List of commits:
Subject Hash Author Date (UTC)
Disable weak keys if admin says so. 0afb8c5c5885ef504a28d02b07d040fd2c92c79a Catalin(ux) M. BOIE 2016-11-15 20:50:54
TODO changes f25bd7cf263f651870d880d0bb745a4cc07450cb Catalin(ux) M. BOIE 2016-11-11 20:58:12
Add a link to the comparison on the front page f854fce154ad713938959cd0d128f50d27711aa3 Catalin(ux) M. BOIE 2016-11-11 20:55:09
More tweaking to compare.csv bfb8e784f829a679b2a218b5bff2eb362c1d26f0 Catalin(ux) M. BOIE 2016-11-11 20:54:11
Added tutorial for OpenSSH key settings; also template improvements 4828eb810a73e3b4f692746ee6ef998a5a833317 Catalin(ux) M. BOIE 2016-11-11 20:46:09
Functional test for Admin -> Settings -> SSH aa0f87c101fa0ca39559992b3ef5e415920e8d0d Catalin(ux) M. BOIE 2016-11-11 17:34:27
More SSH fixes: allow admin to limit what key types are allowed and the max number of keys. ab10c1c851c68b399d6ef6afb2fbf362f61d328c Catalin(ux) M. BOIE 2016-11-07 20:35:29
TODO update and typo corrections. 4f3aee242f4465d1c27dc1f171a72ab06ae8b822 Catalin(ux) M. BOIE 2016-11-06 12:39:17
Added possibility to use AuthorizedKeysCommand for performance reasons bce5d32d2b419cb9bc53d54de2a915ac1342432e Catalin(ux) M. BOIE 2016-11-06 12:35:15
Restart rocketgit-fpm service if needed 5742bea67f2e784e2b2bb9e97f005fc621c4119d Catalin(ux) M. BOIE 2016-11-02 19:56:53
Added CORS headers so API will work 57b172971ff1329d02dc1220ec77fe9a875d6633 Catalin(ux) M. BOIE 2016-11-02 19:56:17
Added git hosting solution comparison page 8eca6c104373fd0dbcde54691edfd9e81a3a59be Catalin(ux) M. BOIE 2016-11-02 19:54:26
Be sure a key is present or use a default one (api) 842d587f948ff4ec9de56e2ebfd591d96b066a43 Catalin(ux) M. BOIE 2016-10-13 22:45:51
Small correction in wording agains CLA 70dc902b1c84e6ee416d7af2af8bef319dbb7504 Catalin(ux) M. BOIE 2016-10-11 15:50:07
Make it the default: word-wrap: break-word 1512f51eba93b6dd296246bf20432ec9223148d9 Catalin(ux) M. BOIE 2016-10-08 07:53:19
Footer: reverse last two columns d9fe4e8adf980996d5ca06387a0a2c49236e7ad4 Catalin(ux) M. BOIE 2016-10-08 07:51:55
Post configuration must include also web conf file 3583e8915579dc8e4c9a508bac7998a3e612e501 Catalin(ux) M. BOIE 2016-10-08 07:50:00
ssl_request_log -> rocketgit-ssl_request_log 639e5532748729cd8a6ac8e4cf082b24e15e2eeb Catalin(ux) M. BOIE 2016-10-08 07:47:45
Add 'SSLCipherSuite PROFILE=SYSTEM' to the SSL configuration 100d73878b3da1718cf97c58d016ed182c690a9b Catalin(ux) M. BOIE 2016-10-08 06:33:09
Instruct login user to create a repo if she/he has none. f6f2f438deadb1ec80d32acbc8947dcc849dca19 Catalin(ux) M. BOIE 2016-10-08 06:24:57
Commit 0afb8c5c5885ef504a28d02b07d040fd2c92c79a - Disable weak keys if admin says so.
Also, mark them with red background in the keys list.
Author: Catalin(ux) M. BOIE
Author date (UTC): 2016-11-15 20:50
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2016-11-15 20:50
Parent(s): f25bd7cf263f651870d880d0bb745a4cc07450cb
Signer:
Signing key:
Signing status: N
Tree: a8583a75716e503be1267cbd4d1699ca243efb9f
File Lines added Lines deleted
inc/keys.inc.php 70 50
root/themes/default/hints/ssh/key.html 6 1
root/themes/default/user/keys/list/line.html 1 1
tools/rg_authorize 14 1
File inc/keys.inc.php changed (mode: 100644) (index 31381da..44f519f)
... ... function rg_keys_event_notify_user($db, $event)
131 131 return $ret; return $ret;
132 132 } }
133 133
134 /*
135 * Returns TRUE if the key is too weak by the admin standards
136 * @ki - output of rg_keys_info()
137 */
138 function rg_keys_weak($db, $ki)
139 {
140 $ret = array('ok' => 0, 'weak' => 1);
141
142 if (strcmp($ki['type'], 'ssh-rsa') == 0) {
143 $min = rg_state_get($db, 'ssh_key_min_bits_rsa');
144 if ($min === FALSE) {
145 rg_keys_set_error('cannot lookup state');
146 return $ret;
147 }
148 if ($ki['bits'] < $min) {
149 rg_keys_set_error('RSA key has less than '
150 . $min . ' bits (' . $ki['bits'] . ')');
151 $ret['ok'] = 1;
152 return $ret;
153 }
154 } else if (strcmp($ki['type'], 'ssh-dss') == 0) {
155 $r = rg_state_get($db, 'ssh_key_allow_dsa');
156 if ($r === FALSE) {
157 rg_keys_set_error('cannot lookup state');
158 return $ret;
159 }
160 if ($r != 1) {
161 rg_keys_set_error('DSA keys are not allowed');
162 $ret['ok'] = 1;
163 return $ret;
164 }
165 } else if (strncmp($ki['type'], 'ecdsa-', 6) == 0) {
166 $min = rg_state_get($db, 'ssh_key_min_bits_ecdsa');
167 if ($min === FALSE) {
168 rg_keys_set_error('cannot lookup state');
169 return $ret;
170 }
171 if ($ki['bits'] < $min) {
172 rg_keys_set_error('ECDSA key has less than '
173 . $min . ' bits (' . $ki['bits'] . ')');
174 $ret['ok'] = 1;
175 return $ret;
176 }
177 }
178
179 $ret['ok'] = 1;
180 $ret['weak'] = 0;
181 return $ret;
182 }
183
134 184 /* /*
135 185 * Extracts info about a ssh key * Extracts info about a ssh key
136 186 */ */
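Review bot: the doc comment on rg_keys_weak() says it "Returns TRUE if the key is too weak", but the function returns array('ok' => ..., 'weak' => ...) and the callers test both fields, so the comment should describe those two fields and what each value means. Separately, a key whose type matches none of the three branches (not ssh-rsa, not ssh-dss, not ecdsa-*) falls through to the final block and is reported as weak = 0 with no check at all. If that is intended, say so in the comment; otherwise add an explicit final else that decides what happens to types the admin has no setting for.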
 
... ... function rg_keys_add($db, $ui, $key)
423 473 break; break;
424 474
425 475 $r = rg_keys_weak($db, $ki); $r = rg_keys_weak($db, $ki);
476 if ($r['ok'] != 1)
477 break;
426 478 if ($r['weak'] != 0) if ($r['weak'] != 0)
427 479 break; break;
428 480
 
... ... function rg_keys_regen($db)
697 749
698 750 $errors = 0; $errors = 0;
699 751 foreach ($list as $row) { foreach ($list as $row) {
752 // Ignore invalid keys
753 $ki = rg_keys_info($row['key']);
754 if ($ki['ok'] != 1)
755 continue;
756
757 // Ignore weak keys
758 $r = rg_keys_weak($db, $ki);
759 if ($r['ok'] != 1)
760 continue;
761 if ($r['weak'] != 0)
762 continue;
763
700 764 //rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']); //rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']);
701 765 $buf = rg_keys_output_line($row); $buf = rg_keys_output_line($row);
766
702 767 if (@fwrite($f, $buf) === FALSE) { if (@fwrite($f, $buf) === FALSE) {
703 768 rg_keys_set_error("cannot write; disk space problems? ($php_errormsg)"); rg_keys_set_error("cannot write; disk space problems? ($php_errormsg)");
704 769 $errors = 1; $errors = 1;
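Review bot: in the rg_keys_regen() loop, a failed state lookup (rg_keys_weak() returning ok != 1) is handled with a bare continue, the same as a weak key, and $errors is not set. If rg_state_get() fails during a regeneration, every RSA, DSA or ECDSA key is dropped from the generated file while the function still looks successful. Treat ok != 1 as an error here (set $errors = 1 and stop, or keep the previous file) and keep the silent skip only for weak != 0. It would also help to log which key was skipped and why, and to read the three settings once before the loop, since rg_keys_weak() calls rg_state_get() for every row.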
 
... ... function rg_keys_list($db, $ui)
755 820 continue; continue;
756 821 } }
757 822
823 $r = rg_keys_weak($db, $ki);
824 if ($r['ok'] != 1)
825 continue;
826 $ki['weak'] = $r['weak'];
827
758 828 $t = $ki; $t = $ki;
759 829 $t['key_id'] = $row['key_id']; $t['key_id'] = $row['key_id'];
760 830 if ($row['itime'] == 0) if ($row['itime'] == 0)
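Review bot: in rg_keys_list(), the continue on $r['ok'] != 1 hides the key from the user's list whenever the state lookup fails, so the user can neither see nor delete it until the lookup works again. For a listing it is safer to still show the row, for example with $ki['weak'] set to 1 or to a separate "unknown" value, and leave enforcement to rg_keys_regen() and tools/rg_authorize.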
 
... ... function rg_keys_search_by_fingerprint($db, $fp)
845 915 return $ret; return $ret;
846 916 } }
847 917
848 /*
849 * Returns TRUE if the key is too weak by the admin standards
850 * @ki - output of rg_keys_info()
851 */
852 function rg_keys_weak($db, $ki)
853 {
854 $ret = array('ok' => 0, 'weak' => 1);
855
856 if (strcmp($ki['type'], 'ssh-rsa') == 0) {
857 $min = rg_state_get($db, 'ssh_key_min_bits_rsa');
858 if ($min === FALSE) {
859 rg_keys_set_error('cannot lookup state');
860 return $ret;
861 }
862 if ($ki['bits'] < $min) {
863 rg_keys_set_error('RSA key has less than '
864 . $min . ' bits (' . $ki['bits'] . ')');
865 $ret['ok'] = 1;
866 return $ret;
867 }
868 } else if (strcmp($ki['type'], 'ssh-dss') == 0) {
869 $r = rg_state_get($db, 'ssh_key_allow_dsa');
870 if ($r === FALSE) {
871 rg_keys_set_error('cannot lookup state');
872 return $ret;
873 }
874 if ($r != 1) {
875 rg_keys_set_error('DSA keys are not allowed');
876 $ret['ok'] = 1;
877 return $ret;
878 }
879 } else if (strncmp($ki['type'], 'ecdsa-', 6) == 0) {
880 $min = rg_state_get($db, 'ssh_key_min_bits_ecdsa');
881 if ($min === FALSE) {
882 rg_keys_set_error('cannot lookup state');
883 return $ret;
884 }
885 if ($ki['bits'] < $min) {
886 rg_keys_set_error('ECDSA key has less than '
887 . $min . ' bits (' . $ki['bits'] . ')');
888 $ret['ok'] = 1;
889 return $ret;
890 }
891 }
892
893 $ret['ok'] = 1;
894 $ret['weak'] = 0;
895 return $ret;
896 }
897
898 918 ?> ?>
File root/themes/default/hints/ssh/key.html changed (mode: 100644) (index cf9a1fc..f6491be)
1 1 <br /> <br />
2 Keys marked with <span style="background-color: #f00; padding: 2pt">red</span>
3 are disabled by the admin because are too weak.
4 They cannot by used anymore and should be deleted.<br />
5 <br />
6
2 7 How to create a SSH key for RocketGit:<br /> How to create a SSH key for RocketGit:<br />
3 8 <div class="xcode"> <div class="xcode">
4 9 cd; mkdir -p .ssh; chmod go= .ssh<br /> cd; mkdir -p .ssh; chmod go= .ssh<br />
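Review bot: the new user-facing hint text has two grammar slips: "because are too weak" should read "because they are too weak", and "They cannot by used anymore" should read "They cannot be used anymore". The red swatch uses an inline style here, while list/line.html uses a bgcolor attribute for the same colour; a shared CSS class would keep the two in sync.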
 
... ... Now, copy in clipboard starting with "ssh-...", including the comment
11 16 and paste it in the form above. Do not worry about spaces or wrapping.<br /> and paste it in the form above. Do not worry about spaces or wrapping.<br />
12 17 <br /> <br />
13 18
14 To force the use of this key when you connect to the server,<br />
19 To force the use of this key when you connect to the server,
15 20 add the following lines to your ~/.ssh/config (use tab key to indent):<br /> add the following lines to your ~/.ssh/config (use tab key to indent):<br />
16 21 <div class="xcode"> <div class="xcode">
17 22 Host @@rg_ssh_host@@<br /> Host @@rg_ssh_host@@<br />
File root/themes/default/user/keys/list/line.html changed (mode: 100644) (index 300ddfa..b904982)
1 1 <tr> <tr>
2 2 <td><input type="checkbox" name="key_delete_ids[@@key_id@@]" /></td> <td><input type="checkbox" name="key_delete_ids[@@key_id@@]" /></td>
3 3 <td>@@itime@@</td> <td>@@itime@@</td>
4 <td>@@type@@ @@bits@@</td>
4 <td@@if(@@weak@@ == 1){{ bgcolor="#f00"}}>@@type@@ @@bits@@</td>
5 5 <td><small>SHA256:@@fingerprint_sha256@@<br />MD5:@@fingerprint_md5@@</small></td> <td><small>SHA256:@@fingerprint_sha256@@<br />MD5:@@fingerprint_md5@@</small></td>
6 6 <td>@@comment@@</td> <td>@@comment@@</td>
7 7 <td>@@first_use@@</td> <td>@@first_use@@</td>
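Review bot: the weak marker on the type/bits cell is conveyed only by bgcolor="#f00", which is a deprecated presentational attribute and gives no indication to users who cannot distinguish the colour or who use a screen reader. Consider a CSS class on the cell plus a short text label (for example "weak") next to @@type@@ @@bits@@, so that a disabled key is identifiable without relying on colour.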
File tools/rg_authorize changed (mode: 100755) (index 0ca4cbc..e0d1680)
... ... if ($r['ok'] !== 1) {
54 54 } }
55 55 rg_log('DEBUG: Found ' . count($r['list']) . ' key(s)'); rg_log('DEBUG: Found ' . count($r['list']) . ' key(s)');
56 56
57 foreach ($r['list'] as $i)
57 foreach ($r['list'] as $i) {
58 // Ignore invalid keys
59 $ki = rg_keys_info($i['key']);
60 if ($ki['ok'] != 1)
61 continue;
62
63 // Ignore weak keys
64 $r = rg_keys_weak($db, $ki);
65 if ($r['ok'] != 1)
66 continue;
67 if ($r['weak'] != 0)
68 continue;
69
58 70 echo rg_keys_output_line($i); echo rg_keys_output_line($i);
71 }
59 72
60 73 rg_prof_end('MAIN'); rg_prof_end('MAIN');
61 74 rg_prof_log(); rg_prof_log();
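Review bot: inside foreach ($r['list'] as $i), the line $r = rg_keys_weak($db, $ki); overwrites the variable that holds the list being iterated. The by-value foreach keeps working on its own copy, but $r['list'] no longer exists after the first iteration, which is fragile if anything later in the script reads it; use a different name for the rg_keys_weak() result. Since this is the authentication path, the two continue branches should also be logged with rg_log(), as is done for the key count just above, so that a login refused because of a weak key can be told apart from one refused because the state lookup failed.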
Hints:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/rocketgit

Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/rocketgit

Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/rocketgit

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main