SSH – Block git user from login, but allow the user to still function as a git repo


I have set up a git server by creating a user "git" and then creating a local repository in the git user's directory.

The git server works great; I can pull, push, etc. I allowed users to interact with the git repo by adding their public keys to the .ssh/authorized_keys file. I have disabled password-based logins. But the problem is that these users can log in to the server via ssh since their keys are on the authorized keys list. Okay, the permissions are set to be pretty restricted for the git user, but still, I would prefer it if there was no way for git to log in directly.

Is there a way to disable logins for the "git" user, but maintain the ability for the git user to accept pushes and pulls through git/ssh?

Best Answer

You can use git-shell to restrict access to SSH user accounts. From the documentation page:

This is a login shell for SSH accounts to provide restricted Git access. It permits execution only of server-side Git commands implementing the pull/push functionality, plus custom commands present in a subdirectory named git-shell-commands in the user’s home directory.

git-shell is non-interactive by default. Setting a user's default shell to git-shell will allow you to prevent users from interactively logging into your server, while keeping the functionality of git intact. Some level of customization is possible, which is documented on the same page, under the 'EXAMPLES' section.

git-shell should be installed along with git at /usr/bin/git-shell. You can set this as a user's default shell using usermod:

usermod -s /usr/bin/git-shell username
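
A way to confirm the change took effect, as an added example that is not part of the original answer: it checks the account's login shell and goes one step further by counting keys that lack sshd's "restrict" or "no-port-forwarding" option, since git-shell limits which commands run while SSH forwarding is governed by authorized_keys options. The function names and the sample passwd and key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a git-only account. Paths are arguments so the
# checks can be run against copies of the real files.

# Print the login shell of user $1 from passwd-format file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Succeed only when that login shell is git-shell.
uses_git_shell() {
    case "$(login_shell "$1" "$2")" in
        */git-shell) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print how many keys in authorized_keys file $1 lack an sshd option that
# turns off forwarding ("restrict" or "no-port-forwarding"). Heuristic:
# the options are whatever precedes the key type on the line.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            opts = $0
            sub(/(ssh|ecdsa|sk)-[^ ]+ .*/, "", opts)   # drop key type onward
            if (("," opts) !~ /,[ \t]*(restrict|no-port-forwarding)/) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample data (not real accounts or keys).
tmp=$(mktemp -d)
printf '%s\n' 'git:x:1001:1001::/home/git:/usr/bin/git-shell' \
    'dev:x:1002:1002::/home/dev:/bin/bash' > "$tmp/passwd"
printf '%s\n' '# constructed keys' \
    'restrict ssh-ed25519 AAAAC3constructed alice@example' \
    'no-port-forwarding,no-pty ssh-rsa AAAAB3constructed carol@example' \
    'ssh-ed25519 AAAAC3constructed bob@example' > "$tmp/keys"

uses_git_shell git "$tmp/passwd" && echo "git: login shell is git-shell"
uses_git_shell dev "$tmp/passwd" || echo "dev: login shell is NOT git-shell"
echo "keys without forwarding restrictions: $(unrestricted_keys "$tmp/keys")"
rm -rf "$tmp"
```

On a live server the same functions can be pointed at /etc/passwd and the git user's .ssh/authorized_keys.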