Package: gitolite3
Version: 3.6.1-3
Severity: wishlist
Tags: patch
Hi.
I spent some time in thinking how one can ideally harden the "git" user
fromt he SSH side (i.e. rather independently of gitolite3).
I've posted my ideas upstream
https://groups.google.com/d/msg/gitolite/eLTiK8hvijo/9dKI8YfTSecJ
(with some updated version a bit more down in the thread).
I guess it would be nice if these hints could be added to e.g.
README.Debian or as stand alone example file for the benefit of other users.
Cheers,
Chris.
Instructions:
• Be sure to read the sshd_config(5) documentation to understand all directive
set below and their effects.
• This snippet must be placed at the very end (or at least below the “global
section”) of sshd_config(5).
• Adapt the user “gitolite3” with the user(s) used for git/Gitolite.
For the “Match” directive, multiple users are separated with “,”, for example:
Match User gitolite3,git
For the “AllowUsers” directive, multiple users are separated with “ ”, for
example:
AllowUsers gitolite3 git
Match User gitolite3
#Note: Gitolite via SSH must only be used with the public key
authentication method, therefore the following completely disables all others.
However, the former isn’t explicitily enabled here, but rather “inherited” from
the “global” configuration.
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
HostbasedUsesNameFromPacketOnly no
KerberosAuthentication no
GSSAPIAuthentication no
RSAAuthentication no
###PubkeyAuthentication yes
AuthenticationMethods publickey
#Note: As of now, Gitolite doesn’t make use of an “authorized keys
command”. It could have been “inherited” from the “global” configuration,
therefore the following disables it explicitly.
AuthorizedKeysCommand none
AuthorizedKeysCommandUser
#Note: Gitolite always expects the authorized keys to be found at
“~/.ssh/authorized_keys”. A different value could have been “inherited” from
the “global” configuration, therefore the following sets it explicitly.
AuthorizedKeysFile .ssh/authorized_keys
#Note: The following makes sure that it is really the user “gitolite3”
which is used and that it isn’t an “alias for root” (in other words: any user
name having the user ID 0).
AllowUsers gitolite3
PermitRootLogin no
#Note: The following restricts miscellaneous things which shouldn’t be
necessary for respectively used with git or Gitolite.
PermitTTY no
AllowAgentForwarding no
PermitUserRC no
AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE
LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
AllowStreamLocalForwarding no
StreamLocalBindMask 0777
StreamLocalBindUnlink no
AllowTcpForwarding no
#TODO: Uncomment the following once Debian bug #777643
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777643) has been solved.
#PermitOpen none
PermitTunnel no
X11Forwarding no
X11UseLocalhost yes
GatewayPorts no
#Note: The following effectively forbids SSH channel multiplexing,
which might have security implications (simplified: further channels “inherit”
some parameters from the initiating one) if allowed.
MaxSessions 1
