Changeset - a9e71e61cedf
stable
Mads Kiilerich - 2020-04-29 15:00:59
mads@kiilerich.com
ssh: mention in docs how to use multiple authorized_keys files
1 file changed with 10 insertions and 0 deletions:
docs/setup.rst
 
@@ -144,24 +144,34 @@ be writeable by the Kallithea user.
 
    each update. If it already exists with other data, Kallithea will not
 
    overwrite the existing ``authorized_keys``, and the server process will
 
    instead throw an exception. The system administrator thus cannot ssh
 
    directly to the Kallithea user but must use su/sudo from another account.
 

	
 
    If ``/home/kallithea/.ssh/`` (the directory of the path specified in the
 
    ``ssh_authorized_keys`` setting of the ``.ini`` file) does not exist as a
 
    directory, Kallithea will attempt to create it. If that path exists but is
 
    *not* a directory, or is not readable-writable-executable by the server
 
    process, the server process will raise an exception each time it attempts to
 
    write the ``authorized_keys`` file.
 

	
 
.. note:: It is possible to configure the SSH server to look for authorized
 
   keys in multiple files, for example reserving ``ssh/authorized_keys`` to be
 
   used for normal SSH and with Kallithea using
 
   ``.ssh/authorized_keys_kallithea``. In ``/etc/ssh/sshd_config`` set
 
   ``AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys_kallithea``
 
   and restart sshd, and in ``my.ini`` set ``ssh_authorized_keys =
 
   /home/kallithea/.ssh/authorized_keys_kallithea``. Note that this new
 
   location will apply to all system users, and that multiple entries for the
 
   same SSH key will shadow each other.
 

	
 
.. warning:: The handling of SSH access is steered directly by the command
 
    specified in the ``authorized_keys`` file. There is no interaction with the
 
    web UI.  Once SSH access is correctly configured and enabled, it will work
 
    regardless of whether the Kallithea web process is actually running. Hence,
 
    if you want to perform repository or server maintenance and want to fully
 
    disable all access to the repositories, disable SSH access by setting
 
    ``ssh_enabled = false`` in the correct ``.ini`` file (i.e. the ``.ini`` file
 
    specified in the ``authorized_keys`` file.)
 

	
 
The ``authorized_keys`` file can be updated manually with ``kallithea-cli
 
ssh-update-authorized-keys -c my.ini``. This command is not needed in normal
 
operation but is for example useful after changing SSH-related settings in the
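Review bot: In the added ``.. note::``, the first path reads ``ssh/authorized_keys`` without the leading dot, while the ``AuthorizedKeysFile`` value a few lines later uses ``.ssh/authorized_keys``; the first one should be ``.ssh/authorized_keys`` so the two agree. The caveat that the new location "will apply to all system users" could also mention the narrower option of placing the ``AuthorizedKeysFile`` line inside a ``Match User`` block for the Kallithea account in ``sshd_config``, which leaves key lookup for other accounts unchanged. The closing remark that duplicate entries "will shadow each other" does not say which entry takes effect; since the Kallithea file carries a forced command and the normal file does not, it would help to state that sshd uses the first matching key in the order the files are listed, so the administrator knows which behaviour a duplicated key gets.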