0

I've got a local Debian repository server in my network and I want my clients to upgrade, update, and install packages from it through SSH.

I configured my sources.list so it would look like this :

deb ssh://root@local_repo/debian wheezy main

I also configured it with a public key authentication.

So far, everything works, but I'd like to know if it is possible to harden it even more.

  • Would it be a good idea/best practice to have the user in a chroot jail when the client connects through SSH ?
  • But since the user is root, he theorically can (easily) escape from the jail ?
  • Finally, using apt-get requires to be root to be used, so how can I create a user that has root rights, but only to use apt-get ?

I'm really confused about how to do this, I read a lot on many websites and I can't find a good way.

monkeytrouble
  • 1
  • who are you afraid of? what are you trying to achieve? why ssh? packages are signed and nobody can tamper with them... here is no need to use ssh. – Hrvoje Špoljar Jun 08 '15 at 12:55
  • Yes, packages are signed with GPG, I know SSH might be overkill, but it is part of a solution I've got to sell, and clients are very uncompromising concerning security, and they want it to be as secure as can be. – monkeytrouble Jun 08 '15 at 12:58
  • 2
    IMO there is nothing there in repo over ssh to sell except deceit. If you can explain even remotely any weakness of having repository over http which would require ssh then please do... – Hrvoje Špoljar Jun 08 '15 at 13:01
  • I'm not sure about HTTP, but I agree that HTTPS should be just as secure as SSH. – MadHatter Jun 08 '15 at 13:14
  • The problem with HTTPS, is, as far as I know, that if you try to get a package which is cached in a non HTTPS compliant proxy, you'll get an error and you won't be able to update anything. Regarding SSH, I'll talk to my boss on this, I don't think either it is critical. Thanks for the replies ! – monkeytrouble Jun 08 '15 at 13:41

1 Answers1

0

Your question revolves around the user but you need to remember that there are two user accounts in question here.

To achieve what you want, setup the apt source to be something like ssh://apt@local-repo/... - this way you still run apt-get/etc locally as root but they connect to the repo server as a non-root user, allowing you to implement whatever rules you want.

Stephen
  • 315
  • 1
  • 5
  • I did that, but I get a "permission denied, please try again" when I try to use apt-get update with user John (standard user). With user root, it does work however. What I don't understand is, what happens when user connects to local repository. Does the user simply browse the file system looking for packages, or does he use a sub-command from apt-get, thus requiring an elevation ? – monkeytrouble Jun 09 '15 at 09:43
  • It's basically just accessing the filesystem, using `find` and `cat` from memory. Try to open a shell as John from bash and browse the apt repo directory. It sounds like a simple permissions issue – Stephen Jun 09 '15 at 10:19