
I have etckeeper installed on ten servers with CentOS 6 and CentOS 7. It uploads /etc from the server to an individual git repository (each server has its own). My git is deployed based on Gitea. Since the etckeeper SSH key is installed in git (to access the repositories and download /etc there), from any server where etckeeper is installed you can access all server repositories over SSH (that is, view the repositories and their contents, perform various manipulations on the repositories and so on). This compromises security, since the owner of any server with etckeeper installed can access the repositories of other servers that do not belong to him.

Question: how can I restrict access to the repositories of "foreign" servers? It is necessary to restrict access both through the CLI and through the Gitea web interface.

Aleksandr

1 Answer


I think outside of commercial git servers like Bitbucket, you can only handle this using per-server repositories (or branches, if you could restrict those; normally that's a no, too).

At this low count of servers it'll be easiest to just have one repo+user+key per server.

If you had masses to think of, you could segment it by application and security class.

For the record, I found your post while searching for some well-documented example of doing this automated, which seems to be hard to find.

Florian Heigl
    If I understand it correctly he is also using per-server repositories and the problem is buried in the user who has access to all repos. Since we are using GitLab for VCS I think in this domain. For huge networks, groups could be an attempt to solve different security levels, or one group for each server. Since etckeeper is something you might have on a system from the beginning, the creation of the repo and the user could be done via API calls automatically. How you provide the API token during installation depends. – MaKaNu May 29 '23 at 10:42
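The one-repo-one-key-per-server layout from the answer, automated through the Gitea API as the comment suggests, as an added example (not code from the question, the answer, or Gitea itself). Instead of a shared user key it attaches each server's key to its own repository as a repository-scoped deploy key, which cannot open any other repo and has no web login. The Gitea URL, the owner account `etcadmin`, the `etc-<host>` naming, the key path and the `gitea-etckeeper` SSH host alias are assumptions.

```shell
#!/bin/sh
# Per-server etckeeper repos on Gitea: one private repo per server, one
# deploy key per repo. Deploy keys are scoped to a single repository, so
# server A's key can never reach server B's repo, and they carry no web login.
# Assumed (not from the question): Gitea at https://gitea.example.com,
# repos owned by the admin account that issued GITEA_TOKEN, repo name etc-<host>.
GITEA_URL="${GITEA_URL:-https://gitea.example.com}"
GITEA_OWNER="${GITEA_OWNER:-etcadmin}"

repo_name() { printf 'etc-%s' "$1"; }

# JSON body for POST /api/v1/user/repos: a private, empty repo for etckeeper to push into.
repo_payload() {
  printf '{"name":"%s","private":true,"auto_init":false}' "$(repo_name "$1")"
}

# JSON body for POST /api/v1/repos/{owner}/{repo}/keys; $1 = hostname, $2 = one public-key line.
# read_only is false because etckeeper must push; the key still only opens this one repo.
deploy_key_payload() {
  printf '{"title":"etckeeper@%s","key":"%s","read_only":false}' "$1" "$2"
}

# Authenticated API call; $1 = API path, $2 = JSON body. The admin token comes from the environment.
gitea_api() {
  curl -fsS -X POST -H "Authorization: token ${GITEA_TOKEN:?set GITEA_TOKEN}" \
       -H 'Content-Type: application/json' -d "$2" "$GITEA_URL/api/v1$1"
}

# Admin side: create the repo and attach this server's key as its deploy key.
provision_server() {
  gitea_api "/user/repos" "$(repo_payload "$1")" >/dev/null
  gitea_api "/repos/$GITEA_OWNER/$(repo_name "$1")/keys" "$(deploy_key_payload "$1" "$2")" >/dev/null
}

# Server side: pin the per-server key to an SSH host alias and point etckeeper's
# remote at that alias, so this host can only ever talk to its own repo.
client_setup() {
  host="$1"; key="${2:-/root/.ssh/etckeeper_rsa}"
  [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -N '' -f "$key" -C "etckeeper@$host"
  printf 'Host gitea-etckeeper\n  HostName %s\n  User git\n  IdentityFile %s\n  IdentitiesOnly yes\n' \
         "${GITEA_URL#https://}" "$key" >> /root/.ssh/config
  (cd /etc && git remote add origin "gitea-etckeeper:$GITEA_OWNER/$(repo_name "$host").git")
  sed -i 's/^PUSH_REMOTE=.*/PUSH_REMOTE="origin"/' /etc/etckeeper/etckeeper.conf
}

case "${1:-}" in
  provision) provision_server "$2" "$3" ;;   # provision <host> "<public key line>"
  client)    client_setup "$2" "$3" ;;       # client <host> [key path]
esac
```

Run `client <host>` on the server first to generate the key, then `provision <host> "$(cat /root/.ssh/etckeeper_rsa.pub)"` from a machine holding the admin token; the first `etckeeper commit` afterwards pushes /etc to the server's own repo.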