Block git user from login, but allow the user to still function as a git repo?

I have set up a git server by creating a user "git" and then creating a local repository in the git user's directory.

The git server works great: I can pull, push, etc. I allowed users to interact with the git repo by adding their public keys to the .ssh/authorized_keys file. I have disabled password-based logins. But the problem is that these users can log in to the server via ssh since their keys are on the authorized keys list. Okay, the permissions are set to be pretty restricted for the git user, but still, I would prefer it if there was no way for git to log in directly.

Is there a way to disable logins for the "git" user, but maintain the ability for the git user to accept pushes and pulls through git/ssh?










Tags: ssh, permissions, git

asked Dec 18 at 21:29 by Jonathan Gallagher
3 Answers
I'm not convinced that having all your users log in as the "git" user is the best idea from a security standpoint, but it's certainly possible to do what you want through the ForceCommand configuration option. For example, to only let the user named "git" run the "git" command, you'd add the following to your /etc/ssh/sshd_config file:

    Match User git
    ForceCommand /usr/bin/git
    AllowTCPForwarding no
    X11Forwarding no

Read the sshd_config man page and adjust as needed for your specific situation.






answered Dec 19 at 0:20 by Mark
          • Hi Mark. You're right, I believe that what I'm doing is awful from a security point of view. I simply followed a guide from digital ocean, but the guide was for setting up a private (which I imagine means not shared) git repo. Would you mind recommending a better option? I wouldn't mind at all if users of the git repo could not login at all, but could still sync with a "main" git repo.
            – Jonathan Gallagher
            Dec 20 at 17:08


















If you install gitlab-ce it explicitly states that a non-standard user-level ssh config can cause weird breakage and it wants to fix it.

What gitlab-ce does do, though, is that when adding a key via the web interface, it adds some config info at the same time:

    # cat ~git/.ssh/authorized_keys
    command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AA...restofkeysnip!

Note the git user has no ~/.bashrc or ~/.profile or other dot files, the shell is set to /bin/sh, and there is no modification done to the sshd_config.






answered Dec 19 at 1:16 by ivanivan
            Thanks. I didn't realize you could put code in the authorized_keys file. Is that a potential security risk?
            – Jonathan Gallagher
            Dec 20 at 17:11






I don't think so, since it is using ssh's options based on what key was used to authenticate as that user. Don't know if just using the options vs. also specifying a command is what you need for your situation, since I'm not sure of a single command you could specify that would allow normal git stuff to happen but not depend on a pty, etc. I'd try with the options, not using a command option, and see if you can git push/pull/etc but not actually connect and spawn a shell. The gitlab-shell I think is a busybox-like interpreter with a fixed, short, git-related only command list.
            – ivanivan
            Dec 20 at 21:51
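Both Mark's ForceCommand and the command= option in ivanivan's authorized_keys line replace whatever the client asked to run; sshd then passes the client's original request to the forced program in the SSH_ORIGINAL_COMMAND environment variable, so that program is what decides between "git push/pull" and "anything else". The gatekeeper below is an added example, not code from either answer or from gitlab-shell: it assumes bare repositories under /srv/git (REPO_ROOT) and an install path of /usr/local/bin/git-only (both assumptions), admits only the three server-side git commands, and confines each to a path under that root.

```sh
#!/bin/sh
# git-only: gatekeeper that sshd runs instead of a shell (added example; assumes
# bare repositories live under REPO_ROOT and clients use URLs such as
# git@host:project.git or git@host:/project.git).
#
# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for, e.g.
#   git-upload-pack 'project.git'      (clone/fetch/pull)
#   git-receive-pack 'project.git'     (push)
# Anything else, including a plain interactive login, is refused.

REPO_ROOT=${REPO_ROOT:-/srv/git}

# validate_git_command RAW
# Prints "<verb> <relative-repo-path>" and returns 0 when RAW is an allowed
# git server command with a safe path; returns 1 for everything else.
validate_git_command() {
    verb=${1%% *}
    rest=${1#* }
    # A request without a space has no repository argument.
    [ "$rest" != "$1" ] || return 1

    case "$verb" in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) return 1 ;;
    esac

    # git sends the path in single quotes; insist on exactly that shape so
    # trailing arguments such as "'repo' --option" are rejected as well.
    case "$rest" in
        "'"*"'") rest=${rest#"'"}; rest=${rest%"'"} ;;
        *) return 1 ;;
    esac

    # Allow-list the characters of the path: no quotes, spaces, newlines or
    # other shell metacharacters ever reach the exec below.
    case "$rest" in
        ""|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac

    # Absolute paths become relative to REPO_ROOT; then refuse any ".."
    # component so the request cannot escape the root.
    while [ "${rest#/}" != "$rest" ]; do rest=${rest#/}; done
    [ -n "$rest" ] || return 1
    case "/$rest/" in
        */../*) return 1 ;;
    esac

    printf '%s %s\n' "$verb" "$rest"
}

# run_restricted_session: what sshd actually invokes via ForceCommand or
# command=. Does not return on success because it execs the git server process.
run_restricted_session() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive login is disabled for this account" >&2
        return 1
    fi
    parsed=$(validate_git_command "$SSH_ORIGINAL_COMMAND") || {
        echo "rejected: only git fetch/pull/push are permitted" >&2
        return 1
    }
    verb=${parsed%% *}
    repo="$REPO_ROOT/${parsed#* }"
    [ -d "$repo" ] || { echo "no such repository" >&2; return 1; }
    # The verb is one of the three allow-listed names and the path is
    # prefixed with REPO_ROOT, so neither can be turned into an option.
    exec "$verb" "$repo"
}

# Dispatch only when installed under the expected name, so the functions can
# also be sourced or tested without starting a session.
case "${0##*/}" in
    git-only) run_restricted_session; exit $? ;;
esac
```

Point either `ForceCommand /usr/local/bin/git-only` in the Match block or `command="/usr/local/bin/git-only"` in the key's options at the script; an interactive login arrives with an empty SSH_ORIGINAL_COMMAND and is refused. Symbolic links inside REPO_ROOT are not resolved, so keep that tree free of links pointing outside it.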


















You can use git-shell to restrict access to SSH user accounts. From the documentation page:

    This is a login shell for SSH accounts to provide restricted Git access. It permits execution only of server-side Git commands implementing the pull/push functionality, plus custom commands present in a subdirectory named git-shell-commands in the user's home directory.

git-shell is non-interactive by default. Setting a user's default shell to git-shell will allow you to prevent users from interactively logging into your server, while keeping the functionality of git intact. Some level of customization is possible, which is documented on the same page, under the 'EXAMPLES' section.

git-shell should be installed along with git at /usr/bin/git-shell. You can set this as a user's default shell using usermod:

    usermod -s /usr/bin/git-shell username





answered Dec 19 at 6:37 by Haxiel