Commit graph

58 commits

Author SHA1 Message Date
Joey Hess
df11e54788
avoid the dashed ssh hostname class of security holes
Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated as an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.

No CVE has yet been assigned for this hole.
The same class of security hole recently affected git itself,
CVE-2017-1000117.

Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.

SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.

Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.

This commit was sponsored by Jochen Bartl on Patreon.
2017-08-17 22:11:31 -04:00
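
The smart-constructor approach described in the commit above, as an added Haskell example; it is not git-annex's code. SshHost is the type name from the commit message, while mkSshHost, fromSshHost, sshArgv and the sample inputs are names and values chosen for this illustration.

```haskell
-- Added illustration, not taken from the git-annex source tree.
-- In a library module the export list would name the type without its
-- constructor, e.g. (SshHost, mkSshHost, fromSshHost), so that mkSshHost
-- is the only way for other modules to obtain an SshHost.

newtype SshHost = SshHost String
  deriving (Eq, Show)

-- Smart constructor: refuse any hostname that ssh would parse as an
-- option because it starts with a dash.
mkSshHost :: String -> Either String SshHost
mkSshHost h@('-':_) = Left ("ssh hostname starts with a dash: " ++ show h)
mkSshHost h = Right (SshHost h)

fromSshHost :: SshHost -> String
fromSshHost (SshHost h) = h

-- Build the ssh argument vector. Because the parameter is an SshHost and
-- not a String, an unvalidated hostname cannot reach this function
-- without a type error at compile time.
sshArgv :: SshHost -> [String] -> [String]
sshArgv host remoteCmd = "ssh" : fromSshHost host : remoteCmd

main :: IO ()
main = mapM_ check samples
  where
    -- Constructed sample inputs: one ordinary hostname and one shaped
    -- like the option string named in the commit message.
    samples = ["example.com", "-oProxyCommand=<placeholder>"]
    check h = putStrLn $ case mkSshHost h of
      Left err -> "rejected: " ++ err
      Right host -> "argv: " ++ show (sshArgv host ["git-annex-shell"])
```
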
Joey Hess
9eb10caa27
Some optimisations to string splitting code.
Turns out that Data.List.Utils.split is slow and makes a lot of
allocations. Here's a much simpler single character splitter that behaves
the same (even in wacky corner cases) while running in half the time and
75% the allocations.

As well as being an optimisation, this helps move toward eliminating use of
missingh.

(Data.List.Split.splitOn is nearly as slow as Data.List.Utils.split and
allocates even more.)

I have not benchmarked the effect on git-annex, but would not be surprised
to see some parsing of eg, large streams from git commands run twice as
fast, and possibly in less memory.

This commit was sponsored by Boyd Stephen Smith Jr. on Patreon.
2017-01-31 19:06:22 -04:00
Joey Hess
50e63f75d1
webapp: Escape unusual characters in ssh hostnames when generating mangled hostnames. This allows IPv6 addresses to be used on filesystems not supporting : in filenames. 2016-07-19 11:37:03 -04:00
Joey Hess
737e45156e
remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Joey Hess
26d4eaa4e0 use mangled hostname for gitlab repo when using a dedicated git-annex ssh key 2015-07-27 11:03:58 -04:00
Joey Hess
343ab2e358 basic gitlab support in webapp
This works, but needs more testing and work on cases like encrypted repos,
enabling existing repositories, etc.

This commit was sponsored by Shaun Westmacott.
2015-07-22 17:50:13 -04:00
Joey Hess
c6b5f2f3c4 assistant: Fix local pairing when ssh pubkey comment contains spaces. 2015-02-04 14:05:27 -04:00
Joey Hess
afc5153157 update my email address and homepage url 2015-01-21 12:50:09 -04:00
Joey Hess
3bab5dfb1d revert parentDir change
Reverts 965e106f24

Unfortunately, this caused breakage on Windows, and possibly elsewhere,
because parentDir and takeDirectory do not behave the same when there is a
trailing directory separator.
2015-01-09 13:11:56 -04:00
Joey Hess
965e106f24 made parentDir return a Maybe FilePath; removed most uses of it
parentDir is less safe than takeDirectory, especially when working
with relative FilePaths. It's really only useful in loops that
want to terminate at /

This commit was sponsored by Audric SCHILTKNECHT.
2015-01-06 18:55:56 -04:00
Joey Hess
7b50b3c057 fix some mixed space+tab indentation
This fixes all instances of " \t" in the code base. Most common case
seems to be after a "where" line; probably vim copied the two space layout
of that line.

Done as a background task while listening to episode 2 of the Type Theory
podcast.
2014-10-09 15:09:11 -04:00
Joey Hess
71b2a0a955 webapp: Include ssh port in mangled hostname.
This avoids a collision if different ssh ports are used on the same host
for some reason.

Note that it's ok to change the format of the mangled hostname; unmangling
only extracts the hostname from it, and once ssh is configured for a
mangled hostname, that config is not changed.
2014-06-05 12:50:15 -04:00
Joey Hess
39996f8222 assistant: Adjust ssh authorized keys line generated in local pairing or for a remote ssh server to set environment variables in an alternative way that works with the non-POSIX fish shell, as well as POSIX shells. 2014-04-02 15:30:10 -04:00
Joey Hess
74d3949cd0 webapp: Include no-pty in ssh authorized_keys lines.
git-annex-shell does not need a pty, so this speeds things up.
Also, it may avoid weird misconfigured systems that try to run screen or
tmux on every ssh login from doing so.
2014-03-05 13:53:21 -04:00
Joey Hess
27c4d5cd1b Revert "work around what is likely a bug in a new version of ssh"
This reverts commit f626d73442.

Bug was fixed in -2 of debian package, and is fixed upstream
(unsure what upstream release specifically)
2014-02-14 22:39:59 -04:00
Joey Hess
f626d73442 work around what is likely a bug in a new version of ssh
This avoids running into it for new setups, but does not transition old
setups. Just a quick fix; I hope to get ssh fixed.
2014-02-14 16:45:39 -04:00
Joey Hess
fdcc04096c assistant: Ensure that .ssh/config and .ssh/authorized_keys are not group or world writable when writing to those files, as that can make ssh refuse to use them, if it allows another user to write to them. 2014-01-03 17:44:12 -04:00
Joey Hess
3a6e0d1215 assistant: Set StrictHostKeyChecking yes when creating ssh remotes, and add it to the configuration for any ssh remotes previously created by the assistant. This avoids repeated prompts by ssh if the host key changes, instead syncing with such a remote will fail. Closes: #732602 2013-12-20 20:58:36 -04:00
Joey Hess
b9b5e3370d build assistant and watcher on windows (doesn't work yet) 2013-11-12 17:22:34 -04:00
Joey Hess
5f9f7024e9 enabling ssh gcrypt now works 2013-10-01 16:08:01 -04:00
Joey Hess
61e06c972f webapp can now set up gcrypt repos on ssh servers 2013-10-01 13:43:35 -04:00
Joey Hess
d83a244986 UI for making encrypted ssh remotes with gcrypt
Improved probing the remote server, so it gathers a list of the
capabilities it has. From that list, we can determine which types
of remotes are supported, and display an appropriate UI.

The new buttons for making gcrypt repos don't work yet, but the old buttons
for unencrypted git repo and encrypted rsync repo have been adapted to the
new data types and are working.

This commit was sponsored by David Schmitt.
2013-09-29 15:14:09 -04:00
Joey Hess
d1ed337035 webapp: Improve handling of remotes whose setup has stalled.
This includes recovery from the ssh-agent problem that led to many reporting
http://git-annex.branchable.com/bugs/Internal_Server_Error:_Unknown_UUID/
(Including fixing up .ssh/config to set IdentitiesOnly.)

Remotes that have no known uuid are now displayed in the webapp as
"unfinished". There's a link to check their status, and if the remote
has been set annex-ignore, a retry button can be used to unset that and
try again to set up the remote.

As this bug has shown, the process of adding a ssh remote has some failure
modes that are not really ideal. It would certainly be better if, when
setting up a ssh remote it would detect if it's failed to get the UUID,
and handle that in the remote setup process, rather than waiting until
later and handling it this way.

However, that's hard to do, particularly for local pairing, since the
PairListener runs as a background thread. The best it could do is pop up an
alert if there's a problem. This solution is not much different.

Also, this solution handles cases where the user has gotten their repo into
a mess manually and lets the assistant help with cleaning it up.

This commit was sponsored by Chia Shee Liang. Thanks!
2013-07-31 16:36:29 -04:00
Joey Hess
cbfdf3ab21 set IdentitiesOnly
When setting up a dedicated ssh key to access the annex on a host,
set IdentitiesOnly to prevent the ssh-agent from forcing use of a different
ssh key.

That behavior could result in unnecessary password prompts. I remember
getting a message or two from people who got deluged with password
prompts and I couldn't at the time see why.

Also, it would prevent git-annex-shell from being run on the remote host,
when git-annex was installed there by unpacking the standalone tarball,
since the authorized_keys line for the dedicated ssh key, which sets
up calling git-annex-shell when it's not in path, wouldn't be used.

This fixes
http://git-annex.branchable.com/bugs/Internal_Server_Error:_Unknown_UUID
but I've not closed that bug yet since I should still:

1. Investigate why the ssh remote got set up despite being so broken.
2. Make the webapp not handle the NoUUID state in such an ugly way.
3. Possibly add code to fix up systems that encountered the problem.
   Although since it requires changes to .ssh/config this may be one for
   the release notes.

Thanks to TJ for pointing me in the right direction to understand what
was happening here.
2013-07-31 13:30:49 -04:00
Joey Hess
2d7b4517ab got hdevtools working again
Fix comment to not make cpp unhappy
2013-07-27 13:00:49 -04:00
Joey Hess
c8e6947693 webapp: Ensure that ssh keys generated for different directories on a server are always different. 2013-06-25 15:31:04 -04:00
Joey Hess
81d6f96cd9 sanity check 2013-06-11 23:12:01 -04:00
Joey Hess
768f7c87f2 display any illegal character found in ssh comment 2013-06-10 23:55:54 -04:00
Joey Hess
25a8d4b11c rename module 2013-05-12 19:19:28 -04:00
Joey Hess
749c197947 fix use of wrong shebang when android is installing git-annex-shell wrapper on server 2013-05-06 15:58:13 -04:00
Joey Hess
8a2d1988d3 expose Control.Monad.join
I think I've been looking for that function for some time.
Ie, I remember wanting to collapse Just Nothing to Nothing.
2013-04-22 20:24:53 -04:00
Joey Hess
7956177445 webapp: Include the repository directory in the mangled hostname and ssh key name, so that a locked down ssh key for one repository is not re-used when setting up additional repositories on the same server. 2013-04-16 13:49:39 -04:00
Joey Hess
21f93de33c use git-annex for ssh directory name 2013-04-14 20:00:32 -04:00
Joey Hess
aca9e4f0b4 random ssh keys (╯°□°)╯︵ ┻━┻ gnome-keyring
assistant: Work around horrible, terrible, very bad behavior of
gnome-keyring, by not storing special-purpose ssh keys in ~/.ssh/*.pub.

Apparently gnome-keyring will load and indiscriminately use such
keys in some cases, even if they are not using any of the standard ssh key
names. Instead store the keys in ~/.ssh/annex/, which gnome-keyring will
not check.

Note that neither I nor #debian-devel were able to quite reproduce this
problem, but I believe it exists, and that this fixes it. And it certainly
won't hurt anything..
2013-04-14 15:34:59 -04:00
Joey Hess
796f1d806f assistant: Fix ~/.ssh/git-annex-shell wrapper to work when the ssh key does not force a command.
Without a forced command, SSH_ORIGINAL_COMMAND is not set.
So instead, in this case, run $@
2013-03-12 07:12:39 -04:00
Joey Hess
cbd53b4a8c Makefile now builds using cabal, taking advantage of cabal's automatic detection of appropriate build flags.
The only thing lost is ./ghci

Speed: make fast used to take 20 seconds here, when rebuilding from
touching Command/Unused.hs. With cabal, it's 29 seconds.
2013-02-27 02:39:22 -04:00
Joey Hess
9d6fd5b927 webapp: Display any error message from git init if it fails to create a repository. 2013-02-26 13:04:37 -04:00
Joey Hess
f40180f033 deal with Android's nonstandard shell location
This is so gratuitous and pointless. It's a shame that everything we
learned about Unix portability and the importance of standards has been
thrown out the window by these guys.
2013-02-13 14:30:04 -04:00
Joey Hess
4c0fb330eb fix typo in name of authorized_keys file when canceling adding a key 2013-01-03 16:11:19 -04:00
Joey Hess
551924e6be webapp: Allow user to specify the ssh port when setting up a remote. 2012-12-06 17:09:38 -04:00
Joey Hess
3fdb78a51e assistant: Allow periods in ssh key comments. 2012-12-06 10:39:51 -04:00
Joey Hess
f6bcab3f57 cleanup 2012-11-06 16:08:36 -04:00
Joey Hess
0b8027e527 webapp: When setting up authorized_keys, use GIT_ANNEX_SHELL_DIRECTORY. 2012-11-05 12:35:05 -04:00
Joey Hess
39e82b1af8 webapp: Generate better git remote names.
Wrote a better git remote name sanitizer. Git blows up on lots of weird
stuff, especially if it starts the remote name, but I managed to get
some common punctuation working.
2012-10-31 15:26:19 -04:00
Joey Hess
88d1907278 where indentation 2012-10-31 02:34:03 -04:00
Joey Hess
7ee0ffaeb9 Use USER and HOME environment when set, and only fall back to getpwent, which doesn't work with LDAP or NIS. 2012-10-25 18:17:54 -04:00
Joey Hess
12efabf070 webapp: Allow dashes in ssh key comments when pairing. 2012-10-22 11:18:19 -04:00
Joey Hess
813b28aa49 removed 3 partial !! and got a much nicer implementation
Yay, monadic Either!
2012-10-20 16:21:39 -04:00
Joey Hess
7f78bc92b6 webapp: Avoid crashing when ssh-keygen -F chokes on an invalid known_hosts file. 2012-09-27 11:27:16 -04:00
Joey Hess
3979086035 use ~/.ssh/git-annex-shell wrapper
This was needed for the OSX self-contained app, but is a generally good
idea. It avoids needing perl; is probably faster; and could eventually
be replaced by something faster yet.
2012-09-26 18:59:18 -04:00