gotwebd ssh host key fingerprints

Add options to gotwebd.conf which set SSH host key fingeprints to be displayed beneath the clone URL. In gotwebd.conf the clone URL is arbitrary, which means the admin needs to be able to specify key fingerprints per clone-URL, rather than per server. So, for now, ssh fingerprints must be set per repository. If this causes too much copy-pasting we can introduce equivalent server-scope options later. gotsysd will be able to make assumptions about how the server is set up and generate appropriate gotwebd.conf stanzas automatically. A patch for gotsysd will follow. ok? M gotwebd/gotweb.c | 21+ 0- M gotwebd/gotwebd.conf.5 | 12+ 0- M gotwebd/gotwebd.h | 8+ 0- M gotwebd/pages.tmpl | 12+ 0- M gotwebd/parse.y | 70+ 0- 5 files changed, 123 insertions(+), 0 deletions(-) commit - 8e075c1ec8542ad827b525234bea2eba76a011ad commit + 896f2e7025bdfa07698b31229ccfdd7de5984ba4 blob - f4dc9ee62c67b484e6013abf9d57672569a9f3b9 blob + 2dcdf486c002a5a2a948db88611b6912fc1de984 --- gotwebd/gotweb.c +++ gotwebd/gotweb.c @@ -1124,11 +1124,15 @@ gotweb_free_repo_commit(struct repo_commit *rc) static void gotweb_free_repo_dir(struct repo_dir *repo_dir) { + size_t i; + if (repo_dir != NULL) { free(repo_dir->name); free(repo_dir->owner); free(repo_dir->description); free(repo_dir->url); + for (i = 0; i < nitems(repo_dir->sshfp); i++) + free(repo_dir->sshfp[i]); free(repo_dir->path); } free(repo_dir); @@ -1708,6 +1712,23 @@ gotweb_load_got_path(struct repo_dir **rp, const char error = gotweb_get_clone_url(&repo_dir->url, srv, repo_dir->path, dirfd(dt)); } + + if (srv->show_repo_cloneurl && repo) { + size_t i; + + for (i = 0; i < nitems(repo->clone_url_hostkey); i++) { + if (repo->clone_url_hostkey[i][0] == '\0') + continue; + + repo_dir->sshfp[i] = strdup(repo->clone_url_hostkey[i]); + if (repo_dir->sshfp[i] == NULL) { + error = got_error_from_errno("strdup"); + goto err; + } + } + + } + err: free(dir_test); if (dt != NULL && closedir(dt) == EOF && error == NULL) blob - dd2a181f36cae86843ad2bd1da24552cfd704f34 blob + 213c5b4be700f2eab0b7e9c32341ac7d848a4123 --- gotwebd/gotwebd.conf.5 +++ gotwebd/gotwebd.conf.5 @@ -497,6 +497,18 @@ then URLs stored in the repository's .Pa cloneurl file will be shown instead. This file may contain multiple URLs, one per line. +.It Ic ssh_hostkey_ecdsa Ar string +Set the server's SSH ECDSA host key fingerprint to be displayed beneath +the clone URL. +Should be set when the clone URL uses the SSH protocol. +.It Ic ssh_hostkey_ed25519 Ar string +Set the server's SSH ED25519 host key fingerprint to be displayed beneath +the clone URL. +Should be set when the clone URL uses the SSH protocol. +.It Ic ssh_hostkey_rsa Ar string +Set the server's SSH RSA host key fingerprint to be displayed beneath +the clone URL. +Should be set when the clone URL uses the SSH protocol. .It Ic description Ar string Sets the repository description shown on the repository listing page. The blob - af216fb97464e9ca56a9e377fdd5fc49502ebd0f blob + 69c2896f72735357062dc4f09af598567a4aa339 --- gotwebd/gotwebd.h +++ gotwebd/gotwebd.h @@ -54,7 +54,13 @@ #define GOTWEBD_MAXPORT 6 #define GOTWEBD_NUMPROC 3 #define GOTWEBD_SOCK_FILENO 3 +#define GOTWEBD_MAX_SSHFP 64 +#define GOTWEBD_SSHFP_ECDSA 0 +#define GOTWEBD_SSHFP_ED25519 1 +#define GOTWEBD_SSHFP_RSA 2 +#define GOTWEBD_NUM_SSHFP 3 + #define PROC_MAX_INSTANCES 32 /* GOTWEB DEFAULTS */ @@ -206,6 +212,7 @@ struct repo_dir { char *owner; char *description; char *url; + char *sshfp[GOTWEBD_NUM_SSHFP]; time_t age; char *path; }; @@ -398,6 +405,7 @@ struct gotwebd_repo { char name[NAME_MAX]; char description[GOTWEBD_MAXDESCRSZ]; char clone_url[GOTWEBD_MAXCLONEURLSZ]; + char clone_url_hostkey[GOTWEBD_NUM_SSHFP][GOTWEBD_MAX_SSHFP]; enum gotwebd_auth_config auth_config; struct gotwebd_access_rule_list access_rules; blob - cebcb17ddb34bf214026aa7e215c0e0f358e0824 blob + e146964ba1ffd06404dc161bd891095107b8ecc8 --- gotwebd/pages.tmpl +++ gotwebd/pages.tmpl @@ -1133,7 +1133,19 @@ nextsep(char *s, char **t) {{ if srv->show_repo_cloneurl }} <dt>Clone URL:</dt> <dd><pre class="clone-url">{{ t->repo_dir->url }}</pre></dd> + {{ if t->repo_dir->sshfp[GOTWEBD_SSHFP_ECDSA] }} + <dt>ECDSA:</dt> + <dd><pre class="clone-url">{{ t->repo_dir->sshfp[GOTWEBD_SSHFP_ECDSA] }}</pre></dd> {{ end }} + {{ if t->repo_dir->sshfp[GOTWEBD_SSHFP_ED25519] }} + <dt>ED25519:</dt> + <dd><pre class="clone-url">{{ t->repo_dir->sshfp[GOTWEBD_SSHFP_ED25519] }}</pre></dd> + {{ end }} + {{ if t->repo_dir->sshfp[GOTWEBD_SSHFP_RSA] }} + <dt>RSA:</dt> + <dd><pre class="clone-url">{{ t->repo_dir->sshfp[GOTWEBD_SSHFP_RSA] }}</pre></dd> + {{ end }} + {{ end }} </dl> <div class="summary-briefs"> {{ render gotweb_render_briefs(tp) }} blob - 03821d0d02b8707a48377d243fee6f91c949727b blob + 06d0fa8ac5221e0906bb1adb03a35e49c67c6f35 --- gotwebd/parse.y +++ gotwebd/parse.y @@ -157,6 +157,7 @@ mediatype_ok(const char *s) %token ENABLE DISABLE INSECURE REPOSITORY REPOSITORIES PERMIT DENY HIDE %token WEBSITE PATH BRANCH REPOS_URL_PATH DESCRIPTION %token TYPES INCLUDE GOTWEBD_CONTROL +%token SSH_HOSTKEY_ECDSA SSH_HOSTKEY_ED25519 SSH_HOSTKEY_RSA %token <v.string> STRING %token <v.number> NUMBER @@ -978,6 +979,72 @@ repoopts1 : DISABLE AUTHENTICATION { YYERROR; } } + | SSH_HOSTKEY_ECDSA STRING { + int i = GOTWEBD_SSHFP_ECDSA; + + if (*$2 == '\0') { + yyerror("ssh host key fingerprint cannot be " + "an empty string"); + free($2); + YYERROR; + } + + if (strlcpy(new_repo->clone_url_hostkey[i], $2, + sizeof(new_repo->clone_url_hostkey[i])) >= + sizeof(new_repo->clone_url_hostkey[i])) { + yyerror("ssh host key fingerprint too long, " + "exceeds " "%zd bytes: %s", + sizeof(new_repo->clone_url_hostkey[i]), $2); + free($2); + YYERROR; + } + + free($2); + } + | SSH_HOSTKEY_ED25519 STRING { + int i = GOTWEBD_SSHFP_ED25519; + + if (*$2 == '\0') { + yyerror("ssh host key fingerprint cannot be " + "an empty string"); + free($2); + YYERROR; + } + + if (strlcpy(new_repo->clone_url_hostkey[i], $2, + sizeof(new_repo->clone_url_hostkey[i])) >= + sizeof(new_repo->clone_url_hostkey[i])) { + yyerror("ssh host key fingerprint too long, " + "exceeds " "%zd bytes: %s", + sizeof(new_repo->clone_url_hostkey[i]), $2); + free($2); + YYERROR; + } + + free($2); + } + | SSH_HOSTKEY_RSA STRING { + int i = GOTWEBD_SSHFP_RSA; + + if (*$2 == '\0') { + yyerror("ssh host key fingerprint cannot be " + "an empty string"); + free($2); + YYERROR; + } + + if (strlcpy(new_repo->clone_url_hostkey[i], $2, + sizeof(new_repo->clone_url_hostkey[i])) >= + sizeof(new_repo->clone_url_hostkey[i])) { + yyerror("ssh host key fingerprint too long, " + "exceeds " "%zd bytes: %s", + sizeof(new_repo->clone_url_hostkey[i]), $2); + free($2); + YYERROR; + } + + free($2); + } ; types : TYPES '{' optnl mediaopts_l '}' @@ -1129,6 +1196,9 @@ lookup(char *s) { "site_name", SITE_NAME }, { "site_owner", SITE_OWNER }, { "socket", SOCKET }, + { "ssh_hostkey_ecdsa", SSH_HOSTKEY_ECDSA}, + { "ssh_hostkey_ed25519", SSH_HOSTKEY_ED25519}, + { "ssh_hostkey_rsa", SSH_HOSTKEY_RSA}, { "summary_commits_display", SUMMARY_COMMITS_DISPLAY }, { "summary_tags_display", SUMMARY_TAGS_DISPLAY }, { "types", TYPES },

2026-02-06 10:02 Stefan Sperling:
gotwebd ssh host key fingerprints
- 2026-02-06 17:28 Omar Polo:
  gotwebd ssh host key fingerprints