
[Savannah-cvs] [177] UserAuthentication: mention pubkey checks, project-


From: Assaf Gordon
Subject: [Savannah-cvs] [177] UserAuthentication: mention pubkey checks, project-membership requirement
Date: Sat, 16 Jan 2016 21:12:44 +0000

Revision: 177
          http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=177
Author:   agn
Date:     2016-01-16 21:12:35 +0000 (Sat, 16 Jan 2016)
Log Message:
-----------
UserAuthentication: mention pubkey checks, project-membership requirement

Modified Paths:
--------------
    trunk/sviki/UserAuthentication.mdwn

Modified: trunk/sviki/UserAuthentication.mdwn
===================================================================
--- trunk/sviki/UserAuthentication.mdwn 2016-01-09 23:58:18 UTC (rev 176)
+++ trunk/sviki/UserAuthentication.mdwn 2016-01-16 21:12:35 UTC (rev 177)
@@ -1,5 +1,3 @@
-## User authentication on GNU Savannah systems
-
 ### User account creation
 
 1. Anyone can register a Savannah user account using the web interface:
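Review bot: The removal of the `## User authentication on GNU Savannah systems` heading at the top of the file is not covered by the log message, which only mentions pubkey checks and the project-membership requirement. If dropping the title is intentional (the page now opens at a `###` heading), say so in the log message or commit it separately so the change is easy to trace later.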
@@ -80,6 +78,18 @@
     vcs:~# getent group gawk
     gawk:x:6731:ajschorr,arnold,eliz,jkahrs,scldad,wb8tyw
 
+> **NOTE:**
+>
+> Savannah users who are not members of any projects (i.e. do not have
+> write-access to any repository) will *not* have SSH login access on
+> `vcs` even if they've setup their SSH pubkeys. `getent passwd USER` will
+> return empty results for such users, even if they are valid users in the
+> database (i.e. they exist in the `users` mysql table).
+>
+> Techinically, this is due to the libnss-mysql (see below) script doing
+> an SQL join on the `user` and `user_group` tables, and requiring having
+> at least one record in the `user_group` table).
+
 ### Authentication mechanisms
 
 For VCS repositories (git/hg/bzr/svn/cvs on `vcs.sv.gnu.org`) and
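Review bot: The NOTE names the table inconsistently: its first paragraph says valid users exist in the `users` mysql table, while the second says the libnss-mysql join is on the `user` and `user_group` tables. Use the actual table name in both places, since an admin chasing an empty `getent passwd USER` result will query by that name. Also in this block: "Techinically" should be "Technically", "setup" used as a verb should be "set up", and the closing parenthesis after "`user_group` table" has no matching opening one.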
@@ -165,6 +175,22 @@
     ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvs [...]
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ [...]
 
+To validate the user's keys on `vcs`, use the following script:
+
+    vcs:~# ~/bin/check-user-pubkeys.sh agn
+    address@hidden     2048 fe:61:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.00 (RSA)
+    address@hidden     2048 87:21:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.01 (RSA)
+    address@hidden     2048 3d:00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.02 (RSA)
+
+    vcs:~# ~/bin/check-user-pubkeys.sh someuser
+    address@hidden   4096 6b:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.DmNCzP/key.00 (RSA)
+    address@hidden   4096 0b:c3:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.DmNCzP/key.01 (RSA)
+    Invalid key: /tmp/pubkey.check.DmNCzP/key.02
+    Errors found in ssh pubkeys for user 'someuser'.
+    to troubleshoot, check files in /tmp/pubkey.check.DmNCzP .
+
+The above script can help with troubleshooting user's SSH login problems.
+
 ### mgt and root access
 
 `mgt.sv.gnu.org` is the management server (see [[SavannahArchitecture]] for
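Review bot: The added section shows `~/bin/check-user-pubkeys.sh` output but never says what the script checks or what "Invalid key" means, so the failing `someuser` example ends at "check files in /tmp/pubkey.check.DmNCzP" with no next step. Add a sentence on what makes a key invalid and what the admin should do about it, and state whether the `/tmp/pubkey.check.*` directories are cleaned up automatically or must be removed by hand. The script is also referenced only by its path under `~/bin` on `vcs`, so note where its source is kept. Minor: in the closing sentence, "user's SSH login problems" should read "users' SSH login problems".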



