Home / server / Questions / 250743
Accepted
Frank Brenner
Asked: 2011-03-24 03:05:43 +0800 CST

GIT, SSH, and GIT-SHELL

  • 772

I'm trying to set up a secure git repository server using ssh-keys and git-shell. Since our user database is stored in a central LDAP directory, I can't change users' default shell to git-shell, so I've tried prepending the git-shell command to the public key in the authorized_users file like this:

command="git-shell -c $SSH_ORIGINAL_COMMAND" ssh-dss AAAAB3NzaC1kc3...

However, git-shell won't even allow me to clone the repository:

    dhcp202:git-ws frank$ git clone ssh://gitserver/var/repos/git/myrepo/
    Cloning into myrepo...
    fatal: What do you think I am? A shell?
    fatal: The remote end hung up unexpectedly

Any ideas appreciated...

ssh git

3 Answers

  1. I've made a solution using LDAP, OpenSSH (>4.9) and git-shell.

    OpenSSH's ForceCommand is perfect for the job. Consider the following configuration (everyone except admins have to use git-shell):

    Match group *,!admin    
    ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"

    Access control is defined using ACL-s and reponame access groups.

    setfacl -bR -m default:group:$REPONAME:rwX -m group:$REPONAME:rwX $GITROOT/$REPONAME
setfacl -R -m default:group:$REPONAME-ro:r-X -m group:$REPONAME-ro:r-X $GITROOT/$REPONAME

    Don't forget to run "nscd -i group", after each change.

    Andor

    • 2
  2. Best Answer

    You will find a similar mechanism with gitolite, based on ssh and forced command.
    (including ldap queries).
    It don't allow interactive shell however, which could be your issue there.

    The OP Frank Brenner adds:

    Ah, I figured it out - the command has to be in single quotes. I suppose $SSH_ORIGINAL_COMMAND was getting expanded before git-shell was started.

    That is confirmed in the gitolite forced command script is a Perl one, ending with:

    # ----------------------------------------------------------------------------
#       over to git now
# ----------------------------------------------------------------------------

if ($ENV{REQUEST_URI}) {
    log_it($ENV{REQUEST_URI});
    exec $ENV{GIT_HTTP_BACKEND};
    # the GIT_HTTP_BACKEND env var should be set either by the rc file, or as
    # a SetEnv in the apache config somewhere
}

log_it();

$repo = "'$REPO_BASE/$repo.git'";
exec("git", "shell", "-c", "$verb $repo") unless $verb eq 'git-init';

    Note the $repo = "'$REPO_BASE/$repo.git'" line: it does contains single quotes.

    • 1

  3. This authorized_keys works for me and is properly shell quoted:

    restrict,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC1yc2EAA...

    man sshd describes the authorized_keys file format:

    A quote may be included in the command by quoting it with a backslash.

    The same man page describes restrict:

    Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set.

    • 0