Hey Fediverse: do you know of a smaller alternative to #Gitolite?

I want to restrict specific SSH users to specific Git repositories. So ideally I just want to add some "restricted shell" to the lines in authorized_keys and that's it. Basically like git-shell, but with a directory limit. Or like Gitolite, but much smaller. Ideas?

(I could also create a different system user for each repository, but that's quite some management overhead as well.)

#SelfHosted #Git #SSH

Hm, so it looks like this can be done with #Jailkit, by adding something like this to the authorized_keys file:

command="/usr/bin/jk_uchroot -j /srv/git/ -x /usr/bin/gitshellwrapper" ...

where /usr/bin/gitshellwrapper contains:

#!/bin/sh
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND;
# git-shell only accepts git-upload-pack, git-receive-pack and git-upload-archive.
exec git-shell -c "$SSH_ORIGINAL_COMMAND"

But I'm not yet convinced that this is really watertight; so I guess I'll just go with separate user accounts for now. Jailkit is still useful (with the ChrootDirectory option in sshd_config).

#security #SSH #Linux
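The directory-limited git-shell the thread is asking for can be written as a short POSIX sh forced-command wrapper. This is an added example, not the poster's gitshellwrapper and not code from Jailkit, Gitolite or git-shell-enforce-directory; the script name git-repo-guard, the repository root /srv/git and the repository names team-a.git and team-b.git are assumptions. Each key's authorized_keys line names the repositories that key may reach, and the wrapper hands git-shell only a command it has validated against that list:

```shell
#!/bin/sh
# git-repo-guard: forced-command wrapper that limits a key to named repositories.
# Assumed authorized_keys line (one per key, repositories listed as arguments):
#   command="/usr/local/bin/git-repo-guard team-a.git team-b.git",restrict ssh-ed25519 AAAA...
#
# Bare repositories live directly below GIT_ROOT (assumption).
GIT_ROOT=/srv/git

# check_git_command CMD ALLOWED_REPO...
# Validates a client command such as  git-upload-pack 'team-a.git'  and prints
# "<service> <repo>" on success; returns 1 for anything else.
check_git_command() {
    cmd=$1
    shift

    # Only the three services git-shell itself knows about.
    case "$cmd" in
        "git-upload-pack "*|"git-receive-pack "*|"git-upload-archive "*) ;;
        *) return 1 ;;
    esac
    service=${cmd%% *}
    arg=${cmd#* }

    # Git clients send the path single-quoted; strip exactly one pair of quotes.
    case "$arg" in
        \'*\') arg=${arg#\'}; arg=${arg%\'} ;;
    esac

    # Reject an empty path and anything with quotes, whitespace or shell
    # metacharacters: the path is later re-quoted and passed to git-shell.
    [ -n "$arg" ] || return 1
    case "$arg" in
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac

    # Accept "user@host:/srv/git/x.git" style URLs by stripping the root prefix,
    # then refuse any other absolute path and any ".." component.
    case "$arg" in
        "$GIT_ROOT"/*) arg=${arg#"$GIT_ROOT"/} ;;
    esac
    case "$arg" in
        /*|*..*) return 1 ;;
    esac
    arg=${arg%/}

    # Exact match against the allowlist; no globbing, no prefix matching.
    for allowed in "$@"; do
        if [ "$arg" = "$allowed" ]; then
            printf '%s %s\n' "$service" "$arg"
            return 0
        fi
    done
    return 1
}

main() {
    result=$(check_git_command "${SSH_ORIGINAL_COMMAND-}" "$@") || {
        printf 'git-repo-guard: access denied\n' >&2
        exit 1
    }
    service=${result%% *}
    repo=${result#* }
    # git-shell resolves the repository relative to the current directory,
    # and its -c form expects the argument single-quoted.
    cd "$GIT_ROOT" || exit 1
    exec git-shell -c "$service '$repo'"
}

# sshd always exports SSH_CONNECTION; when the file is sourced elsewhere
# (for example to test check_git_command) only the functions are defined.
if [ -n "${SSH_CONNECTION-}" ]; then
    main "$@"
fi
```

The point of the allowlist comparison is that the wrapper never has to canonicalise a path: it rejects every character that could carry a quote or a `..`, strips the one prefix it understands, and then demands an exact string match before anything reaches git-shell. The `restrict` option in the key line disables pty, port forwarding and agent forwarding for that key, so the forced command is the only thing the key can run.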

Also, https://github.com/simmel/git-shell-enforce-directory looks like exactly the tool I need; but it doesn't seem to be widely used, so I don't really want to trust any security-critical tasks to that tool.
And it's written in Rust, so I couldn't even reliably audit it (not that I'm trained to audit tools for security holes anyway).