Ubuntu – Git and SFTP – How to separate them

Tags: git, sftp, ssh

We have a local development server with Ubuntu 14.04.
We use SFTP with vsftp, and Git.

Some coworkers have access over SFTP (without ssh access, /usr/bin/nologin and sftponly group), and other coworkers have access to the Git host (different username, shell as /usr/bin/git-shell).

I want to create the following environment: SFTP access for web front-end developers (external coworkers) and Git access (over ssh://) for our back-end developers (internal or external coworkers).

SFTP user is chrooted, and this works perfectly.

The problem is with Git: if users have access via ssh:// to the Git repository, they at the same time have access to all system directories via SFTP.

How to use SFTP and Git in the same system without SFTP access for Git users?

PS.
I have read almost all of the Google results, but the solutions either don't work, are too old, or advise turning off SFTP.

Best Answer

Updated post:

Using the following ForceCommand in sshd_config for your (otherwise normal) user should work:

ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"

This magic little command was originally found here. Note that the user's shell must be a normal fully featured shell in order for this to work properly.

Reason for edit:

I just realized my initial answer didn't actually work for me (so embarrassing). Sure it disables SFTP, but it seems to prevent git from working properly as well!

Original post:

Try using a ForceCommand, and use the git-shell for the command as well. ForceCommand disables sftp unless set to internal-sftp. - muru

Just decided to quote muru's comment so that others might benefit from it. It works like a charm.

I was having the exact same issue, and almost missed this gem since it was in the comments instead of posted as an answer.
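
The ForceCommand from the answer, placed next to the SFTP-only setup the question describes, as an added example that is not part of the original post. The group name gitusers is an assumption (hypothetical); the sftponly group and the /usr/bin/git-shell path come from the page.

```conf
# /etc/ssh/sshd_config (fragment) -- added example, not from the original post.
# Assumption: Git-only accounts belong to a group named "gitusers" (hypothetical);
# "sftponly" is the group named in the question.

# In-process SFTP server, so chrooted users need no binaries inside the jail.
Subsystem sftp internal-sftp

# SFTP-only accounts: chrooted to their home directory, SFTP and nothing else.
# ChrootDirectory requires the target and its parents to be root-owned
# and not writable by group or others.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Git-only accounts: every session request, including a request for the
# sftp subsystem, is replaced by git-shell. git-shell only runs Git's
# server-side commands (git-receive-pack, git-upload-pack, git-upload-archive),
# so push, fetch and clone work while SFTP and interactive logins are refused.
# As the answer notes, the account's login shell must be a normal shell,
# because sshd runs the forced command through it.
Match Group gitusers
    ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Check the file with `sshd -t` before reloading the daemon. Then confirm from a client that an account in the Git group can still clone over ssh:// while an `sftp` connection with the same account is refused.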
