port,
-like `222` (you can choose any port other than 22).
-
- Port 222
-
-Very carefully, restart `sshd`. Verify that you can connect on the new port:
-
- ssh -p 222 ...
-
-**Configure and Start Phabricator SSHD**: Now, configure and start a second
-`sshd` instance which will run on port `22`. This instance will use a special
-locked-down configuration that uses Phabricator to handle authentication and
-command execution.
-
-There are three major steps:
-
- - Create a `phabricator-ssh-hook.sh` file.
- - Create a `sshd_phabricator` config file.
- - Start a copy of `sshd` using the new configuration.
-
-**Create `phabricator-ssh-hook.sh`**: Copy the template in
-`phabricator/resources/sshd/phabricator-ssh-hook.sh` to somewhere like
-`/usr/libexec/phabricator-ssh-hook.sh` and edit it to have the correct
-settings. Then make it owned by `root` and restrict editing:
-
- sudo chown root /path/to/phabricator-ssh-hook.sh
- sudo chmod 755 /path/to/phabricator-ssh-hook.sh
-
-If you don't do this, `sshd` will refuse to execute the hook.
-
-**Create `sshd_config` for Phabricator**: Copy the template in
-`phabricator/resources/sshd/sshd_config.phabricator.example` to somewhere like
-`/etc/ssh/sshd_config.phabricator`.
-
-Open the file and edit the `AuthorizedKeysCommand`,
-`AuthorizedKeysCommandUser`, and `AllowUsers` settings to be correct for your
-system.
-
-**Start SSHD**: Now, start the Phabricator `sshd`:
+(often `/etc/ssh/sshd_config`) and add the following configuration and then
+restart the `sshd` service:
- sudo /path/to/sshd -f /path/to/sshd_config.phabricator
+ Match User vcs-user
+ AllowUsers vcs-user
+ AuthorizedKeysCommand /path/to/phabricator/bin/ssh-auth
+ AuthorizedKeysCommandUser vcs
+ PasswordAuthentication no
+ PubkeyAuthentication yes
If you did everything correctly, you should be able to run this:
+ lang=bash
echo {} | ssh vcs-user@phabricator.yourcompany.com conduit conduit.ping
...and get a response like this:
+ lang=json
{"result":"orbital","error_code":null,"error_info":null}
(If you get an authentication error, make sure you added your public key in
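Review bot: the guidance this hunk deletes (`sudo chown root /path/to/phabricator-ssh-hook.sh` ... `If you don't do this, sshd will refuse to execute the hook.`) applies unchanged to the new `AuthorizedKeysCommand /path/to/phabricator/bin/ssh-auth`: `sshd` only runs an `AuthorizedKeysCommand` that is owned by root and not group- or world-writable, and applies the same ownership and write-permission check to every directory above it, so a Phabricator checkout owned by the web or daemon user fails that check; the ownership requirement should be re-added next to the new `Match` block. Two smaller points: `AuthorizedKeysCommandUser vcs` does not match the `vcs-user` account used on every other line of this document (the deleted example used `vcs-user` for both), so either fix the name or explain that a separate unprivileged account is intended; and `AuthorizedKeysFile none`, `AllowTcpForwarding no` and `AllowAgentForwarding no` from the deleted example are all valid under `Match User` and belong in this block.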
