Git – Limit Shell Access for Users but Allow Push/Pull

git, github, permissions, shell, ssh

I'm hosting a git repository on my server. Anyone can push / pull from the following remote URL:

ssh://git@example.com/opt/git/my-project.git

Specifically, anyone with ssh access to the git@example.com user can push/pull (i.e. I have their public key listed as an authorized_key).

I'd like to continue allowing push/pull access, but I'd like to disable shell/login access.

GitHub uses this approach – if you try to ssh into any of their git servers you get:

$ ssh git@github.com
PTY allocation request failed on channel 0
Hi [USER]! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

Specifically, I'd like to –

  1. Disable shell access via ssh and password for the git user
  2. Still allow myself (as root) to be able to assume the git user interactively
  3. Still allow developers to push / pull on the repository

I tried disabling the shell for the git user as follows:

root@example:~# usermod -s /usr/sbin/nologin git

This works great for #1 (ssh access is blocked) and #2 (I can still access the shell with sudo -u git -s /bin/bash).

However, #3 is not doable. Cutting off shell access apparently also disables push/pull access (since it probably uses ssh).

Is there another solution here? How does GitHub themselves do this?

Thanks!

Best Answer

The easiest solution would be to use git-shell as the user's login-shell.

A detailed description on how to set this up can be found here: https://git-scm.com/docs/git-shell, or alternatively on the git shell manpage (man git shell).
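An added example, not part of the original answer: a shell audit that checks the two settings that make a git-shell account effective, the login shell in a passwd-format file and the forwarding restrictions on each authorized_keys entry (git-shell blocks interactive login but does not by itself stop SSH port forwarding). The function names and the sample passwd and authorized_keys contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a git-only SSH account.

# Print the login shell recorded for user $1 in passwd-format file $2.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Succeed only when user $1's login shell in file $2 is git-shell.
uses_git_shell() {
    case "$(login_shell_of "$1" "$2")" in
        */git-shell) return 0 ;;
        *) return 1 ;;
    esac
}

# Print how many keys in authorized_keys file $1 carry neither "restrict" nor
# "no-port-forwarding". Assumes option values contain no spaces; a key whose
# options cannot be read this way is counted as unrestricted (fails closed).
count_unrestricted_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { n++; next }   # starts with key type: no options
        ("," $1 ",") !~ /,(restrict|no-port-forwarding),/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample data (not real accounts or keys).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
git:x:1001:1001::/home/git:/usr/bin/git-shell
deploy:x:1002:1002::/home/deploy:/bin/bash
EOF
cat > "$SAMPLE/authorized_keys" <<'EOF'
# developer keys
restrict ssh-ed25519 AAAAC3constructedkey1 alice@example
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3constructedkey2 bob@example
ssh-ed25519 AAAAC3constructedkey3 carol@example
EOF

uses_git_shell git "$SAMPLE/passwd" && echo "git: login shell is git-shell"
uses_git_shell deploy "$SAMPLE/passwd" || echo "deploy: still has an interactive shell"
echo "keys without forwarding restrictions: $(count_unrestricted_keys "$SAMPLE/authorized_keys")"
```

On a real host, point the functions at /etc/passwd and the git user's ~/.ssh/authorized_keys instead of the sample files.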
