1

I have a git repo on my server that I can push/pull through SSH just fine like:

git clone ssh://user@domain.com/repositories/myrepo.git

It prompts me with my public key passcode and I'm able to fetch or push changes to it, but I was wondering if there was a way where I could set it up so people can clone it only with read access so they don't have to enter any SSH credentials.

Thanks in advance!

Javier Villanueva

4 Answers

4

Not through ssh, unless you wanted to distribute a public key they could log in with, and that is a terrible idea.

The way we got this functionality on our gitolite was to use git-daemon; you need to open a new port, but can specify per-repository which ones it will serve, and can specify read-only. Users would clone with the git protocol i.e.

git clone git://domain.com/repositories/myrepo.git

Another way is to set the repository to be shared over a web server directly; then the user could access over standard http.

The page on the git community book here is a good overview, along with the man pages for git-daemon.

misnomer
  • Thanks, I ended up moving it to my public_html folder so I could use standard http, I was getting some problems trying to set up git-daemon maybe because of my shared hosting. – Javier Villanueva Mar 08 '12 at 16:36
  • I hope this necropost is okay. I have two (dumb?) questions. 1) If a person wanted the encryption offered by the ssh protocol, doesn't this answer remove that advantage, because the git protocol doesn't encrypt? 2) Why is it a terrible idea to distribute a public key to whomever needs read-only access? Is it not possible to prevent shell access and anything else that the RO user shouldn't have? I ask because I'm looking for a solution, myself. – Craig Silver Feb 20 '22 at 18:37
  • 1) Yes, it would remove the SSH protocol safety. I don't think git:// access is really a good solution in 2022! 2) The literal interpretation of the original question would imply giving ssh shell access - which is almost certainly a bad idea. It's possible to restrict shell access, manually - but - probably a good idea to leave this job to something like gitolite (if still recommended - I haven't kept up with current best practice for this style of personal access) or GitLab, rather than trying to roll your own. – misnomer Feb 21 '22 at 19:21
1

You can use git-shell, set only read permissions on the repository, and use key authentication. This is feasible when you are in control of who gets the key.

1

Given that:

  • git clone ssh://remote/src/proj1 and subsequent git pull / git fetch execute git-upload-pack 'src/proj1' (with the quotes)
  • git push etc executes git-receive-pack 'src/proj1' on the remote server

in your ~/.ssh/authorized_keys you can set up a line beginning with:

command="/home/yourusername/bin/checker" ssh-…

where the … part is the public key of the private SSH key you will give your users.

The /home/yourusername/bin/checker can be a shell script along the lines:

case $SSH_ORIGINAL_COMMAND in
(git-upload-pack*)
     # run git-upload-pack after unquoting its argument, optionally further restricting
     # access to specific directories
     ;;
(git-receive-pack*)
     exit 1 # deny access
     ;;
(*)
     exit 1 # allow nothing else
     ;;
esac

Please check the authorized_keys man page for extra security options like no-port-forwarding which most probably you want to include along the command="…" option in your authorized_keys file.

tzot
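The checker outlined in the answer above, filled in as an added example (not the answer author's own script): it unquotes the `git-upload-pack` argument, rejects pushes and anything else, and confines requests to one directory. `REPO_ROOT`, the function names and the allowed character set are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a forced-command "checker"; not the answer author's script.
# Matching authorized_keys entry (key elided as in the answer):
#   command="/home/yourusername/bin/checker",no-port-forwarding,no-pty ssh-…
# Assumption: served repositories live under REPO_ROOT.
LC_ALL=C; export LC_ALL
REPO_ROOT=${REPO_ROOT:-$HOME/repositories}

# Print the requested repository path (relative to REPO_ROOT) when the command
# is a well-formed git-upload-pack request; return 1 for everything else.
parse_read_only_request() {
    cmd=$1
    case $cmd in
        "git-upload-pack '"*"'") ;;   # clone / fetch / pull
        *) return 1 ;;                # git-receive-pack (push), shells, anything else
    esac
    repo=${cmd#"git-upload-pack '"}   # drop the command name and opening quote
    repo=${repo%"'"}                  # drop the closing quote
    repo=${repo#/}                    # ssh://host/path arrives as '/path'
    case $repo in
        '' | /* | -* | *..* | *[!A-Za-z0-9._/-]*)
            return 1 ;;               # empty, absolute, option-like, traversal, odd characters
    esac
    printf '%s\n' "$repo"
}

serve() {
    repo=$(parse_read_only_request "$SSH_ORIGINAL_COMMAND") || {
        echo "checker: this key only allows clone and fetch" >&2
        return 1
    }
    [ -d "$REPO_ROOT/$repo" ] || { echo "checker: no such repository" >&2; return 1; }
    # --strict: serve only this exact directory, do not fall back to <dir>/.git
    exec git upload-pack --strict "$REPO_ROOT/$repo"
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked to run a command;
# a plain interactive login leaves it unset and gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    serve || exit 1
fi
```

The character check also refuses legitimate names that contain `..` or spaces; widen it only if your repository names need that.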
1

You could use git-daemon. That will remove the dependency on having valid ssh credentials.

Chris Stryczynski
Andy