Block SSH shell access to git repositories #374
Merged
ggwadera changed the title from "Block SSH access to git repositories" to "Block SSH shell access to git repositories" on Aug 28, 2020
hwong0305 approved these changes on Aug 30, 2020
ggwadera commented on Sep 1, 2020:
@@ -30,6 +30,8 @@ if [ ! -d "/home/myproxy" ] ; then | |||
cp ./scripts/post-receive /home/myproxy/.scripts/post-receive | |||
cp ./scripts/pre-receive /home/myproxy/.scripts/pre-receive | |||
cp ./scripts/gitignore /home/myproxy/.scripts/.gitignore | |||
# Disable SSH MOTD message for git user | |||
touch /home/git/.hushlogin |
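Review bot: the `touch /home/git/.hushlogin` line sits inside the `if [ ! -d "/home/myproxy" ]` block shown in the hunk header, so it is tied to the first-time creation of the myproxy home rather than to the `git` account; on a host where `/home/myproxy` already exists the file is never created, and if `/home/git` does not exist yet at this point the `touch` fails outright. Consider moving the line next to the code that creates the `git` user (or guarding it with `[ -d /home/git ]`), and note in the comment that this only silences the MOTD; the access restriction itself comes from `git-shell`, not from `.hushlogin`.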
This disables the MOTD sent from the server when someone tries to SSH in. For example:
$ ssh [email protected]
PTY allocation request failed on channel 0
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Sep 1 13:15:29 UTC 2020
System load: 0.72 Users logged in: 1
Usage of /: 18.9% of 24.06GB IPv4 address for docker0: 172.17.0.1
Memory usage: 48% IPv4 address for eth0: 157.245.253.104
Swap usage: 0% IPv4 address for eth0: 10.10.0.5
Processes: 130
13 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have read and execute access.
Connection to challenges.ggwadera.xyz closed.
Becomes:
$ ssh [email protected]
PTY allocation request failed on channel 0
fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have read and execute access.
Connection to challenges.ggwadera.xyz closed.
songz approved these changes on Sep 1, 2020:
everything worked out for me, running https://huevon.club/ with new server. Cannot ssh in (good security)
This pull request contains changes to block shell access to the server through the SSH link used as the git repository for domains.

The access is blocked by setting up a `git` user account restricted to only Git-related activities through a limited shell tool called `git-shell` that comes with Git. Reference.

What this PR does:

- Modify the `setup.sh` script to:
  - create the `git` user account in the `myproxy` group, and set the correct file permissions.
  - `git` user has restricted shell access through `git-shell`
  - `git` user can run `sudo -u myproxy pm2` without password
  - Disable SSH MOTD message for `git` user so it doesn't print when someone tries to SSH into the server.
- Modify the `post-receive` script so the app is started by the `myproxy` user instead of `git`.
- Change the `exec` commands in `/src/api/mappings.ts` options to use the correct group id. (Added new helper function for this)
- Change the `authorized_keys` function to save the SSH keys under the `git` user and with additional options.
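As an added example (not code from this PR or its repository), a small POSIX shell audit that checks a `git` account for the properties the description above relies on: the login shell is `git-shell`, `~/git-shell-commands` is absent so no interactive git shell exists, `.hushlogin` is present, and every `authorized_keys` entry carries restrictive options. The option list, the `/usr/bin/git-shell` path and the passwd/home locations are assumptions, since the PR does not spell out which "additional options" it writes.

```shell
# Added audit helper; not part of the PR. The option list and paths are
# assumptions, not values taken from the repository.

# sshd authorized_keys options every key for the git user should carry:
# no tunnels, no agent forwarding, and no pseudo-terminal.
RESTRICT_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# harden_authorized_key KEYLINE
# Prints KEYLINE prefixed with RESTRICT_OPTS; leaves an already-prefixed line alone.
harden_authorized_key() {
    case "$1" in
        "$RESTRICT_OPTS "*) printf '%s\n' "$1" ;;
        *) printf '%s %s\n' "$RESTRICT_OPTS" "$1" ;;
    esac
}

# audit_git_user PASSWD_FILE HOME_DIR
# Returns 0 when the "git" entry in PASSWD_FILE uses git-shell as its login
# shell, HOME_DIR/git-shell-commands does not exist, HOME_DIR/.hushlogin
# exists, and every key in HOME_DIR/.ssh/authorized_keys starts with
# RESTRICT_OPTS. Each failed check is printed; returns 1 if any failed.
audit_git_user() {
    passwd="$1"; home="$2"; rc=0
    shell=$(awk -F: '$1 == "git" { print $7 }' "$passwd")
    case "$shell" in
        */git-shell) ;;
        *) echo "FAIL: git login shell is '$shell', expected git-shell"; rc=1 ;;
    esac
    [ -d "$home/git-shell-commands" ] && { echo "FAIL: git-shell-commands exists, interactive git shell enabled"; rc=1; }
    [ -f "$home/.hushlogin" ] || { echo "FAIL: .hushlogin missing, MOTD will be printed"; rc=1; }
    keys="$home/.ssh/authorized_keys"
    if [ -f "$keys" ]; then
        # Read line by line; the || clause keeps a final line without newline.
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && continue
            case "$line" in
                "$RESTRICT_OPTS "*) ;;
                *) echo "FAIL: unrestricted key: $line"; rc=1 ;;
            esac
        done < "$keys"
    else
        echo "FAIL: $keys missing"; rc=1
    fi
    return $rc
}
```

Run `audit_git_user /etc/passwd /home/git` on the provisioned host after `setup.sh`; a non-zero exit lists which of the four controls is missing.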