logerrit setup: refactor key-based SSH handling

* Don't select existing ~/.ssh/id_dsa.pub. Since 7.0 (released 2015-08-11) OpenSSH servers won't accept DSA user keys anyway, so users have likely rotated their legacy key material by now. * The pubkey to copy into gerrit is derived from the first existing file among ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/id_rsa. These algorithms are ordered as found in PubkeyAcceptedKeyTypes' default value as of OpenSSH 8.1. (EC keys are only supported since Gerrit 1.14.) Generate an RSA key when ~/.ssh doesn't exist, as before, since it's still the default in ssh-keygen(1) from OpenSSH 8.1. * In the ssh_config(5) stanza, only include the IdentityFile when a the private key file exists. The private key material might reside somewhere else, for instance in a smartcard or in an external agent's key store; in both cases the ssh client can authenticate the user without direct access to the key material. While it's possible to set IdentityFile to a pubkey (with IdentitiesOnly={yes,no}) it's not documented and thus shouldn't be used. Change-Id: Id73a2798747ce5c394b0cf2d0dc40107a1f2c599 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86858 Reviewed-by: Guilhem Moulin <guilhem@libreoffice.org> Tested-by: Guilhem Moulin <guilhem@libreoffice.org>
2020-01-15 06:00:36 +01:00 · 2020-01-15 06:00:36 +01:00 · 1e6428deed
commit 1e6428deed
parent 9276b11735
1 changed files with 33 additions and 28 deletions
--- a/61
+++ b/61
@ -27,7 +27,9 @@ submit() {

 logerrit() {
        echo "Host logerrit gerrit.libreoffice.org"
-        echo "    IdentityFile ~/.ssh/id_rsa"
+        if test -n "${2-}" && test -f "$HOME/.ssh/id_$2"; then
+            echo "    IdentityFile ~/.ssh/id_$2"
+        fi
        echo "    User $1"
        echo "    Port 29418"
        echo "    HostName gerrit.libreoffice.org"
@ -82,25 +84,28 @@ case "$1" in
 	    echo "Hit enter to generate an ssh key - you will need to enter a pass-phrase"
 	    echo
 	    read
-	    ssh-keygen -t rsa -f "$ssh_home/id_rsa"
+	    ssh-keygen -t rsa -f "$ssh_home/id_rsa" # default type as of OpenSSH 8.1
 	fi
-	if test -d $ssh_home; then
-	    if test -f "$ssh_home/id_rsa.pub"; then
-		ssh_key=$(cat $ssh_home/id_rsa.pub);
-	    elif test -f "$ssh_home/id_dsa.pub"; then
-		ssh_key=$(cat $ssh_home/id_dsa.pub);
-	    fi
-	fi
-        echo "Please go to https://gerrit.libreoffice.org/ and:"
-        echo "- press the 'register' button in the top right corner"
-        echo "- after login set yourself a username (it is recommended to use your IRC-nick)"
-	if test "z$ssh_key" = "z"; then
-            echo "- add your public ssh-key into the ssh keys settings."
-	else
-	    echo "- paste the key below into the 'Add SSH Public Key' box."
-	    echo
-	    echo "$ssh_key"
-	    echo
+    if test -d "$ssh_home"; then
+        # order algos based on the PubkeyAcceptedKeyTypes option from OpenSSH 8.1
+        for ssh_key_type in ecdsa ed25519 rsa; do
+            pk="$ssh_home/id_${ssh_key_type}.pub"
+            ssh_key=""
+            if test -f "$pk" && ssh_key="$(< "$pk")" && test -n "$ssh_key"; then
+                break
+            fi
+        done
+    fi
+    echo "Please go to https://gerrit.libreoffice.org/ and:"
+    echo " - press the 'register' button in the top right corner"
+    echo " - after login set yourself a username (it is recommended to use your IRC-nick)"
+	if test -z "$ssh_key"; then
+        echo " - add your public ssh-key into the ssh keys settings."
+    else
+	    echo " - paste the key below into the 'Add SSH Public Key' box."
+        echo
+        printf '%s\n' "$ssh_key"
+        echo
 	fi
        echo
        echo "Note that you need to register additional email addresses, if you want to"
@ -108,15 +113,15 @@ case "$1" in
        echo "invitation mail it sends you."
        echo
        read -p 'Which user name did you choose? ' GERRITUSER
-	if test "z$created_ssh" = "z"; then
-            echo
-            echo "Please now add the following to your ~/.ssh/config, creating the file if needed:"
-            echo
-	    logerrit $GERRITUSER
-            echo
-        else
-	    echo "Automatically creating your ssh config"
-	    (logerrit $GERRITUSER) > "$ssh_home/config"
+	if test -z "$created_ssh"; then
+        echo
+        echo "Please now add the following to your ~/.ssh/config, creating the file if needed:"
+        echo
+        logerrit "$GERRITUSER" ${ssh_key:+"$ssh_key_type"}
+        echo
+    else
+        echo "Automatically creating your ssh config"
+        logerrit "$GERRITUSER" ${ssh_key:+"$ssh_key_type"} >"$ssh_home/config"
 	fi
 	# setup the remote properly ...
 	git config remote.origin.pushurl ssh://logerrit/core