Git backed by object storage because you can't stop me
git object-storage kefka
10

Configure Feed

Select the types of activity you want to include in your feed.

refactor(ssh): use Session.PublicKey() instead of a redundant context stash

gliderlabs/ssh already stashes the connecting key for Session.PublicKey(),
so the pubKeyContextKey type and PublicKeyHandler SetValue call were
redundant. Read the key directly in handleSSH. Also relax the command
arity guard to len < 2 and document the intentional protocol-v2 omission.

Xe Iaso (May 28, 2026, 11:22 PM EDT) 29bde0a7 553532b4

+6 -7
+6 -7
cmd/objgitd/ssh.go
··· 96 96 } 97 97 } 98 98 99 - // pubKeyContextKey keys the authenticated public key stashed on the SSH context 100 - // by PublicKeyHandler, for handleSSH to read when authorizing. 101 - type pubKeyContextKey struct{} 102 - 103 99 // newSSHServer builds the git-over-SSH server. It accepts every public key at 104 100 // connect time and defers real authorization to handleSSH via daemon.authz. 105 101 func newSSHServer(d *daemon, addr string) (*ssh.Server, error) { ··· 110 106 srv := &ssh.Server{ 111 107 Addr: addr, 112 108 Handler: d.handleSSH, 109 + // A non-nil handler is required to enable public-key auth at all; 110 + // gliderlabs stashes the connecting key for Session.PublicKey(). 113 111 PublicKeyHandler: func(ctx ssh.Context, key ssh.PublicKey) bool { 114 - ctx.SetValue(pubKeyContextKey{}, key) 115 112 return true 116 113 }, 117 114 } ··· 124 121 // command. The session is the protocol stream (reader and writer). 125 122 func (d *daemon) handleSSH(s ssh.Session) { 126 123 cmd := s.Command() 127 - if len(cmd) != 2 { 124 + if len(cmd) < 2 { 128 125 fmt.Fprintln(s.Stderr(), "objgitd: this is a git SSH endpoint; interactive shells are not supported") 129 126 _ = s.Exit(1) 130 127 return ··· 141 138 repoPath := strings.TrimPrefix(cmd[1], "/") 142 139 143 140 var cred auth.Credential = auth.Anonymous{} 144 - if key, ok := s.Context().Value(pubKeyContextKey{}).(ssh.PublicKey); ok && key != nil { 141 + if key := s.PublicKey(); key != nil { 145 142 cred = auth.PublicKey{Key: key} 146 143 } 147 144 if d.authz.Authorize(s.Context(), auth.Request{ ··· 168 165 w := ioutil.WriteNopCloser(s) 169 166 ctx := s.Context() 170 167 168 + // Protocol v2 negotiation (GIT_PROTOCOL via s.Environ()) is intentionally not 169 + // forwarded yet; v0/v1 is sufficient. See plan. 171 170 switch service { 172 171 case transport.UploadPackService: 173 172 st, err := d.loader.Load(&url.URL{Path: repoPath})