~sircmpwn/sr.ht-discuss


[hg.sr.ht] ssh clone/push doesn't work out of the box

Message ID
<3C2A2283-13D1-42A4-BC11-1F423227BAD9@aaoth.xyz>
Hello,

I'm testing sr.ht locally and I had some issues with the mercurial
service. My testing machine runs Alpine Linux 3.17, I've installed
*sr.ht packages as described in the documentation.

After installing the hg.sr.ht package, tweaking /etc/sr.ht/config.ini
and initializing the database with provided schema I started the needed
services with rc-service(8). I've also modified the nginx config to
match my configuration. The mercurial web service worked correctly,
I was able to create a new empty repository.

When it came to cloning and pushing to that repository, I faced some
issues. First of all, the dedicated 'hg' user's account is disabled,
which is expected for a system user like this. Because of that, the
'hg clone' command failed with this message (the actual domain
replaced with example.com for privacy reasons):

```
remote: hg@hg.example.com: Permission denied (publickey,keyboard-interactive).
abort: no suitable response from remote hg
```

In /var/log/messages I found these lines:

```
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: User hg not allowed because account is locked
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Connection closed by invalid user hg x.x.x.x port xxxxx [preauth]
```

Maybe my sshd is not configured correctly, but here are relevant bits
from my /etc/ssh/sshd_config:

```
PasswordAuthentication no
UsePAM no
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment=SRHT_*
```

Everything else is kept at default values.

Sshd rejects users with an empty password, but it can permit login for
users with a password set to '*', so I've changed hg's password to this
value:

```
# echo 'hg:*' | chpasswd
```

After this change, the error messages also changed. hg push says this
(the second message appears after a second or two):

```
pushing to ssh://hg@hg.example.com/~user/test
abort: no suitable response from remote hg
```

And here are lines from /var/log/messages:

```
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Accepted publickey for hg from x.x.x.x port xxxxx ssh2: ED25519 SHA256:XXXXXXXXXXX
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Received disconnect from x.x.x.x port xxxxx:11: disconnected by user
Jan 1 00:00:00 localhost auth.info sshd[xxxxx]: Disconnected from user hg x.x.x.x port xxxxx
```

I tried ssh -T hg@hg.example.com, which resulted in the following message:

```
This account is not available
```

Then I found out that the hg user doesn't have a valid shell; it is set to
use /sbin/nologin (and the sr.ht-apkbuilds repo confirms that). When I
changed hg's shell to /bin/sh, push and pull through ssh worked.

So my question is: is this a packaging bug? I'm thinking that if
that user's shell would be set to /bin/sh in the post-install script,
the issues I've described wouldn't happen. Or maybe administrators are
supposed to do things I've described (changing user's password and
shell)?

Next question is: has anybody faced these issues when installing
hg.sr.ht from packages?

Anyway, thanks in advance for any comments on this.

---

best regards,
la ninpre.
Message ID
<d35a8e0e-7d82-481d-9c13-0cfb4c1daa2c@app.fastmail.com>
In-Reply-To
<3C2A2283-13D1-42A4-BC11-1F423227BAD9@aaoth.xyz>
> So my question is: is this a packaging bug? I'm thinking that if
> that user's shell would be set to /bin/sh in the post-install script,
> the issues I've described wouldn't happen. Or maybe administrators are
> supposed to do things I've described (changing user's password and
> shell)?

It does indeed look like a bug in the post-install script. I can't say
why it was written like this since I'm running my sourcehut instance on
Ubuntu and not Alpine, but the similar post-install script for git.sr.ht
does set up the git user with /bin/sh. It apparently used to be
/sbin/nologin, but was changed to /bin/sh with:

https://git.sr.ht/~sircmpwn/sr.ht-apkbuilds/commit/a411788b6c2472b4a74a5cc96c2d72e6400be206#sr.ht/git.sr.ht/git.sr.ht.post-install

It seems reasonable to me to change it for the hg user too, unless
someone knows more.
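
The two failure stages reported in this thread can be checked before a client ever connects. The following is an added example, not part of either message and not sourcehut's own code: it classifies a service account from its passwd(5) and shadow(5) entries. It assumes Linux OpenSSH with `UsePAM no`, where a shadow password field beginning with `!` is treated as a locked account; the function name `diagnose_account` and the sample entries (UID, home directory, dates) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a service account used as an SSH dispatch user.
# Assumption: Linux OpenSSH with "UsePAM no", where a shadow password field
# starting with '!' means "account is locked".

# diagnose_account PASSWD_LINE SHADOW_LINE
# Prints one of: locked, empty-password, nologin-shell, has-password, ok
diagnose_account() {
    # passwd(5): name:x:uid:gid:gecos:home:shell -> field 7 is the login shell
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    # shadow(5): name:password:lastchg:... -> field 2 is the password field
    pwfield=$(printf '%s\n' "$2" | cut -d: -f2)

    case $pwfield in
        '!'*) echo locked; return 0 ;;          # sshd refuses before key auth
        '')   echo empty-password; return 0 ;;  # never wanted on a service user
    esac

    # sshd runs the forced command through the login shell, so a
    # nologin-style shell makes the session exit after authentication.
    case $shell in
        */nologin|*/false) echo nologin-shell; return 0 ;;
    esac

    case $pwfield in
        '*'*) echo ok ;;            # no usable password, key login only
        *)    echo has-password ;;  # works, but a password hash is present
    esac
}

# Constructed sample entries mirroring the three states seen in the thread.
# On a real host, feed in: getent passwd hg  and  getent shadow hg (as root).
diagnose_account 'hg:x:101:101::/home/hg:/sbin/nologin' 'hg:!:19358:0:99999:7:::'
diagnose_account 'hg:x:101:101::/home/hg:/sbin/nologin' 'hg:*:19358:0:99999:7:::'
diagnose_account 'hg:x:101:101::/home/hg:/bin/sh'       'hg:*:19358:0:99999:7:::'
```

The three calls print `locked`, `nologin-shell` and `ok`, matching the "account is locked" log line, the "This account is not available" message, and the working configuration respectively.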