3

I have been going through the code of gitlab-shell. I am unable to understand how it is invoked. If I made a pull to my server (on which gitlab-shell is installed), how does gitlab-shell know about it? bin/gitlab-shell has this line as a comment:

GitLab shell, invoked from ~/.ssh/authorized_keys

Is there any line in authorized_keys which invokes gitlab-shell? (sounds unlikely).

sonalkr132
  • Have you looked at the authorized keys file that gitlab installs? It should answer your question. – Doon Jul 14 '15 at 10:50
  • here is the line which does that: https://github.com/gitlabhq/gitlab-shell/blob/master/bin/install#L16 I don't see anything special with it. – sonalkr132 Jul 14 '15 at 10:51
  • Thanks Doon! It was the content of authorized keys indeed. Here is a clue: https://github.com/gitlabhq/gitlab-shell/blob/4d30c0c5d3d0f23a221ee507b6bd110a539b8570/spec/gitlab_keys_spec.rb#L25 – sonalkr132 Jul 14 '15 at 11:06
  • Yep :) you can run the command on connect. Quite handy for building systems like this. – Doon Jul 14 '15 at 11:24

1 Answer

0

The blob line you mention builds the authorized_keys line as:

"command=\"#{ROOT_PATH}/bin/gitlab-shell [auserID]\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [aPubKey]"

That is taking advantage of an SSH feature (not related to Git or GitLab), called "forced command".
You can see it illustrated in gitolite, which explains that the forced command allows for:

  • restricting shell access
  • distinguishing one user from another

In the case of GitLab, that allows limiting SSH calls to gitlab-shell.

VonC
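The forced-command mechanism described in the answer, as an added Ruby sketch (not gitlab-shell's own code and not part of the original posts): sshd ignores the command the client sent, runs the `command="..."` string instead, and exposes the client's request in `SSH_ORIGINAL_COMMAND`. The helper names, the `key-<n>` id format, the path and the key material are assumptions made for the example.

```ruby
require "shellwords"

# Server-side commands a git client requests over SSH (fetch/pull, push, archive).
ALLOWED = %w[git-upload-pack git-receive-pack git-upload-archive].freeze

# Hypothetical helper: build one authorized_keys entry in the shape quoted in the answer.
def authorized_keys_line(shell_path, key_id, public_key)
  opts = %w[no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty]
  %(command="#{shell_path} #{key_id}",#{opts.join(",")} #{public_key})
end

# Hypothetical dispatcher: the decision a forced command makes once sshd starts it.
# argv: arguments baked into command="..." (tells us which key authenticated)
# env:  sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND
def dispatch(argv, env)
  key_id = argv.first
  # "key-<n>" is an id format assumed for this example.
  return [:deny, "no key id"] if key_id.nil? || key_id !~ /\Akey-\d+\z/

  original = env["SSH_ORIGINAL_COMMAND"]
  # A plain "ssh git@host" sends no command: that is a shell login attempt.
  return [:deny, "interactive login refused"] if original.nil? || original.strip.empty?

  begin
    # Tokenize without ever handing the string to a shell.
    verb, repo, *extra = Shellwords.split(original)
  rescue ArgumentError
    return [:deny, "unparsable command"]
  end
  return [:deny, "command not allowed"] unless ALLOWED.include?(verb)
  return [:deny, "bad arguments"] if repo.nil? || !extra.empty?
  return [:deny, "bad repository path"] if repo.include?("..") || repo.start_with?("-")

  [:allow, { key_id: key_id, verb: verb, repo: repo }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: placeholder path, key id and public key.
  puts authorized_keys_line("/path/to/gitlab-shell/bin/gitlab-shell", "key-1", "ssh-rsa AAAA...")
  # What a "git pull" from the holder of key-1 looks like to the forced command.
  p dispatch(["key-1"], "SSH_ORIGINAL_COMMAND" => "git-upload-pack 'group/project.git'")
  p dispatch(["key-1"], {})                                  # ssh with no command
  p dispatch(["key-1"], "SSH_ORIGINAL_COMMAND" => "bash -i") # anything that is not git
end
```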