Hey. Okay, upstream has changed his opinion again and no longer wants to provide hardening hints to gitolite users in general.
So attached is a text-based version based on the latest version I've presented upstream, using the default Debian gitolite3 username. Please include it within /u/s/doc/gitolite3.

Cheers,
Chris.
********************************************************************************
*** “Hardening” OpenSSH for the use with git/Gitolite ***
********************************************************************************

This is some documentation about how to “harden” the configuration of OpenSSH’s
server sshd(8) for the use with git/Gitolite.

• Be sure to read sshd_config(5) in order to understand all the directives used,
  their effects, and whether and how they might affect your system.

• The configuration snippet must be placed below the “global section” (or simply
  at the very end) of sshd_config(5): a “Match” block extends until the next
  “Match” line or the end of the file, so anything placed after it would become
  part of the block.

• Adapt the example user “gitolite3” to the user(s) for git/Gitolite.
  For the “Match” directive, multiple users are separated with “,” (U+002C COMMA),
  for example:
      Match User gitolite3,git
  For the “AllowUsers” directive, multiple users are separated with “ ” (U+0020
  SPACE), for example:
      AllowUsers gitolite3 git

• The “Match” block can be further restricted (for example to the incoming IP
  address or TCP port, if desired). See sshd_config(5) for details.

• Currently, there may be a bug in OpenSSH (or at least in the Debian packaging
  of it) which leads to issues when the directive “PermitOpen” is set to “none”.
  See OpenSSH bug #2355 (https://bugzilla.mindrot.org/show_bug.cgi?id=2355) and
  Debian bug #778807 (http://bugs.debian.org/778807).

********************************************************************************
*** sshd_config Snippet ***
********************************************************************************

Match User gitolite3
	#Note: Gitolite via SSH must only be used with the public key authentication
	#method, therefore the following completely disables all others. However, the
	#former isn’t explicitly enabled here, but rather “inherited” from the
	#“global” configuration.
	PasswordAuthentication no
	PermitEmptyPasswords no
	KbdInteractiveAuthentication no
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	HostbasedUsesNameFromPacketOnly no
	KerberosAuthentication no
	GSSAPIAuthentication no
	RSAAuthentication no
	###PubkeyAuthentication yes
	AuthenticationMethods publickey

	#Note: As of now, Gitolite doesn’t make use of an “authorized keys command”.
	#It could have been “inherited” from the “global” configuration, therefore
	#the following disables it explicitly.
	AuthorizedKeysCommand none
	AuthorizedKeysCommandUser

	#Note: Gitolite always expects the authorized keys to be found at
	#“~/.ssh/authorized_keys”. A different value could have been “inherited” from
	#the “global” configuration, therefore the following sets it explicitly.
	AuthorizedKeysFile .ssh/authorized_keys

	#Note: The following makes sure that it is really the user “gitolite3” which
	#is used and that it isn’t an “alias for root” (in other words: any user name
	#having the user ID 0).
	AllowUsers gitolite3
	PermitRootLogin no

	#Note: The following restricts miscellaneous things which shouldn’t be
	#necessary for, respectively used with, git or Gitolite.
	PermitTTY no
	AllowAgentForwarding no
	PermitUserRC no
	AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
	AllowStreamLocalForwarding no
	StreamLocalBindMask 0777
	StreamLocalBindUnlink no
	AllowTcpForwarding no
	#TODO: Uncomment the following once OpenSSH bug #2355
	#(https://bugzilla.mindrot.org/show_bug.cgi?id=2355) has been solved.
	#PermitOpen none
	PermitTunnel no
	X11Forwarding no
	X11UseLocalhost yes
	GatewayPorts no

	#Note: The following effectively forbids SSH channel multiplexing, which
	#might have security implications (simplified: further channels “inherit”
	#some parameters from the initiating one) if allowed.
	MaxSessions 1

********************************************************************************
*** License ***
********************************************************************************

Copyright © 2015, Christoph Anton Mitterer <m...@christoph.anton.mitterer.name>.
All rights reserved.

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/.

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Germany License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/de/.

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. You should have received a copy of
the GNU Free Documentation License along with this work. If not, see
<http://www.gnu.org/licenses/>.
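A practitioner applying the snippet above will want to confirm that the “Match” block really overrides the global section for the gitolite user. The following shell helper is an added example, not part of the attached document: it compares the effective configuration that sshd -T prints for that user against a subset of the intended values. The sshd -T excerpts embedded in it are constructed for demonstration, and the host/addr values in the suggested invocation are placeholders.

```shell
# Added verification helper (not part of the original document): compare the
# effective sshd(8) configuration for the gitolite user, as printed by
#   sshd -T -f /etc/ssh/sshd_config -C user=gitolite3,host=client,addr=203.0.113.1
# (one lower-case "directive value" line each), against the values the
# Match block is meant to enforce. Only a subset of the directives is checked.

EXPECTED='passwordauthentication no
authenticationmethods publickey
permitrootlogin no
permittty no
allowtcpforwarding no
maxsessions 1'

# check_effective: read "sshd -T" output on stdin, print each directive whose
# effective value differs from EXPECTED, return 1 on any mismatch, else 0.
check_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$dump" | sed -n "s/^$key //p" | head -n 1)
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed excerpts of "sshd -T" output, for demonstration only.
SAMPLE_HARDENED='passwordauthentication no
authenticationmethods publickey
permitrootlogin no
permittty no
allowtcpforwarding no
maxsessions 1'
# The same host before the Match block was added: global defaults leak through.
SAMPLE_GLOBAL='passwordauthentication yes
authenticationmethods any
permitrootlogin without-password
permittty yes
allowtcpforwarding yes
maxsessions 10'

printf '%s\n' "$SAMPLE_HARDENED" | check_effective && echo "hardened: OK"
printf '%s\n' "$SAMPLE_GLOBAL" | check_effective || echo "global: NOT hardened"
```

On a real host, pipe the sshd -T output into check_effective instead of the constructed samples; run it with a different user in -C to confirm the global section still applies to everyone else.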