Fossil User Forum

Sync protocol with SSO/REMOTE_USER

(1) By lvh on 2019-04-24 15:23:12

I would like to gate all access to a fossil repo using SSO. Ideally OpenID Connect, but I'm flexible about what that looks like. This is easy for the web UI since you can tell fossil to honor REMOTE_USER. I'd also like to be able to push without permanent credentials, and ideally without including a new protocol (SSH).

That doesn't work because HTTP pushes require a password as part of the sync protocol. I've read the sync protocol docs, but they insist there are one or more login cards that add permissions. However, this doc doesn't mention SSH at all, and the code suggests that SSH users wouldn't have a login card at all. (I'm not sure what happens for ssh users.)

I guess I can rotate passwords daily or whatever and require you get a password via SSO? That seems kinda gross, but I guess at that point you're treating the password as an API key. Another answer is using an SSH CA and acquiring a temporary certificate using SSO -- but that still doesn't tell me how sync protocol permissions work when using SSH :-)

(2) By Richard Hipp (drh) on 2019-04-24 15:45:18 in reply to 1

I'm not understanding your question. You seem to be asking two or three different things all at once.

Are you saying that REMOTE_USER does not work for "fossil push"? It should. The code is here: https://www.fossil-scm.org/fossil/artifact/150bd624046?ln=802-805. Can you perhaps provide a more detailed test case to illustrate what is not working?

(3) By anonymous on 2019-04-24 20:01:53 in reply to 1

> However, this doc doesn't mention SSH at all, and the code suggests
> that SSH users wouldn't have a login card at all. (I'm not sure what
> happens for ssh users.)

By default, Fossil authentication information is ignored for SSH
clients---this is because the default remote SSH command that Fossil
invokes is:

fossil test-http /path/to/repository.fossil

The test-http command effectively disables all Fossil authentication and
gives the caller full Fossil permission in the repository. Of course the
SSH user must still have file-based permissions to perform operations on
the /path/to/repository.fossil itself, so if you intend to set up a
shared location, you'll need group permissions set up correctly on the
repositories.

This behavior can be altered on the SSH server by using ForceCommand
(and often a wrapper script) to force the client to require Fossil cards
to be authenticated. For example, in ~/.ssh/authorized_keys one might
have something like:

command="fossil http /path/to/repository.fossil" ssh-rsa ...

This would then require not only SSH credentials and write access to the
file and directory where Fossils are, but also Fossil credentials to use
the repository.

Search the mailing list archives for more examples and details:

https://marc.info/?l=fossil-users
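A wrapper script of the kind the post above mentions, as an added example that is not part of the forum thread and not code from the Fossil project. It is meant to be installed as the forced command on an authorized_keys line; sshd then passes the client's requested command in SSH_ORIGINAL_COMMAND. The wrapper accepts only the "fossil test-http <repo>" (or "fossil http <repo>") request described in the post, confines the repository to a single directory, and execs "fossil http" instead, so Fossil's own user/password checks apply. The repository directory (/srv/fossil), the install path of the script, and the exact three-word shape of the client's request are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Fossil project): a
# forced-command gate for ~/.ssh/authorized_keys. Install with one line such
# as (script path and sshd restriction options are the usual OpenSSH ones):
#   command="/usr/local/bin/fossil-ssh-gate",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# The client's default request "fossil test-http /path/to/repo.fossil" (as
# the thread states) would skip Fossil authentication; we run "fossil http"
# on the same repository instead, after validating the path.

# fossil_gate_repo ROOT REQUEST
#   Prints the validated absolute repository path if REQUEST is exactly
#   "fossil test-http <repo>" or "fossil http <repo>" and <repo> names a
#   regular *.fossil file directly under ROOT. Otherwise prints nothing
#   and returns 1.
fossil_gate_repo() {
    root=$1
    request=$2

    # Word-split the request into exactly three fields (globbing off).
    set -f
    set -- $request
    set +f
    [ "$#" -eq 3 ] || return 1
    [ "$1" = fossil ] || return 1
    case $2 in
        http|test-http) ;;          # both forms are served with "fossil http"
        *) return 1 ;;
    esac

    # Accept "ROOT/name.fossil" or a bare "name.fossil"; strip the prefix.
    case $3 in
        "$root"/*) name=${3#"$root"/} ;;
        *)         name=$3 ;;
    esac

    # No directory components, no dotfiles, no characters outside a safe set,
    # and the name must end in .fossil. This also rejects "../" traversal.
    case $name in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.fossil) ;;
        *) return 1 ;;
    esac
    [ -f "$root/$name" ] || return 1

    printf '%s\n' "$root/$name"
}

# When sshd invokes this script as a forced command, SSH_ORIGINAL_COMMAND
# holds the client's request. Run any other way, the script only defines
# the function above.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    REPO_ROOT=${REPO_ROOT:-/srv/fossil}   # assumed directory of *.fossil files
    repo=$(fossil_gate_repo "$REPO_ROOT" "$SSH_ORIGINAL_COMMAND") || {
        printf 'fossil-ssh-gate: rejected request: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    # "fossil http" enforces Fossil's own login cards, unlike "fossil test-http".
    exec fossil http "$repo"
fi
```

The Unix permissions on the repository files still apply on top of this: the key's account needs read (and, for push, write) access to the .fossil file and its directory, as the post notes, and the gate only decides which repository "fossil http" is pointed at.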

(4) By anonymous on 2019-04-24 20:14:01 in reply to 1

> This is easy for the web UI since you can tell fossil to honor
> REMOTE_USER. I'd also like to be able to push without permanent
> credentials, and ideally without including a new protocol (SSH).

So it sounds like what you're confused about is how to get a fossil
command line client to send the right credentials to cause your
webserver to set REMOTE_USER?

Does the fossil command have access to your SSO credential?