Browse Source

authorize keys in `SSH_CLIENT_PUBLIC_KEYS_ALL` to access all repositories

Fabian Peter Hammerle 1 year ago
parent
commit
c532b69d3e
4 changed files with 25 additions and 4 deletions
  1. 1 0
      CHANGELOG.md
  2. 12 1
      README.md
  3. 3 0
      docker-compose.yml
  4. 9 3
      entrypoint.sh

+ 1 - 0
CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   `SSH_CLIENT_PUBLIC_KEYS_[NAME]`, and `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_[NAME]`.
   keeping functionality of `BORG_REPO`, `SSH_CLIENT_PUBLIC_KEYS`,
   and `SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY` for downward compatibility.
+  keys in `SSH_CLIENT_PUBLIC_KEYS_ALL` are authorized to access all repositories.
 - add sshd's `restrict` option to all key authorizations
   (redundant as port forwarding etc is already disabled in `sshd_config`)
 

+ 12 - 1
README.md

@@ -46,7 +46,18 @@ $ sudo docker run --name borgbackup_sshd \
     ...
 ```
 
-Currently, keys may only be authorized for a single repository.
+Currently, individual keys may be authorized either for a single repository
+or for *all repositories* via `SSH_CLIENT_PUBLIC_KEYS_ALL`:
+```sh
+$ sudo docker run --name borgbackup_sshd \
+    -v repo_foo:/some/where/repo-foo \
+    -e REPO_PATH_foo=/some/where/repo-foo \
+    -v repo_bar:/some/where/else/bar \
+    -e REPO_PATH_bar=/some/where/else/bar \
+    ...
+    -e SSH_CLIENT_PUBLIC_KEYS_ALL="$(cat ~/.ssh/id_*.pub)" \
+    ...
+```
 
 ### Docker Compose 🐙
 

+ 3 - 0
docker-compose.yml

@@ -28,6 +28,9 @@ services:
       #SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar: |
       #  ssh-rsa ...
       #  ssh-rsa ...
+      #SSH_CLIENT_PUBLIC_KEYS_ALL: |
+      #  ssh-rsa ...
+      #  ssh-rsa ...
     read_only: true
     volumes:
     - type: volume

+ 9 - 3
entrypoint.sh

@@ -12,19 +12,20 @@ fi
 unset SSHD_HOST_KEYS_DIR
 
 authorize_key() {
-    if echo -E "$2" | grep -q '^[a-z]'; then
-        echo "command=\"/usr/bin/borg serve --restrict-to-repository '$1'$3\",restrict $2" >> ~/.ssh/authorized_keys
+    if echo -E "$1" | grep -q '^[a-z]'; then
+        echo "command=\"/usr/bin/borg serve$2\",restrict $1" >> ~/.ssh/authorized_keys
     fi
 }
 authorize_keys() {
     printenv "$1" | while IFS=$'\n' read -r key; do
-        authorize_key "$2" "$key" "$3"
+        authorize_key "$key" " --restrict-to-repository '$2'$3"
     done
     unset "$1"
 }
 authorize_keys SSH_CLIENT_PUBLIC_KEYS "$REPO_PATH" ""
 # https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode
 authorize_keys SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY "$REPO_PATH" " --append-only"
+all_repo_restrictions=" --restrict-to-repository '$REPO_PATH'"
 unset REPO_PATH
 while IFS=$'\n' read line; do
     repo_name="$(echo -E "$line" | cut -d = -f 1 | cut -d _ -f 3-)"
@@ -33,10 +34,15 @@ while IFS=$'\n' read line; do
         exit 1
     fi
     repo_path="$(printenv "REPO_PATH_${repo_name}")"
+    all_repo_restrictions="$all_repo_restrictions --restrict-to-repository '$repo_path'"
     unset "REPO_PATH_${repo_name}"
     authorize_keys "SSH_CLIENT_PUBLIC_KEYS_${repo_name}" "$repo_path" ""
     authorize_keys "SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_${repo_name}" "$repo_path" " --append-only"
 done < <(printenv | grep '^REPO_PATH_')
+printenv SSH_CLIENT_PUBLIC_KEYS_ALL | while IFS=$'\n' read -r key; do
+    authorize_key "$key" "$all_repo_restrictions"
+done
+unset SSH_CLIENT_PUBLIC_KEYS_ALL
 
 set -x