public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
@ 2020-04-25 21:12 Alec Warner
  2020-04-26 12:38 ` Kent Fredric
  0 siblings, 1 reply; 10+ messages in thread
From: Alec Warner @ 2020-04-25 21:12 UTC
  To: Gentoo Dev

TL;DR: if all you do is use git to commit to git.gentoo.org, you are not
affected and can stop reading; I know folks use git+ssh://git@git.gentoo.org
... to push commits, that will not change.

In the olden times Gentoo used cvs as its source control and people would
push their commits to the cvs server over ssh. The setup at the time was
that everyone who pushed had ssh access to cvs.gentoo.org.

However, Gentoo doesn't use cvs (and has not for many years[1]). The git
system uses 'gitolite' and people who push do so as 'git@git.gentoo.org'
(not as themselves.) Gitolite handles the per-user multiplexing and
everything is happy.

However, we never took the ssh access to 'cvs.gentoo.org' away, most devs
can still ssh to "git.gentoo.org" as themselves. Now the access doesn't get
you much (ForceCommand in the authorized_keys file just runs a commit
wrapper, so you could try to commit to cvs or svn I guess ;p)

Thus I now plan to remove this access[0]. If you need access to ssh as
something not-git to git.gentoo.org, let me know in the next week.

[0] Infra users are not affected; they always had normal ssh access to this
host.
[1] Anonymous access to source trees (e.g. via anon* services) is
unaffected by this change.
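
An added example, not part of the original message and not Gentoo's infrastructure code: a small Python audit for the setup described above, where per-key options in authorized_keys (the `command=` forced command and friends) decide what a login can do. It reports each key's forced command and flags keys that can still get a shell, a pty or port forwarding; the sample file, wrapper paths and key comments are constructed.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)\S+$")  # option names never start like this

def split_unquoted(text, seps):
    """Split on separator characters that sit outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return [p for p in parts + [cur] if p]

def audit(text):
    """Yield one finding per key in authorized_keys-format text."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields = split_unquoted(line, " \t")
        opts = [] if KEY_TYPE.match(fields[0]) else split_unquoted(fields.pop(0), ",")
        command, pty, fwd = None, True, True
        for opt in opts:  # options are applied left to right
            name, _, value = opt.partition("=")
            name = name.lower()
            if name == "command":
                command = value.strip('"')
            elif name == "restrict":
                pty = fwd = False
            elif name in ("pty", "no-pty"):
                pty = name == "pty"
            elif name in ("port-forwarding", "no-port-forwarding"):
                fwd = name == "port-forwarding"
        yield {"key": " ".join(fields[2:]), "command": command,
               "pty": pty, "forwarding": fwd}

def needs_review(text):
    """Keys with no forced command, or one that still allows a pty or forwarding."""
    return [f["key"] for f in audit(text)
            if f["command"] is None or f["pty"] or f["forwarding"]]

SAMPLE = '''# constructed sample: paths, keys and comments are made up
command="/usr/local/bin/gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA-CONSTRUCTED-1 alice@laptop
command="/usr/local/bin/commit-wrapper" ssh-rsa AAAA-CONSTRUCTED-2 bob@legacy
restrict,command="/usr/local/bin/commit-wrapper" ssh-ed25519 AAAA-CONSTRUCTED-3 carol@legacy
ssh-ed25519 AAAA-CONSTRUCTED-4 dave@infra'''
```

Run against a copy of an account's authorized_keys, `needs_review()` lists the entries to look at before deciding whether that login is still needed.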


* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-25 21:12 [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know Alec Warner
@ 2020-04-26 12:38 ` Kent Fredric
  2020-04-26 18:22   ` Mike Gilbert
  0 siblings, 1 reply; 10+ messages in thread
From: Kent Fredric @ 2020-04-26 12:38 UTC
  To: gentoo-dev

On Sat, 25 Apr 2020 14:12:02 -0700
Alec Warner <antarus@gentoo.org> wrote:

> Thus I now plan to remove this access[0]. If you need access to ssh as
> something not-git to git.gentoo.org, let me know in the next week.

Will this affect people who set up no-op SSH connections for a
persistent connection master, so that following git actions don't have
to pay the SSH connection startup penalty?


* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-26 12:38 ` Kent Fredric
@ 2020-04-26 18:22   ` Mike Gilbert
  2020-04-27  1:00     ` Alec Warner
  0 siblings, 1 reply; 10+ messages in thread
From: Mike Gilbert @ 2020-04-26 18:22 UTC
  To: Gentoo Dev

On Sun, Apr 26, 2020 at 8:38 AM Kent Fredric <kentnl@gentoo.org> wrote:
>
> On Sat, 25 Apr 2020 14:12:02 -0700
> Alec Warner <antarus@gentoo.org> wrote:
>
> > Thus I now plan to remove this access[0]. If you need access to ssh as
> > something not-git to git.gentoo.org, let me know in the next week.
>
> Will this affect people who set up no-op SSH connections for a
> persistent connection master, so that following git actions don't have
> to pay the SSH connection startup penalty?

If you are authenticating that master connection as the "git" user, I
suspect it will not affect you. If you are using it to push to
gentoo.git, that is almost certainly the case.



* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-26 18:22   ` Mike Gilbert
@ 2020-04-27  1:00     ` Alec Warner
  2020-04-27 13:13       ` Kent Fredric
  0 siblings, 1 reply; 10+ messages in thread
From: Alec Warner @ 2020-04-27  1:00 UTC
  To: Gentoo Dev

On Sun, Apr 26, 2020 at 11:22 AM Mike Gilbert <floppym@gentoo.org> wrote:

> On Sun, Apr 26, 2020 at 8:38 AM Kent Fredric <kentnl@gentoo.org> wrote:
> >
> > On Sat, 25 Apr 2020 14:12:02 -0700
> > Alec Warner <antarus@gentoo.org> wrote:
> >
> > > Thus I now plan to remove this access[0]. If you need access to ssh as
> > > something not-git to git.gentoo.org, let me know in the next week.
> >
> > Will this affect people who set up no-op SSH connections for a
> > persistent connection master, so that following git actions don't have
> > to pay the SSH connection startup penalty?
>
> If you are authenticating that master connection as the "git" user, I
> suspect it will not affect you. If you are using it to push to
> gentoo.git, that is almost certainly the case.
>
>
This is correct.

-A


* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27  1:00     ` Alec Warner
@ 2020-04-27 13:13       ` Kent Fredric
  2020-04-27 13:43         ` Mike Gilbert
  0 siblings, 1 reply; 10+ messages in thread
From: Kent Fredric @ 2020-04-27 13:13 UTC
  To: gentoo-dev

On Sun, 26 Apr 2020 18:00:19 -0700
Alec Warner <antarus@gentoo.org> wrote:

> This is correct.

Surely then, this is a reduction in functionality.

That's a handy tool to put up your sleeve when you're trying to avoid
getting thrashed by slow network connects when some contributor is
pushing every 30 seconds :)


* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27 13:13       ` Kent Fredric
@ 2020-04-27 13:43         ` Mike Gilbert
  2020-04-27 14:03           ` Kent Fredric
  0 siblings, 1 reply; 10+ messages in thread
From: Mike Gilbert @ 2020-04-27 13:43 UTC
  To: Gentoo Dev

On Mon, Apr 27, 2020 at 9:13 AM Kent Fredric <kentnl@gentoo.org> wrote:
>
> On Sun, 26 Apr 2020 18:00:19 -0700
> Alec Warner <antarus@gentoo.org> wrote:
>
> > This is correct.
>
> Surely then, this is a reduction in functionality.
>
> That's a handy tool to put up your sleeve when you're trying to avoid
> getting thrashed by slow network connects when some contributor is
> pushing every 30 seconds :)

He was replying to me. Your master connection will continue to work
just fine, as I said in my previous message.



* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27 13:43         ` Mike Gilbert
@ 2020-04-27 14:03           ` Kent Fredric
  2020-04-27 14:46             ` Mike Gilbert
  2020-04-27 17:34             ` Alec Warner
  0 siblings, 2 replies; 10+ messages in thread
From: Kent Fredric @ 2020-04-27 14:03 UTC
  To: gentoo-dev

On Mon, 27 Apr 2020 09:43:44 -0400
Mike Gilbert <floppym@gentoo.org> wrote:

> He was replying to me. Your master connection will continue to work
> just fine, as I said in my previous message.

I must have lost something in grammar, because no matter how many times I read:

> If you are authenticating that master connection as the "git" user, I
> suspect it will not affect you. If you are using it to push to
> gentoo.git, that is almost certainly the case.

I interpret that as:

- Anonymous fetch is fine
- Authorised Push will fail

But I guess my mistake is in that we don't push with "user@git ...", we
push with "git@ ... ", and the SSH key is the gate keeper of "push will
work", not the UID.

Right?

So assuming you're using git@ for fetch *and* push, *then* it will
continue to work.

Right?

Forgive me for any potential idiocy, language and remembering the
details of everything all the time is hard.






* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27 14:03           ` Kent Fredric
@ 2020-04-27 14:46             ` Mike Gilbert
  2020-04-27 17:34             ` Alec Warner
  1 sibling, 0 replies; 10+ messages in thread
From: Mike Gilbert @ 2020-04-27 14:46 UTC
  To: Gentoo Dev

On Mon, Apr 27, 2020 at 10:03 AM Kent Fredric <kentnl@gentoo.org> wrote:
>
> On Mon, 27 Apr 2020 09:43:44 -0400
> Mike Gilbert <floppym@gentoo.org> wrote:
>
> > He was replying to me. Your master connection will continue to work
> > just fine, as I said in my previous message.
>
> I must have lost something in grammar, because no matter how many times I read:
>
> > If you are authenticating that master connection as the "git" user, I
> > suspect it will not affect you. If you are using it to push to
> > gentoo.git, that is almost certainly the case.
>
> I interpret that as:
>
> - Anonymous fetch is fine
> - Authorised Push will fail

There's no such thing as an "anonymous fetch" from git.gentoo.org. You
must be authenticated to do anything.

> But I guess my mistake is in that we don't push with "user@git ...", we
> push with "git@ ... ", and the SSH key is the gate keeper of "push will
> work", not the UID.
>
> Right?

Correct.

> So assuming you're using git@ for fetch *and* push, *then* it will
> continue to work.
>
> Right?

Correct.



* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27 14:03           ` Kent Fredric
  2020-04-27 14:46             ` Mike Gilbert
@ 2020-04-27 17:34             ` Alec Warner
  2020-05-22  0:57               ` Alec Warner
  1 sibling, 1 reply; 10+ messages in thread
From: Alec Warner @ 2020-04-27 17:34 UTC
  To: Gentoo Dev

On Mon, Apr 27, 2020 at 7:04 AM Kent Fredric <kentnl@gentoo.org> wrote:

> On Mon, 27 Apr 2020 09:43:44 -0400
> Mike Gilbert <floppym@gentoo.org> wrote:
>
> > He was replying to me. Your master connection will continue to work
> > just fine, as I said in my previous message.
>
> I must have lost something in grammar, because no matter how many times I
> read:
>
> > If you are authenticating that master connection as the "git" user, I
> > suspect it will not affect you. If you are using it to push to
> > gentoo.git, that is almost certainly the case.
>
> I interpret that as:
>
> - Anonymous fetch is fine
> - Authorised Push will fail
>

"If you are authenticating the master connection as the 'git' user then
this change will not affect you.
"If you are using controlmaster to push to git.gentoo.org, then you are
definitely authenticating as user=git because there is no other way to
commit to ::gentoo."


>
> But I guess my mistake is in that we don't push with "user@git ...", we
> push with "git@ ... ", and the SSH key is the gate keeper of "push will
> work", not the UID.
>
> Right?
>

A working ssh key for user=git is a necessary (but not sufficient)
component of a successful git push.


>
> So assuming you're using git@ for fetch *and* push, *then* it will
> continue to work.
>
> Right?
>

Correct.


>
> Forgive me for any potential idiocy, language and remembering the
> details of everything all the time is hard.
>

I don't actually expect people to know these details.


* Re: [gentoo-dev] [PSA] If you ssh interactively to git.gentoo.org (somehow) let me know.
  2020-04-27 17:34             ` Alec Warner
@ 2020-05-22  0:57               ` Alec Warner
  0 siblings, 0 replies; 10+ messages in thread
From: Alec Warner @ 2020-05-22  0:57 UTC
  To: Gentoo Dev

A bit late, but this change is now live. Please contact me if anything has
broken.

-A

On Mon, Apr 27, 2020 at 10:34 AM Alec Warner <antarus@gentoo.org> wrote:

> On Mon, Apr 27, 2020 at 7:04 AM Kent Fredric <kentnl@gentoo.org> wrote:
>
>> On Mon, 27 Apr 2020 09:43:44 -0400
>> Mike Gilbert <floppym@gentoo.org> wrote:
>>
>> > He was replying to me. Your master connection will continue to work
>> > just fine, as I said in my previous message.
>>
>> I must have lost something in grammar, because no matter how many times I
>> read:
>>
>> > If you are authenticating that master connection as the "git" user, I
>> > suspect it will not affect you. If you are using it to push to
>> > gentoo.git, that is almost certainly the case.
>>
>> I interpret that as:
>>
>> - Anonymous fetch is fine
>> - Authorised Push will fail
>>
>
> "If you are authenticating the master connection as the 'git' user then
> this change will not affect you.
> "If you are using controlmaster to push to git.gentoo.org, then you are
> definitely authenticating as user=git because there is no other way to
> commit to ::gentoo."
>
>
>>
>> But I guess my mistake is in that we don't push with "user@git ...", we
>> push with "git@ ... ", and the SSH key is the gate keeper of "push will
>> work", not the UID.
>>
>> Right?
>>
>
> A working ssh key for user=git is a necessary (but not sufficient)
> component of a successful git push.
>
>
>>
>> So assuming you're using git@ for fetch *and* push, *then* it will
>> continue to work.
>>
>> Right?
>>
>
> Correct.
>
>
>>
>> Forgive me for any potential idiocy, language and remembering the
>> details of everything all the time is hard.
>>
>
> I don't actually expect people to know these details.
>
