When hosting Git repositories on SunOS servers, security is paramount. The default SSH access grants users full shell access, which is unnecessary and potentially dangerous for Git-only users. We need a solution that:
- Allows Git operations (clone/pull/push)
- Prevents shell access
- Restricts access to specific repositories
Here's how to implement restricted Git access:
# 1. Create a dedicated Git user
sudo useradd -r -m -d /home/git -s /usr/bin/git-shell git
# 2. Set up the repository directory
sudo mkdir -p /home/git/repositories
sudo chown -R git:git /home/git/repositories
# 3. Create a new SSH key for the restricted user
ssh-keygen -t rsa -b 4096 -f ~/.ssh/git_user_rsa
# 4. Edit /etc/ssh/sshd_config
Match User git
ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
AllowTcpForwarding no
X11Forwarding no
PermitTTY no
For finer control over specific repositories:
# Create a custom shell script (/usr/local/bin/git_restricted.sh)
#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
"git-upload-pack '/repos/project1.git'"*|"git-receive-pack '/repos/project1.git'"*)
/usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
;;
*)
echo "Access denied"
exit 1
;;
esac
# Then modify the ForceCommand in sshd_config:
ForceCommand /usr/local/bin/git_restricted.sh
Verify your setup works correctly:
# Test clone operation
ssh git@yourserver.com git-upload-pack '/repos/project1.git'
# Attempt shell access (should fail)
ssh git@yourserver.com
For multi-user environments, consider implementing a more sophisticated permission system:
# /usr/local/bin/git_auth.sh
#!/bin/bash
# Extract username from key fingerprint
USER=$(grep $(echo $SSH_KEY | cut -d' ' -f2) /etc/git_users | cut -d: -f1)
case "$USER:$SSH_ORIGINAL_COMMAND" in
"user1:git-upload-pack '/repos/project1.git'"*)
exec /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
;;
"user2:git-receive-pack '/repos/project1.git'"*)
exec /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
;;
*)
echo "Permission denied"
exit 1
;;
esac
- Regularly audit SSH access logs
- Keep Git and SSH server updated
- Consider using certificate-based authentication for larger teams
- Implement rate limiting to prevent brute force attacks
When setting up Git repositories on SunOS (or any Unix-like system), we often need to provide remote access while preventing general shell access. The standard SSH configuration allows full shell access by default, which creates security concerns when granting repository access to multiple users.
The most elegant solution involves leveraging SSH's authorized_keys file to restrict commands. Here's the complete implementation process:
# First, create a dedicated system group for Git users
sudo groupadd gitusers
# Create the restricted shell script
sudo mkdir -p /usr/local/bin/git-shell-commands
sudo nano /usr/local/bin/git-shell-wrapper
Create this wrapper script to ensure only Git commands are executed:
#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
git-upload-pack*|git-receive-pack*|git-upload-archive*)
exec $SSH_ORIGINAL_COMMAND
;;
*)
echo "Access restricted to Git operations only"
exit 1
;;
esac
Make it executable:
sudo chmod +x /usr/local/bin/git-shell-wrapper
For each Git user (e.g., 'gituser1'):
sudo useradd -m -g gitusers -s /usr/local/bin/git-shell-wrapper gituser1
sudo mkdir -p /home/gituser1/.ssh
sudo touch /home/gituser1/.ssh/authorized_keys
In each user's authorized_keys file, prepend the command restriction:
command="/usr/local/bin/git-shell-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3Nza... user@host
Configure the repository with proper group permissions:
sudo chown -R :gitusers /path/to/repo.git
sudo chmod -R g+rwX /path/to/repo.git
Test the restrictions:
# Should work:
git clone ssh://gituser1@server/path/to/repo.git
# Should be blocked:
ssh gituser1@server
For larger deployments, consider a shared git account with forced commands based on keys:
# In /etc/ssh/sshd_config
Match User git
ForceCommand /usr/local/bin/git-shell-wrapper
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Then in the git user's authorized_keys:
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3Nza... user1@host
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3Nza... user2@host
- Check
/var/log/auth.logfor SSH connection attempts - Verify SELinux/AppArmor policies aren't blocking access
- Test with
ssh -vfor detailed connection debugging - Ensure the git-shell-wrapper has proper permissions (755)