I'd like to be able to use an ssh key for authentication, but still restrict the commands that can be executed over the ssh tunnel.
With Subversion, I've achieved this by using a .ssh/authorized_keys file like:
command="/usr/local/bin/svnserve -t --tunnel-user matt -r /path/to/repository",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIetc...
I've tried this with "/usr/bin/git-shell" in the command, but I just get the funky old "fatal: What do you think I am? A shell?" error message.
What shell do you have the user set to in this configuration? /bin/bash? – M-Pixel – 2016-08-01T08:44:17.500
@Qwertman, it doesn't matter. All the shell has to do is execute ./gitserve. In my system I do have it set to /bin/bash. If you're using /bin/true for security, however, it's not going to work. It must be set to a real shell. – Neil Mayhew – 2016-08-01T22:48:03.223
I'm wondering why it doesn't work with the restrict option. It's shorter and I usually prefer a whitelist to a blacklist, but apparently restrict is more restrictive than the options of this answer. Does anyone know more? – Mouagip – 2017-09-13T17:34:14.497
Bingo! This works just like what I was hoping to achieve! Thanks. – Matt Connolly – 2011-10-06T21:57:12.493
In this related post on SO http://stackoverflow.com/questions/5871652/running-a-secure-git-server-over-ssh-without-gitosis-gitolite they point to another solution here: http://joey.kitenet.net/blog/entry/locking_down_ssh_authorized_keys/ – Tim – 2012-03-30T14:16:41.453
@Tim This is essentially the same solution, but squeezes the content of my ~/gitserve script into authorized keys by using perl. Personally, I prefer keeping it in a separate script. – Neil Mayhew – 2012-04-04T22:32:32.083
I understand, I merely added it as reference. – Tim – 2012-04-09T11:42:26.293
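The question asks for an authorized_keys forced command that only allows git over the key, and the comments refer to a ~/gitserve wrapper that the page does not show. The script below is an added example of such a wrapper, not the answer's own gitserve script: it validates the client's request from SSH_ORIGINAL_COMMAND and hands only fetch/push/archive of a repository under an assumed /srv/git root to git-shell.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper (added example, not the gitserve script
# from the answer). Install as ~/gitserve and reference it in authorized_keys:
#   command="/home/git/gitserve",restrict ssh-ed25519 AAAAC3... matt@laptop
# sshd runs this instead of the client's command and exposes the client's
# request in SSH_ORIGINAL_COMMAND; a git client only ever asks for one of
# three verbs, each followed by a single-quoted repository path.

REPO_ROOT="/srv/git"   # assumed location of the bare repositories

# validate_git_command "<request>": prints the command to hand to git-shell,
# with the repository path pinned under REPO_ROOT, or returns 1 to deny.
validate_git_command() {
    request=$1
    verb=${request%% *}
    quoted=${request#* }
    case "$verb" in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) return 1 ;;   # a shell, scp, rsync or anything else is denied
    esac
    # git sends the path single-quoted: git-upload-pack 'proj.git'
    case "$quoted" in
        "'"*"'") path=${quoted#\'}; path=${path%\'} ;;
        *) return 1 ;;
    esac
    # the path must be a plain repository name: no traversal, no absolute
    # path, no shell metacharacters, no leading dash that git could parse
    # as an option
    case "$path" in
        ''|*..*|/*|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    printf "%s '%s/%s'\n" "$verb" "$REPO_ROOT" "$path"
}

main() {
    cmd=$(validate_git_command "${SSH_ORIGINAL_COMMAND-}") || {
        printf 'gitserve: request denied: %s\n' "${SSH_ORIGINAL_COMMAND-<none>}" >&2
        exit 1
    }
    exec git-shell -c "$cmd"
}

# dispatch only when running as the installed wrapper, so the validation
# function can also be sourced and exercised on its own
case "$0" in *gitserve) main ;; esac
```

With the `restrict` option (OpenSSH 7.2 and later) the no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty flags from the question's svnserve line are implied, so the authorized_keys entry stays short.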