
Using command="" in authorized_keys, I can restrict the commands that can be run by a particular key.

What commands do I need to allow in order to have a functioning git remote?

From the Pro Git book I can infer that git-upload-pack and git-receive-pack are required, but is there anything else?

Note I still want to be able to log into the user normally, just not with this key.

2 Answers


Git includes a git-shell command suitable for use as a Git-only login shell. It accepts exactly the following commands:

git receive-pack
git upload-pack
git upload-archive
git-receive-pack
git-upload-pack
git-upload-archive
cvs server (used for emulating a CVS server, and not required for the Git protocol)

So these are the only commands you need to allow. Every version of Git I have access to only uses the hyphenated versions.

git-shell itself may be good enough for what you want to do, too.


You can verify what Git is running for any particular command by setting GIT_SSH to a shim that echoes the arguments. Make a script ssh.sh:

#!/bin/bash
# Print the arguments Git passed to ssh (host and remote command) on stderr.
echo "$@" >&2

Then run:

GIT_SSH="./ssh.sh" git push

and you will see the remote command it tried to run.

  • So command="git-shell" ssh-rsa ... will work? Commented Jul 1, 2014 at 5:38
  • No, you'll want to list each of those commands above. git-shell is intended to be the login shell of a restricted git-only user. Commented Jul 1, 2014 at 5:41
  • Be aware that if you are using git-lfs, it will use additional commands. Commented Nov 3, 2017 at 20:39

If you didn't want to use the user account for anything else you could just run chsh for the user and select /usr/bin/git-shell (or where it is located) as the login shell for the user.

However, as you want to restrict the user only when using a specific key, we need to create a helper script to do the same.

Create a file, for example in the home directory (of the target host), called git-ssh-remote-command, containing:

#!/bin/sh
# Hand the command the client asked for to git-shell, which accepts only the Git service commands.
exec git-shell -c "$SSH_ORIGINAL_COMMAND"

Run chmod a+rx /path/to/git-ssh-remote-command to make it executable and then use it in your .ssh/authorized_keys file for the key you want to restrict to git-only access, for example:

restrict,command="/path/to/git-ssh-remote-command" ssh-dss 1478912c844...

With the help of the script, this will limit the key to execute only the commands allowed by git-shell.

NOTE: By default git-shell does not allow additional commands needed by e.g. git-lfs; see man git-shell for instructions on how to do that if needed.
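An added example (not the script from this answer, nor code from Git) that tightens the same forced-command approach: instead of passing SSH_ORIGINAL_COMMAND straight to git-shell, it checks the command against the list from the first answer and confines repository paths to a REPO_ROOT directory (an assumed, hypothetical location).

```shell
#!/bin/sh
# Added example, not the script from the answer above: a forced-command
# wrapper for authorized_keys that checks SSH_ORIGINAL_COMMAND against the
# git-shell command list before handing it to git-shell, and confines
# repository paths to REPO_ROOT (a hypothetical location assumed here).
REPO_ROOT="${REPO_ROOT:-/srv/git}"
nl=$(printf '\nx'); nl=${nl%x}          # a literal newline for pattern matching

# check_git_command "git-upload-pack 'repo.git'"
# Prints the validated command and returns 0, or prints nothing and returns 1.
check_git_command() {
    cmd=$1
    # Reject shell metacharacters and newlines before looking at anything else.
    case $cmd in
        *[\;\&\|\$\(\)\<\>]*|*\\*|*\`*|*"$nl"*) return 1 ;;
    esac
    verb=${cmd%% *}                    # word before the first space
    arg=${cmd#* }                      # everything after it
    [ "$verb" != "$cmd" ] || return 1  # no argument at all
    # Hyphenated forms only: the first answer notes Git sends just these.
    case $verb in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) return 1 ;;
    esac
    # Git sends the path as one single-quoted string; strip exactly those quotes.
    case $arg in
        \'*\') path=${arg#\'}; path=${path%\'} ;;
        *) return 1 ;;
    esac
    [ -n "$path" ] || return 1
    # Keep the path under REPO_ROOT: no absolute path, no .. component, and
    # no stray quote that would change how git-shell parses the string.
    case "/$path/" in
        //*|*/../*|*\'*) return 1 ;;
    esac
    printf '%s\n' "$verb '$path'"
}

# Entry point for sshd: command="/path/to/this/script" in authorized_keys.
run_forced_command() {
    safe=$(check_git_command "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "this key is restricted to git commands" >&2
        return 1
    }
    cd "$REPO_ROOT" || return 1
    exec git-shell -c "$safe"
}

# Only dispatch when invoked by sshd, so the functions can be tested in place.
[ -z "${SSH_ORIGINAL_COMMAND:-}" ] || run_forced_command
```

Install it the same way as git-ssh-remote-command above, as the command= target for the restricted key.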
