LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 09-12-2021, 02:11 AM   #1
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,787
Blog Entries: 3

Rep: Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007
Read-only access to git-shell via SSH


I've got a system account which has its login shell set to /usr/bin/git-shell and that works well for read-write access to git. What I am looking for is a way to add an additional SSH key with a forced command such that "clone" is the only option and it fires automatically if that key is used.
Addding other programs or services to that server are not an option this time. How can I provide read-only access like this with just git-shell in ~/.ssh/authorized_keys with command="..." ?

Again, the login shell is git-shell and I am looking for a way to use that with an SSH forced command.
 
Old 09-13-2021, 05:28 PM   #2
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 1,618

Rep: Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315Reputation: 1315

You only want clone? What about fetch/pull?

You might want an access-hook, though I'm not sure if you can differentiate fetch from clone (if that is the requirement).


If a non-SSH solution is an option, you can setup read-only HTTP access with git http-backend, allowing connection via "git clone https://example.com/repo.git", and I've had a situation where suppressing QUERY_STRING allowed cloning but broke fetching; haven't checked whether that was a bug/fixed yet.)

 
Old 09-13-2021, 09:32 PM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,787

Original Poster
Blog Entries: 3

Rep: Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007
Thanks, I'll read and experiment with an access hook. Though there might be a simpler option.

Fetch, pull, and clone are all fine just as long as the access is read-only.
 
Old 09-16-2021, 05:00 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,787

Original Poster
Blog Entries: 3

Rep: Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007Reputation: 3007
It looks like --access-hook is not a possiblity: OpenSSH executes the command="..." material using the account's default shell, which in this case is already git-shell. So the shell is already launched without any options.

As far as clone, fetch, and pull go, setting command="git-upload-pack '/path/to/repo'" seems to do the job.

For other programs, such as tar, it's looking like I may need to add a second account just for non-git-shell read-only work.
 
1 members found this post helpful.
  


Reply

Tags
git-shell


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Gitpod git-bolts git-IDE onto GitHub for in-browser code git-editing LXer Syndicated Linux News 0 09-05-2018 04:50 AM
how to change the filesystem from read only to read write while logged via kali live persistance boot usb drive? ertanuj Linux - Newbie 1 03-24-2017 07:25 AM
Installed MATE via the mateslackbuilds git and uninstalled KDE via slackpkg. Anything else I should do to clean up what's left of K? emdoubleeweel Slackware 2 08-29-2016 11:01 AM
[SOLVED] Can't install Git repo (I don't git git ) Nemus Linux - Software 3 05-20-2011 02:09 PM
SSH access problems: Can only allow users SSH access by adding to root group dhupke Slackware 10 12-21-2008 09:48 AM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 01:17 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration