I'd like to set up a git server over ssh, with a single SSH account for the project. All project members should have their ssh keys listed in authorized_keys. Lockdown should restrict access to only doing git stuff, and only inside a dedicated directory.
What is the best way to create such a setup? There is git-shell, which apparently can do the lock-down to only doing git commands, but I can't find out how to restrict access to a single directory. There are also various Python and Ruby wrappers - which of these should I trust?
You could have a look at gitosis or gitolite. gitolite is kind of better in respect of granting access and so on to repositories; you wouldn't have to worry about giving users access to the server and whatnot either.
What's your threat model?
Good guy accidentally destroys git repository or other data: Make sure your users can only write to their homedir, tmp and the git repository. Back up the repository after every commit and practice recovery procedures regularly.
Bad guy steals someone's private key and wants to own your system: Your attack surface is limited to parts of sshd protected by authentication - and whatever shell interface you use, so make it as small as possible. Python/Ruby wrappers involve a lot of code, and a lot of room for errors. Use the git-shell or consider using the Match and ChrootDirectory directives in sshd_config to limit which parts of the filesystem the users can access.
Bad guy steals someone's private key and gets your source code: Teach users how to protect their private keys and establish procedures for revoking keys fast (e.g. who to call at 4am to have keys revoked).
Don't use .ssh/authorized_keys; instead use the AuthorizedKeysFile keyword in sshd_config to specify a path where users don't have write access, e.g. /etc/ssh/keys/%u. It's too hard to make sure users will never be able to overwrite .ssh/authorized_keys with their own copy. Also, keep the user keyfiles and sshd_config version-controlled so as to allow audits.