Running a “secure” git server over SSH without gitosis/gitolite?

后端 未结 3 2236
囚心锁ツ
囚心锁ツ 2021-02-19 17:10

Is it possible to run a git server over ssh, using authorized_keys and command= to restrict access to only the git repositories, without using gitosis/

3条回答
  •  小蘑菇
    小蘑菇 (楼主)
    2021-02-19 17:58

    EDIT: Not sure about all of the sudden negative rankings; I am obviously not saying to use Gitolite as the OP specifically asked not to use it. I am simply stating that what he is asking for is 95% of what Gitolite's tiny source code does and hence I'm telling him where in it's source he can find the snippet he would want to copy to roll his own.


    Yes, gitolite does exactly just that. It doesn't swap out the user's shell either.

    cat ~/.ssh/authorized_keys
    command="/home/git/.gitolite/src/gl-auth-command jbruce",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAD3NzaC1yc2EABBBCIwAAAQEAtRFmADxUSCX97CS/Uh7/N0y0vL...
    

    Notice this doesn't look like a normal authorized_keys on the server, it also passes the username as a parameter so that the executed script knows who this ssh key belongs to. The additional benefit of not switching the user's shell (while still keeping it secure) is that if you try to ssh directly into the machine it will not only terminate the session but tell you which repos you have access to before it terminates, if it knows who you are.

提交回复
热议问题