[Fusionforge-general] Restricting ssh shell access for git

Roland Mas lolando at debian.org
Fri May 25 15:44:11 CEST 2012


Olivier Berger, 2012-05-25 14:57:55 +0200 :

> Hi.
>
> I've installed a 5.1.1-6 Debian package, and we probably will only use
> Git for this forge.
>
> I'd like to restrict the use of ssh only to execution of git-related
> commands, and not full shell access (not even chrooted! See
> http://bugs.debian.org/674559).
>
> AFAICT, the default login shell ('shell' column's default value in the
> 'users' table) is /bin/bash.
>
> As such, it opens full ssh access to the forge for its users, and that's not
> what I want for a public forge.
>
> My thinking is that this could probably be set to /usr/bin/git-shell by
> default, and I could then make sure some cron updates the user's
> "$HOME/git-shell-commands" (man git-shell).
>
> Would you have any other ideas/recommendations on how to achieve this
> (in particular about the cron update)?

  There's also something called rush (restricted user shell) that can be
configured with a config file, which you may want to investigate.

Roland.
-- 
Roland Mas

If you spit in the air, it lands in your face.
  -- Tevye, in Fiddler on the roof
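
The setup described in the quoted message (git-shell as the login shell, plus a cron job that maintains "$HOME/git-shell-commands"), as an added example that is not from either poster or from FusionForge. It reads passwd-format lines rather than the forge database; the UID threshold, the account names and the scratch paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FusionForge code). GIT_SHELL is the path named in the thread.
GIT_SHELL=/usr/bin/git-shell

# Audit: print logins with UID >= $2 in passwd-format file $1 that still have
# a real login shell other than git-shell.
list_full_shell_users() {
    awk -F: -v min="$2" -v gs="$GIT_SHELL" \
        '$3 >= min && $7 != gs && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Create $1/git-shell-commands with a no-interactive-login hook, which
# git-shell runs instead of offering its interactive prompt (see git-shell(1)).
provision_git_shell_commands() {
    dir="$1/git-shell-commands"
    mkdir -p "$dir" || return 1
    cat > "$dir/no-interactive-login" <<'EOF'
#!/bin/sh
echo "Authenticated, but interactive shell access is disabled on this forge."
exit 128
EOF
    chmod 755 "$dir" "$dir/no-interactive-login"
}

# Cron body: provision every account in file $1 whose shell is git-shell.
sync_git_shell_users() {
    awk -F: -v gs="$GIT_SHELL" '$7 == gs { print $6 }' "$1" |
    while IFS= read -r home; do
        if [ -d "$home" ]; then provision_git_shell_commands "$home"; fi
    done
}

# Constructed sample data: two forge users in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/home/bob"
cat > "$demo/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
alice:x:20001:20001::$demo/home/alice:/bin/bash
bob:x:20002:20002::$demo/home/bob:$GIT_SHELL
EOF
echo "still on a full shell: $(list_full_shell_users "$demo/passwd" 20000)"
sync_git_shell_users "$demo/passwd"
ls -l "$demo/home/bob/git-shell-commands"
```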


