Package: gitolite3 Version: 3.6.1-3 Severity: wishlist Tags: patch
Hi. I spent some time in thinking how one can ideally harden the "git" user fromt he SSH side (i.e. rather independently of gitolite3). I've posted my ideas upstream https://groups.google.com/d/msg/gitolite/eLTiK8hvijo/9dKI8YfTSecJ (with some updated version a bit more down in the thread). I guess it would be nice if these hints could be added to e.g. README.Debian or as stand alone example file for the benefit of other users. Cheers, Chris.
Instructions: • Be sure to read the sshd_config(5) documentation to understand all directive set below and their effects. • This snippet must be placed at the very end (or at least below the “global section”) of sshd_config(5). • Adapt the user “gitolite3” with the user(s) used for git/Gitolite. For the “Match” directive, multiple users are separated with “,”, for example: Match User gitolite3,git For the “AllowUsers” directive, multiple users are separated with “ ”, for example: AllowUsers gitolite3 git Match User gitolite3 #Note: Gitolite via SSH must only be used with the public key authentication method, therefore the following completely disables all others. However, the former isn’t explicitily enabled here, but rather “inherited” from the “global” configuration. PasswordAuthentication no PermitEmptyPasswords no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no HostbasedUsesNameFromPacketOnly no KerberosAuthentication no GSSAPIAuthentication no RSAAuthentication no ###PubkeyAuthentication yes AuthenticationMethods publickey #Note: As of now, Gitolite doesn’t make use of an “authorized keys command”. It could have been “inherited” from the “global” configuration, therefore the following disables it explicitly. AuthorizedKeysCommand none AuthorizedKeysCommandUser #Note: Gitolite always expects the authorized keys to be found at “~/.ssh/authorized_keys”. A different value could have been “inherited” from the “global” configuration, therefore the following sets it explicitly. AuthorizedKeysFile .ssh/authorized_keys #Note: The following makes sure that it is really the user “gitolite3” which is used and that it isn’t an “alias for root” (in other words: any user name having the user ID 0). AllowUsers gitolite3 PermitRootLogin no #Note: The following restricts miscellaneous things which shouldn’t be necessary for respectively used with git or Gitolite. PermitTTY no AllowAgentForwarding no PermitUserRC no AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME AllowStreamLocalForwarding no StreamLocalBindMask 0777 StreamLocalBindUnlink no AllowTcpForwarding no #TODO: Uncomment the following once Debian bug #777643 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777643) has been solved. #PermitOpen none PermitTunnel no X11Forwarding no X11UseLocalhost yes GatewayPorts no #Note: The following effectively forbids SSH channel multiplexing, which might have security implications (simplified: further channels “inherit” some parameters from the initiating one) if allowed. MaxSessions 1