Monday, June 4, 2018

GIT, SSH, and GIT-SHELL



I'm trying to set up a secure git repository server using ssh-keys and git-shell.
Since our user database is stored in a central LDAP directory, I can't change users' default shell to git-shell, so I've tried prepending the git-shell command to the public key in the authorized_users file like this:



command="git-shell -c $SSH_ORIGINAL_COMMAND" ssh-dss AAAAB3NzaC1kc3...


However, git-shell won't even allow me to clone the repository:




dhcp202:git-ws frank$ git clone ssh://gitserver/var/repos/git/myrepo/
Cloning into myrepo...
fatal: What do you think I am? A shell?
fatal: The remote end hung up unexpectedly


Any ideas appreciated...


Answer



You will find a similar mechanism with gitolite, based on ssh and forced command (including ldap queries).
It doesn't allow an interactive shell, however, which could be your issue there.




The OP Frank Brenner adds:




Ah, I figured it out - the command has to be in single quotes. I suppose $SSH_ORIGINAL_COMMAND was getting expanded before git-shell was started.




That is confirmed in the gitolite forced command script, which is a Perl one, ending with:



# ----------------------------------------------------------------------------
# over to git now
# ----------------------------------------------------------------------------

if ($ENV{REQUEST_URI}) {
    log_it($ENV{REQUEST_URI});
    exec $ENV{GIT_HTTP_BACKEND};
    # the GIT_HTTP_BACKEND env var should be set either by the rc file, or as
    # a SetEnv in the apache config somewhere
}

log_it();

$repo = "'$REPO_BASE/$repo.git'";
exec("git", "shell", "-c", "$verb $repo") unless $verb eq 'git-init';


Note the $repo = "'$REPO_BASE/$repo.git'" line: it does contain single quotes.
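Rather than depending on how the user's login shell quotes and expands $SSH_ORIGINAL_COMMAND, the sturdier pattern (the one gitolite's script takes) is to make the forced command a small wrapper that parses the client's request itself and only then hands over to git. The script below is an added example written for this post; it is not part of the original answer, of git, or of gitolite. REPO_BASE is assumed from the repository path in the question, and the script path and key in the comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the original answer, git, or gitolite): a forced-command
# wrapper for authorized_keys. sshd hands the client's command string to us in
# SSH_ORIGINAL_COMMAND; we parse it ourselves and never let a shell re-split it.
# REPO_BASE is an assumed layout, taken from the repository path in the question.

REPO_BASE=/var/repos/git

# check_git_command CMD
#   Accept only "git-upload-pack <repo>" / "git-receive-pack <repo>" (and the
#   two-word "git upload-pack" spelling), with a single repo argument that is
#   optionally single-quoted, contains only safe characters, has no "..",
#   and resolves to somewhere inside REPO_BASE.
#   On success sets GIT_VERB and GIT_PATH and returns 0; otherwise returns 1.
check_git_command() {
    cmd=$1
    case $cmd in
        "git-upload-pack "*|"git-receive-pack "*)
            verb=${cmd%% *}; rest=${cmd#* } ;;
        "git upload-pack "*|"git receive-pack "*)
            rest=${cmd#* }; verb="git-${rest%% *}"; rest=${rest#* } ;;
        *)  return 1 ;;
    esac

    # git clients send the path single-quoted; strip exactly one outer pair.
    case $rest in
        \'?*\') rest=${rest#\'}; rest=${rest%\'} ;;
    esac

    # Reject anything outside a conservative path alphabet, any parent-directory
    # component, and an empty path. Quotes, spaces, ';', '$' etc. all fail here.
    case $rest in
        ""|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac

    # Relative names live under REPO_BASE; absolute ones must already be inside it.
    case $rest in
        /*) GIT_PATH=$rest ;;
        *)  GIT_PATH="$REPO_BASE/$rest" ;;
    esac
    case $GIT_PATH in
        "$REPO_BASE"/?*) ;;
        *) return 1 ;;
    esac

    GIT_VERB=$verb
    return 0
}

# run_forced_command
#   Entry point when sshd invokes this script as the key's forced command, e.g.
#   (placeholder script path and key):
#   command="/usr/local/bin/git-only.sh --serve",no-pty,no-port-forwarding ssh-ed25519 AAAA...
#   The validated verb and path are exec'd directly (git-upload-pack /
#   git-receive-pack must be on PATH), so nothing the client sent is ever
#   interpreted by a shell.
run_forced_command() {
    if check_git_command "${SSH_ORIGINAL_COMMAND-}"; then
        exec "$GIT_VERB" "$GIT_PATH"
    fi
    echo "fatal: only git-upload-pack and git-receive-pack are permitted" >&2
    exit 1
}

if [ "${1-}" = --serve ]; then
    run_forced_command
else
    # Stand-alone demo over constructed command strings (not captured traffic).
    for sample in \
        "git-upload-pack '/var/repos/git/myrepo/'" \
        "git receive-pack 'myrepo.git'" \
        "git-upload-pack '/var/repos/git/myrepo'; id" \
        "git-upload-pack '/var/repos/git/../../etc/passwd'" \
        "bash -i"
    do
        if check_git_command "$sample"; then
            printf 'allow: %-50s -> %s %s\n' "$sample" "$GIT_VERB" "$GIT_PATH"
        else
            printf 'deny:  %s\n' "$sample"
        fi
    done
fi
```

Run without arguments it prints the verdict for each constructed sample; installed as the forced command with --serve it either execs the git service or refuses. Because the wrapper execs the validated verb and path as separate arguments, the quoting question from the thread disappears entirely: the single quotes the git client puts around the path are stripped during validation rather than passed along, and the no-pty and no-port-forwarding key options keep the key from being used for anything but git.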

