Your message dated Tue, 24 Feb 2015 08:18:04 +0100
with message-id <[email protected]>
and subject line no plans for http backend support in Debian
has caused the Debian Bug report #778928,
regarding gitolite3: please include ssh "hardening" hints in README.Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778928: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778928
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gitolite3
Version: 3.6.1-3
Severity: wishlist
Tags: patch
Hi.
I spent some time in thinking how one can ideally harden the "git" user
from the SSH side (i.e. rather independently of gitolite3).
I've posted my ideas upstream
https://groups.google.com/d/msg/gitolite/eLTiK8hvijo/9dKI8YfTSecJ
(with some updated version a bit more down in the thread).
I guess it would be nice if these hints could be added to e.g.
README.Debian or as stand alone example file for the benefit of other users.
Cheers,
Chris.
Instructions:
• Be sure to read the sshd_config(5) documentation to understand all directives
set below and their effects.
• This snippet must be placed at the very end (or at least below the “global
section”) of sshd_config(5).
• Adapt the user “gitolite3” with the user(s) used for git/Gitolite.
For the “Match” directive, multiple users are separated with “,”, for example:
Match User gitolite3,git
For the “AllowUsers” directive, multiple users are separated with “ ”, for
example:
AllowUsers gitolite3 git
Match User gitolite3
    #Note: Gitolite via SSH must only be used with the public key
    # authentication method, therefore the following completely disables all
    # others. However, the former isn’t explicitly enabled here, but rather
    # “inherited” from the “global” configuration.
    PasswordAuthentication no
    PermitEmptyPasswords no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    HostbasedUsesNameFromPacketOnly no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    ###PubkeyAuthentication yes
    AuthenticationMethods publickey
    #Note: As of now, Gitolite doesn’t make use of an “authorized keys
    # command”. It could have been “inherited” from the “global” configuration,
    # therefore the following disables it explicitly. AuthorizedKeysCommandUser
    # requires a user name as argument (sshd rejects an empty value) and is only
    # consulted when a command is set, so it is left commented out here.
    AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser
    #Note: Gitolite always expects the authorized keys to be found at
    # “~/.ssh/authorized_keys”. A different value could have been “inherited”
    # from the “global” configuration, therefore the following sets it explicitly.
    AuthorizedKeysFile .ssh/authorized_keys
    #Note: The following makes sure that it is really the user “gitolite3”
    # which is used and that it isn’t an “alias for root” (in other words: any
    # user name having the user ID 0).
    AllowUsers gitolite3
    PermitRootLogin no
    #Note: The following restricts miscellaneous things which shouldn’t be
    # necessary for, respectively used with, git or Gitolite.
    PermitTTY no
    AllowAgentForwarding no
    PermitUserRC no
    AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
    AllowStreamLocalForwarding no
    StreamLocalBindMask 0777
    StreamLocalBindUnlink no
    AllowTcpForwarding no
    #TODO: Uncomment the following once Debian bug #777643
    # (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777643) has been solved.
    #PermitOpen none
    PermitTunnel no
    X11Forwarding no
    X11UseLocalhost yes
    GatewayPorts no
    #Note: The following effectively forbids SSH channel multiplexing,
    # which might have security implications (simplified: further channels
    # “inherit” some parameters from the initiating one) if allowed.
    MaxSessions 1
--- End Message ---
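The snippet above relies on two sshd_config(5) rules: the first value of a keyword wins within the global section, and a matching Match block overrides global values only for the keywords it sets (everything else is "inherited"). The following added example, which is not part of the bug report or of gitolite, computes the effective options for a given user from a small constructed config and reports which hardening directives are still missing; it only evaluates the User criterion of Match lines (an assumption, other criteria are treated as non-matching).

```python
from fnmatch import fnmatch

# Constructed sample config (not from any real host): global section first,
# the gitolite Match block placed last, as the instructions require.
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
AcceptEnv LANG
Match User gitolite3,git
    PasswordAuthentication no
    AuthenticationMethods publickey
    AllowTcpForwarding no
    MaxSessions 1
    AcceptEnv LC_ALL
"""

ACCUMULATING = {"acceptenv"}  # list-valued keywords that add up across lines


def _match_user(criteria, user):
    """Evaluate a Match line. Only the User criterion is handled here
    (assumption: any other criterion makes the block not match)."""
    toks = criteria.split()
    for key, pat in zip(toks[::2], toks[1::2]):
        if key.lower() != "user" or not any(fnmatch(user, p) for p in pat.split(",")):
            return False
    return True


def effective_options(text, user):
    """{keyword: value} as sshd applies it to `user`: first global value wins,
    first value from any matching Match block overrides it."""
    glob, matched = {}, {}
    target, active = glob, True
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split keyword
        if not parts:
            continue
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            target, active = matched, _match_user(val, user)
        elif not active:
            continue
        elif key in ACCUMULATING:
            target.setdefault(key, []).extend(val.split())
        else:
            target.setdefault(key, val)  # first occurrence wins
    out = dict(glob)
    for key, val in matched.items():
        out[key] = out.get(key, []) + val if key in ACCUMULATING else val
    return out


def missing_hardening(opts, expected):
    """Directives whose effective value differs from the hardening snippet."""
    return {k: opts.get(k) for k, v in expected.items() if opts.get(k) != v}
```

Running the check against `sshd -T -C user=gitolite3` output is the authoritative way to confirm what the daemon actually applies; this parser only shows the precedence rules.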
--- Begin Message ---
I'm sorry to say I have no plans to support the http backend in the
Debian package. I don't have enough experience with web applications to
be comfortable maintaining one, especially one with a security focus.
--- End Message ---