[Piuparts-commits] [SCM] piuparts git repository branch, master, updated. 0.51
Andreas Beckmann
anbe at debian.org
Wed May 15 10:09:51 UTC 2013
The following commit has been merged in the master branch:
commit 971f699f4463e5b260e1e98579297b8292c5d8ec
Author: Andreas Beckmann <anbe at debian.org>
Date: Sat Mar 9 17:07:07 2013 +0100
p-s.deb: restrict slave's ssh key to only allow running piuparts-master
Signed-off-by: Andreas Beckmann <anbe at debian.org>
diff --git a/README.txt b/README.txt
index 9a86b30..4a282c1 100644
--- a/README.txt
+++ b/README.txt
@@ -272,19 +272,22 @@ To set this up for yourself, the following steps should suffice:
. Pick a machine to run the master. It cannot be a chroot, but
basically any real (or properly virtualized) Debian system is good
enough.
-. Install piuparts on it.
-. Create an account for the master.
+. Install the package piuparts-master on it.
+. Create an account for the master (the package creates piupartsm).
. Configure '/etc/piuparts/piuparts.conf' appropriately.
. Pick one or more slaves to run the slave. You can use the machine
running the master also as a slave. Etch is fine, it can even be
in a chroot.
-. Install piuparts on it.
+. Install the package piuparts-slave on it.
. Configure '/etc/piuparts/piuparts.conf' appropriately - if master
and slave share the machine, they also share the config file.
. Create an account for the slave. This must be different from the
- master account.
+ master account. (The package creates piupartss.)
. Create an ssh keypair for the slave. No passphrase.
. Add the slave's public key to the master's '.ssh/authorized_keys'
+ The key should be restricted to only allow running
+ 'piuparts-master' by prefixing it with
+ 'command="/usr/share/piuparts/piuparts-master",no-pty,no-port-forwarding '
. Configure sudo on the slave machine to allow the slave account
run '/usr/sbin/piuparts' as root without password (otherwise
you'll be typing in a password all the time).
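Review bot: the authorized_keys prefix recommended on the new README lines ('command="/usr/share/piuparts/piuparts-master",no-pty,no-port-forwarding ') blocks an interactive shell and port forwarding but still leaves agent and X11 forwarding available to the slave key; adding no-agent-forwarding,no-X11-forwarding would make the key usable for nothing but invoking piuparts-master. The text should also say explicitly that the trailing space before the key material is part of the prefix, since a reader copying the quoted string is likely to drop it.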
diff --git a/debian/changelog b/debian/changelog
index d866206..e16e681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,6 +18,8 @@ piuparts (0.51) UNRELEASED; urgency=low
- Get the 'master-directory' from piuparts.conf and chdir there.
- Get the (global) 'log-file' from piuparts.conf and handle the error
logging. No longer uses the section specific logfile name for errors.
+ * Allow the master-command to be set in ~piupartsm/.ssh/authorized_keys to
+ restrict ssh keys to only run piuparts-master.
* piuparts-master-backend.py:
- Raise CommandSyntaxError on unknown commands.
- Add "section" command:
@@ -45,6 +47,9 @@ piuparts (0.51) UNRELEASED; urgency=low
* Makefile:
* detect_well_known_errors:
- Skip sections that don't exist in piuparts.conf.
+ * piuparts-slave.deb:
+ - Restrict the ssh key added to master's authorized_keys to only run
+ piuparts-master.
* scripts-wheezy/post_setup_wheezy-fake-essential: New custom script to
suppress some purge failures in wheezy.
* New known problem: Database setup failure (issue).
@@ -169,6 +174,8 @@ piuparts (0.50) unstable; urgency=low
- Use /var/cache/piuparts/tmp as tmpdir.
- Use /var/cache/piuparts/basetgz as basetgz-directory.
- Populate ~piupartss/.ssh/known_hosts with localhost's hostkey.
+ - Restrict the ssh key added to master's authorized_keys to only run
+ piuparts-master.
* slave_{run,join}: Rename the screen session to "piuparts_slave_screen".
* slave_cleanup: Use pgrep to find running piuparts-slave processes.
* slave_{run,join}: Use screen -ls to find running screen sessions.
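Review bot: the two lines added here land in the already released piuparts (0.50) unstable section (see the @@ context), duplicating the identical piuparts-slave.deb entry added under 0.51 UNRELEASED in the previous hunk; a released changelog section should not be amended, so these two lines should be dropped and only the 0.51 entry kept.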
diff --git a/debian/piuparts-slave.postinst b/debian/piuparts-slave.postinst
index 6ef46d0..ba09c70 100644
--- a/debian/piuparts-slave.postinst
+++ b/debian/piuparts-slave.postinst
@@ -55,7 +55,8 @@ if [ "$1" = "configure" ] ; then
fi
if [ -d $userhome/$muser/.ssh ] && [ ! -e $userhome/$muser/.ssh/authorized_keys ] ; then
- cat $userhome/$suser/.ssh/id_rsa.pub >>$userhome/$muser/.ssh/authorized_keys
+ sed 's#^#command="'"$scriptroot"'/piuparts-master",no-pty,no-port-forwarding #' \
+ $userhome/$suser/.ssh/id_rsa.pub >>$userhome/$muser/.ssh/authorized_keys
chown $muser:$pgroup $userhome/$muser/.ssh/authorized_keys
chmod 0600 $userhome/$muser/.ssh/authorized_keys
fi
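Review bot: the restriction is only applied when authorized_keys does not exist yet (the surrounding `[ ! -e $userhome/$muser/.ssh/authorized_keys ]` guard), so systems that installed an earlier piuparts-slave keep the unrestricted key the old `cat` line wrote; the postinst should handle the upgrade case, for example by rewriting an existing unrestricted entry for the piupartss key or at least warning about it. Minor: `$scriptroot` is spliced into the sed replacement unescaped, so a value containing `&` or `#` would corrupt the prefix, and `$userhome`/`$muser` remain unquoted in the file paths.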