Is your feature request related to a problem? Please describe.
Currently hosting soft serve requires to host it in another port, different from your regular ssh traffic. I want users to be able to just use git@my.server/my-repo.git like most git servers allow.
Describe the solution you'd like
By using a custom shell or by specifying a command via .ssh/authorized_keys or AuthorizedKeysCommand one can execute a command when a certain user is trying to log in with a specific key (or even without a specific key when using the shell as a fallback). This can be used to launch any TTY program when logged in. The code required to do this is fairly easy to write and so far i have managed to write a script for this which works just invoking the command ssh localhost -p 23231 ${SSH_ORIGINAL_COMMAND[@]}. This is a bit annoying however, since i need to add an extra ssh key to the user i want to authenticate as. Adding a command like soft browse --as-user nea ${SSH_ORIGINAL_COMMAND[@]} would make this a lot easier and less intrusive.
Current workflow:
user connects to my-server:22
ssh daemon accepts that connection
ssh daemon invokes AuthorizedKeysCommand, which is set to key-provider-script
key-provider-script calls ssh localhost -p23231 user list using an admin key
key-provider-script calls ssh localhost -p23231 user info <user> for each user using an admin key
for each found ssh key (ignoring the scripts generated ones, see later), the key-provider-script emits a directive
this directive contains the original ssh key
this directive forces a command to be executed and prohibits all other activity (like port forwarding, x11 forwarding)
ssh daemon finds all of those generated authorized key directives and tries to authenticate with one of them. if it cannot then it invokes the normal shell (which falls back to just a normal keyless ssh localhost -p23231).
otherwise ssh daemon uses that key to find the proper command to be executed and provides that command with the variable SSH_ORIGINAL_COMMAND which shows the original ssh command
the command is aware which original user it belongs to
it tries to find a server side ssh key for that user
alternatively it generates a new ssh key on the server, saves the private key and uses ssh localhost -p23231 user add-pubkey to add that public key to the user
once it has a key it calls ssh localhost -p23231 -i the_private_key_file $SSH_ORIGINAL_COMMAND in order to connect the user to soft serve
This workflow could be massively improved with changes in soft serve. While implementing all of this to the proper satisfaction of whatever standards this project might have might be a bit much, implementing just the last step of impersonating a user on the current tty using a soft browse --as-user <user> (or soft impersonate <user>) command would be pretty big step in making this easier to implement on my side, while also being a step that soft serve would eventually need to do itself anyway, if it wants to support a workflow like this.
Describe alternatives you've considered
I can also host soft serve on port 22 and my other stuff on a non standard port. I would consider that a downgrade since git isnt the only public facing ssh feature i might have and most other git servers dont need me to do this.
I can also specify a Host in my client sided ssh config. I would consider this a downgrade since no other git server requires editing the ssh config in every client.
Is your feature request related to a problem? Please describe. Currently hosting soft serve requires to host it in another port, different from your regular ssh traffic. I want users to be able to just use
git@my.server/my-repo.gitlike most git servers allow.Describe the solution you'd like By using a custom shell or by specifying a command via
.ssh/authorized_keysorAuthorizedKeysCommandone can execute a command when a certain user is trying to log in with a specific key (or even without a specific key when using the shell as a fallback). This can be used to launch any TTY program when logged in. The code required to do this is fairly easy to write and so far i have managed to write a script for this which works just invoking the commandssh localhost -p 23231 ${SSH_ORIGINAL_COMMAND[@]}. This is a bit annoying however, since i need to add an extra ssh key to the user i want to authenticate as. Adding a command likesoft browse --as-user nea ${SSH_ORIGINAL_COMMAND[@]}would make this a lot easier and less intrusive.Current workflow:
ssh localhost -p23231 user listusing an admin keyssh localhost -p23231 user info <user>for each user using an admin keyssh localhost -p23231).ssh localhost -p23231 user add-pubkeyto add that public key to the userssh localhost -p23231 -i the_private_key_file $SSH_ORIGINAL_COMMANDin order to connect the user to soft serveThis workflow could be massively improved with changes in soft serve. While implementing all of this to the proper satisfaction of whatever standards this project might have might be a bit much, implementing just the last step of impersonating a user on the current tty using a
soft browse --as-user <user>(orsoft impersonate <user>) command would be pretty big step in making this easier to implement on my side, while also being a step that soft serve would eventually need to do itself anyway, if it wants to support a workflow like this.Describe alternatives you've considered I can also host soft serve on port 22 and my other stuff on a non standard port. I would consider that a downgrade since git isnt the only public facing ssh feature i might have and most other git servers dont need me to do this.
I can also specify a
Hostin my client sided ssh config. I would consider this a downgrade since no other git server requires editing the ssh config in every client.Additional context
.ssh/authorized_keysfile instead of usingAuthorizedKeysCommand): https://github.com/gogs/gogs/blob/5bdf91e73c7733d92e80f6ea9e3fbba60490c9cf/internal/database/ssh_key.go#L32