2

I'm host a git repository on my server. Anyone can push / pull from the following remote url:

ssh://[email protected]/opt/git/my-project.git

Specifically, anyone with ssh access to the [email protected] user can push/pull (i.e. I have their public key listed as an authorized_key)

I'd like continue allowing push/pull access but I'd like to disable shell/login access

Github uses this approach - if you try to ssh into any of their git servers you get:

$ ssh [email protected] PTY allocation request failed on channel 0 Hi [USER]! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed.

Specifically, I'd like to -

  1. Disable shell access via ssh and password for the git user
  2. Still allow myself (as root) to be able to assume the git user interactively
  3. Still allow developers to push / pull on the repository

I tried disabling the shell for the git user as follows:

root@example:~# usermod -s /usr/sbin/nologin git

This works great for #1 (ssh access is blocked) and #2 (I can still access the shell with sudo -u git -s /bin/bash)

However, #3 is not do-able. Cutting off shell access apparently also disables push/pull access (since it probably uses ssh).

Is there another solution here? How does Github themselves do this?

Thanks!

Improve this question

2 Answers 2

Reset to default
5

The easiest solution would be to use git-shell as the user's login-shell.

A detailed description on how to set this up can be found here: https://git-scm.com/docs/git-shell or alternatively on the git shell manpage man git shell

Improve this answer
0

In the authorized_keys file you can add options/restrictions to what is allowed when authenticating with a particular key pair.

Add the restrictions: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

See authorized_keys file format description in https://www.freebsd.org/cgi/man.cgi?sshd(8) for their meaning 

cat ~/.ssh/authorized_keys no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCB... comment no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE... other comment

You can add similar restrictions to the git account by setting them in a "match user" block in the sshd_config file: 

### add this to the bottom of the sshd_config Match User git X11Forwarding no AllowTcpForwarding no PermitTunnel no
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.