Git includes a git-shell command suitable for use as a Git-only login shell. It accepts exactly the following commands:

git receive-pack

git upload-pack

git upload-archive

git-receive-pack

git-upload-pack

git-upload-archive

cvs server (used for emulating a CVS server, and not required for the Git protocol)

So these are the only commands you need to allow. Every version of Git I have access to only uses the hyphenated versions.

git-shell itself may be good enough in itself for what you want to do, too.

You can verify what Git is running for any particular command by setting GIT_SSH to a shim that echoes the arguments. Make a script ssh.sh:

#!/bin/bash
echo "$@" >&2

Then run:

GIT_SSH="./ssh.sh" git push

and you will see the remote command it tried to run.

Git includes a git-shell command suitable for use as a Git-only login shell. It accepts exactly the following commands:

git receive-pack
git upload-pack
git upload-archive
git-receive-pack
git-upload-pack
git-upload-archive
cvs server (used for emulating a CVS server, and not required for the Git protocol)

So these are the only commands you need to allow. Every version of Git I have access to only uses the hyphenated versions.

git-shell itself may be good enough in itself for what you want to do, too.

You can verify what Git is running for any particular command by setting GIT_SSH to a shim that echoes the arguments. Make a script ssh.sh:

#!/bin/bash
echo "$@" >&2

Then run:

GIT_SSH="./ssh.sh" git push

and you will see the remote command it tried to run.