Running a “secure” git server over SSH without gitosis/gitolite?

Is it possible to run a git server over ssh, using authorized_keys and command= to restrict access to only the git repositories, without using gitosis/gitolite?

3 solutions collected from the web for “Running a “secure” git server over SSH without gitosis/gitolite?”

    Yes, assign the git shell as the login shell for all users which shall only have git access.

    EDIT: Not sure about all of the sudden negative rankings; I am obviously not saying to use Gitolite as the OP specifically asked not to use it. I am simply stating that what he is asking for is 95% of what Gitolite’s tiny source code does and hence I’m telling him where in its source he can find the snippet he would want to copy to roll his own.


    Yes, gitolite does exactly just that. It doesn’t swap out the user’s shell either.

    cat ~/.ssh/authorized_keys
    command="/home/git/.gitolite/src/gl-auth-command jbruce",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAD3NzaC1yc2EABBBCIwAAAQEAtRFmADxUSCX97CS/Uh7/N0y0vL...
    

    Notice this doesn’t look like a normal authorized_keys on the server; it also passes the username as a parameter so that the executed script knows who this ssh key belongs to. The additional benefit of not switching the user’s shell (while still keeping it secure) is that if you try to ssh directly into the machine it will not only terminate the session but tell you which repos you have access to before it terminates, if it knows who you are.

    You can put this at the beginning of each line in authorized_keys2:

    no-port-forwarding,no-agent-forwarding,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" 
    

    That’ll allow only git commands over ssh, but will still let you become that user if you need to mess around (from another account):

    sudo -u git -i
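
The forced-command approach the answers describe, as an added example that is not from the original posts or from gitolite: a wrapper named in command= that accepts only git transport commands for repositories under one directory before handing off to git-shell. The wrapper path /usr/local/bin/git-only, REPO_ROOT=/srv/git and the user label alice are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, assumed path /usr/local/bin/git-only).
# authorized_keys line, key shortened to a placeholder:
#   command="/usr/local/bin/git-only alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
REPO_ROOT=${REPO_ROOT:-/srv/git}   # assumed directory holding the bare repositories

# check_git_command CMD
# Succeeds and prints "verb repo" only when CMD is exactly one git transport
# command with one quoted repository path that stays below REPO_ROOT.
check_git_command() {
    cmd=$1
    case $cmd in
        "git-upload-pack '"*"'")    verb=git-upload-pack ;;     # fetch / clone
        "git-receive-pack '"*"'")   verb=git-receive-pack ;;    # push
        "git-upload-archive '"*"'") verb=git-upload-archive ;;  # git archive --remote
        *) return 1 ;;                                          # anything else is refused
    esac
    repo=${cmd#"$verb '"}    # drop the verb and the opening quote
    repo=${repo%"'"}         # drop the closing quote
    repo=${repo#/}           # treat the path as relative to REPO_ROOT
    case $repo in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;   # empty, or quotes/spaces/shell metacharacters
    esac
    case "/$repo/" in
        */../*|*/./*|*//*|*/-*) return 1 ;;  # traversal, or a segment that looks like an option
    esac
    printf '%s %s\n' "$verb" "$repo"
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for. With no command
# (a plain "ssh git@host") the script ends here and the session closes.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if checked=$(check_git_command "$SSH_ORIGINAL_COMMAND"); then
        cd "$REPO_ROOT" || exit 1
        exec git-shell -c "${checked%% *} '${checked#* }'"
    fi
    echo "denied for ${1:-unknown}: only git access to $REPO_ROOT is allowed" >&2
    exit 1
fi
```

The first argument (alice above) is only used in the denial message here; it is the hook where per-user repository checks would go.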
    