Running a “secure” git server over SSH without gitosis/gitolite?

Is it possible to run a git server over ssh, using authorized_keys and command= to restrict access to only the git repositories, without using gitosis/gitolite?

  • git sees the system profile as home instead of the user home folder (Windows 7)
  • How to create a repository with ssh:// access on a server
  • Git clone with custom SSH using GIT_SSH error
  • SSH test on local git server: Permission denied (publickey,keyboard-interactive)
  • Capistrano deploy with bitbucket - Permission denied (publickey)
  • SSH - Permission denied (cannot authenticate git@github.com) via CMD
  • PHP Github Pull script error 'permission denied (publickey)'
  • git clone project from inside docker container
  • 3 Solutions collect form web for “Running a “secure” git server over SSH without gitosis/gitolite?”

    Yes, assign the git shell as the login shell for all users which shall only have git access.

    EDIT: Not sure about all of the sudden negative rankings; I am obviously not saying to use Gitolite as the OP specifically asked not to use it. I am simply stating that what he is asking for is 95% of what Gitolite’s tiny source code does and hence I’m telling him where in it’s source he can find the snippet he would want to copy to roll his own.


    Yes, gitolite does exactly just that. It doesn’t swap out the user’s shell either.

    cat ~/.ssh/authorized_keys
    command="/home/git/.gitolite/src/gl-auth-command jbruce",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAD3NzaC1yc2EABBBCIwAAAQEAtRFmADxUSCX97CS/Uh7/N0y0vL...
    

    Notice this doesn’t look like a normal authorized_keys on the server, it also passes the username as a parameter so that the executed script knows who this ssh key belongs to. The additional benefit of not switching the user’s shell (while still keeping it secure) is that if you try to ssh directly into the machine it will not only terminate the session but tell you which repos you have access to before it terminates, if it knows who you are.

    You can put this at the beginning of each line in authorized_keys2:

    no-port-forwarding,no-agent-forwarding,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" 
    

    That’ll allow only git commands over ssh, but will still let you become that user if you need to mess around (from another account):

    sudo -u git -i
    
    Git Baby is a git and github fan, let's start git clone.