16

I have a git repository hosted on my SunOS server that I use remotely through ssh:

git clone ssh://myUser@mydomain.com/path/to/git

Now I need to add more users to be able to access that repository, but I'm not sure how.

I have added one testUser to ssh, but I can't seem to limit that user's privileges to only use git.

testUser is able to ssh through and browse the entire server.

How can I create users that can only access git remotely, to clone/pull/push etc...

thanks

Bach

4 Answers

16

You basically have two options.

  1. As topdog mentioned, when you create users on the server, set their shell to git-shell (book entry here). This will allow the user to log in via SSH, but instead of running a normal, fully-featured shell (e.g. sh, bash, etc.) it will run git-shell, which only provides access to git functionality.

  2. Alternatively, you can make your repositories available via another protocol, such as TCP (using git-daemon) or HTTP/HTTPS. I'd only recommend such a scenario for read-only access though.

You mention wanting to support 'push' functionality for your users, so you should really go with option #1.

David Tonhofer
chuckx
13

You might consider using gitolite under a single user instead of setting up multiple git-shell users (and the required group and group permissions so they can share access to the repositories).

gitolite runs under a single, normal user on the server and uses SSH public keys to differentiate access to Git repositories (see “how gitolite uses ssh” for some of the details of how gitolite does its SSH-based identification). gitolite offers per-repository, per-branch, and even some per-path access control.

Chris Johnsen
7

You need to change their shell to git-shell; that will give them access to git functions only.

topdog
  • Thanks topdog. Basically the user will be using his own git shell on his Mac. I don't really want him to be able to ssh to the server. So if the git repo is on mydomain.com, from testUser's computer/Mac, in the terminal he could just git clone ssh://myUser@mydomain.com/path/to/git, be prompted for his password, then download the repo. I just tried now setting his shell to git-shell. It prompts when calling clone but the password is being rejected. – Bach Aug 13 '10 at 05:09
  • You need to set myUser's shell to git-shell if all you want them to do on the server is run git commands and not be able to shell in. For the password prompts, please use keys. For more detailed coverage of git on a server, look at the free git book http://progit.org/book/ch4-0.html – topdog Aug 13 '10 at 07:13
  • Thanks for the book reference! Very helpful. Ended up using gitolite, still having issues with the setup though. – Bach Aug 31 '10 at 05:44
  • _git-shell_: "This is a login shell for SSH accounts to provide restricted Git access. It permits execution only of server-side Git commands implementing the pull/push functionality, plus custom commands present in a subdirectory named git-shell-commands in the user’s home directory." On Linux, add "/bin/git-shell" to "/etc/shells" and then "usermod --shell /bin/git-shell $USER". Btw, the git book is now at http://git-scm.com/book/en/ch4-0.html – David Tonhofer Jun 08 '14 at 11:10
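
An added example, not part of the original thread: a POSIX shell check that accounts meant for git-only access really have git-shell as their login shell, which is the restriction the answers above describe. The /bin/git-shell path follows the comment above; the function names, the passwd and shells contents, and the users alice, bob and carol are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that accounts meant for git-only SSH access really
# have git-shell as their login shell. All file contents are constructed.

# check_git_only PASSWD_FILE SHELLS_FILE GIT_SHELL USER
# Prints: ok | not-git-shell:<shell> | unlisted-shell | no-such-user
check_git_only() {
    # Field 7 of a passwd entry is the login shell.
    res=$(awk -F: -v u="$4" '$1 == u { print "found:" $7; f = 1; exit }
                             END { if (!f) print "missing" }' "$1")
    [ "$res" = missing ] && { echo no-such-user; return; }
    shell=${res#found:}
    # An empty shell field falls back to /bin/sh, a full interactive shell.
    [ -n "$shell" ] || shell=/bin/sh
    [ "$shell" = "$3" ] || { echo "not-git-shell:$shell"; return; }
    # git-shell should also be listed in the shells file (see comment above).
    if grep -qxF -- "$3" "$2"; then echo ok; else echo unlisted-shell; fi
}

# audit_git_users PASSWD_FILE SHELLS_FILE GIT_SHELL USER...
# Prints "user status" per user; returns the number of users that are not ok.
audit_git_users() {
    pw=$1 sh_list=$2 gs=$3 bad=0
    shift 3
    for u in "$@"; do
        st=$(check_git_only "$pw" "$sh_list" "$gs" "$u")
        echo "$u $st"
        [ "$st" = ok ] || bad=$((bad + 1))
    done
    return "$bad"
}

# write_sample DIR: constructed passwd and shells files for the demo.
write_sample() {
    cat > "$1/passwd" <<'EOF'
myUser:x:1000:1000::/home/myUser:/bin/bash
testUser:x:1001:1001::/home/testUser:/bin/bash
alice:x:1002:1001::/home/alice:/bin/git-shell
bob:x:1003:1001::/home/bob:
EOF
    printf '%s\n' /bin/sh /bin/bash /bin/git-shell > "$1/shells"
}

# Demo on the constructed files; on a real host pass /etc/passwd and /etc/shells.
tmp=$(mktemp -d) && write_sample "$tmp"
audit_git_users "$tmp/passwd" "$tmp/shells" /bin/git-shell testUser alice bob carol \
    || echo "$? account(s) need attention"
rm -rf "$tmp"
```

The check reads only local passwd-format files, so accounts that come from a directory service are not covered by it.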
0

Another way to do it is by limiting the users' access within ssh.

(http://prefetch.net/blog/index.php/2006/09/05/limiting-access-to-openssh-directives/)

The example uses only one user, but if the users are in the same group you can filter them by using the Group directive. Something like:

AllowTcpForwarding yes
X11Forwarding yes

Match Group Users
         AllowTcpForwarding no
         X11Forwarding no
         $Here is a directive for git$
Nikolaidis Fotis