Home / server / Questions / 267915
In Process
Danny
Asked: 2011-05-10 13:05:57 +0800 CST

How do I use git-push --mirror with git-shell in SSH?

  • 772

I am attempting to setup a mirror-to-backup hook in our repositories. The hook is executing a git push --mirror backup@server:path/foo.git. However it fails stating:

fatal: What do you think I am? A shell?
fatal: The remote end hung up unexpectedly

My .ssh/authorized_keys file has the following entry:

command="/path/to/git-shell" ssh-rsa ....

# no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
# these are all set i just removed them for brevity.

I've tried various combinations but the git-shell documentation is exceedingly sparse. I'm not sure what the problem is I'm hoping someone here could point me in the right direction. What is causing this error? I was under the impression that git-shell was intended to be used with push/pull. Clearly, I must be missing something but I haven't a clue what it is.

The path on the backup server is to a set up bare repository.

ssh git mirror hook

3 Answers

  1. I think the problem lies in the fact that you've set up a command in the authorized_keys file, but man sshd's section on the authorized_keys file format clearly states:

    command="command"
    Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. (…)

    This means that whenever git-upload-pack attempts to contact git-receive-pack (by way of an ssh command including the call for git-receive-pack, it will be squashed in favour of the command specified in .ssh/authorized_keys.
    git-shell can and does accept inbound git-related communications, but because the paramaters from git-upload-pack got squashed to null, the former is assuming that someone is trying to open an ordinary terminal, and cuts it off. This is explained in man git-shell:

    name
    git-shell - Restricted login shell for Git-only SSH access
    synopsis
    git shell [-c ]
    description
    A login shell for SSH accounts to provide restricted Git access. When -c is given, the program executes non-interactively; can be one of git receive-pack, git upload-pack, git upload-archive, cvs server, or a command in COMMAND_DIR.(…)

    My advice would be (assuming you haven't done so already) to create a seperate user account for git alone, and have that account carry the appropriate public keys in <git-home>/.ssh/authorized_keys. Also, don't forget to remove the forced command from the public key(s) in question.
    In addition, I recommend you set up git's user account to use git-shell as it's default shell by modifying /etc/passwd like so:

    From "git:*:1000:1000:git systems account:/home/git:/bin/sh"
To "git:*:1000:1000:git systems account:/home/git:/usr/local/bin/git-shell"

    If git-shell is installed some place other than /usr/local/bin, which git-shell will tell you the exact path to follow.

    Hope it helps ;-)

    • 2

  2. Note a complete answer, but you can take some clues from the gitolite mirror-shell setup, where a gl-mirror-shell script is actually calling git shell.

    • 0

  3. Perhaps have a look here:

    http://joey.kitenet.net/blog/entry/locking_down_ssh_authorized_keys/

    This page suggests

    command="perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'"

    to forward SSH_ORIGINAL_COMMAND to git-shell. It works at my side.

    • 0