Description
The purpose of this document is to help you set up as many Git projects as you need on a remote server that multiple developers can access, check out, push to and pull from. This keeps all of your code off public servers and lets you control and restrict interaction in a fine-grained and simple setup.
This method can also be adapted to incorporate plugins or themes on a live development site so that code changes can be pushed and viewed in action immediately. Stay tuned for a supplemental document that outlines how to accomplish this.
Also, see gitk, a great tool for viewing all the details of your local repositories. Just run it from the command line within any local Git repository; most major Linux distributions have it.
Step 1 – Remote Server
Everything in this section is done on the remote server. We’re using ‘johndoe’ and ‘janedoe’ as our developers and ‘gitrepo’ as our user for the Git repository.
- Create a new Git user & initial ssh directory setup.
- Add the Git user to the system and set a password if you want; it’s not necessary for keyed entry, though.
- Create the .ssh directory and authorized_keys keyring file and set proper permissions on each.
- Set up sshd authentication into the Git repository for multiple users
- Create the group ‘sshusers’ and add all of your users to that group:
- Copy their ssh public keys into user ‘gitrepo’ authorized_keys keyring:
- Edit the sshd configuration.
- Open port 33936 in the firewall.
- Setup 1st Empty Repository
- Check to see if git-shell is already in there.
- If not, make sure git-shell is installed on your system.
- Add the path to git-shell from the last command.
- Change the Git user’s shell by entering the path to git-shell, usually /usr/bin/git-shell
- Setup ‘project1’ and push to the git master.
- Verify Your Local Git Configuration For ‘project1’
- At this point, the others can clone it down and push changes back up just as easily:
adduser gitrepo
passwd gitrepo
su - gitrepo
mkdir .ssh && chmod 700 .ssh
cd .ssh
touch authorized_keys && chmod 600 authorized_keys
groupadd sshusers
usermod -a -G sshusers janedoe
usermod -a -G sshusers johndoe
usermod -a -G sshusers gitrepo
cat /tmp/id_rsa.johndoe.pub >> ~/.ssh/authorized_keys
cat /tmp/id_rsa.janedoe.pub >> ~/.ssh/authorized_keys
We’re going to set this sshd server up more securely than most, but we won’t go overboard here; if you want to read more, see the Securing sshd document. Change the values in sshd_config to match the example below.
nano /etc/ssh/sshd_config
# this can be any port you'd like but make it a high port as many lower ports are reserved or standard application ports
Port 33936
# this is the IP address of your server
ListenAddress 192.168.126.1
LoginGraceTime 1m
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowGroups sshusers
AllowUsers johndoe janedoe gitrepo
iptables -A INPUT -p tcp -m tcp --dport 33936 -j ACCEPT
cd ~
mkdir -p repos/project1
cd repos/project1
git init --bare
Extra Security
If you don’t want the developers logging in with an ssh shell and pulling files from projects outside of Git or potentially damaging or deleting things, you can easily restrict the Git user to only doing Git activities with a limited shell tool called git-shell that comes with Git. If you set this as your git user’s login shell, then the git user can’t have normal shell access to your server. To use this, specify git-shell instead of bash for your user’s login shell. To do so, you must first add git-shell to /etc/shells if it’s not already there:
cat /etc/shells
which git-shell
sudo nano /etc/shells
sudo chsh gitrepo
Now, the git user can only use the SSH connection to push and pull Git repositories and can’t shell onto the machine. If you try, you’ll see a login rejection like this:
$ ssh gitrepo@192.168.126.1
fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have read and execute access.
Connection to 192.168.126.1 closed.
Step 2 – John Doe’s Local Computer
cd ~
mkdir -p git/repos/project1
cd git/repos/project1
git init
git add *
git commit -m "Initial Commit"
git remote add origin ssh://gitrepo@192.168.126.1:33936/home/gitrepo/repos/project1/
git remote set-url origin ssh://gitrepo@192.168.126.1:33936/home/gitrepo/repos/project1/
git push -u origin master
gitrepo@192.168.126.1's password:
Counting objects: 25, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (24/24), done.
Writing objects: 100% (25/25), 35.45 KiB | 0 bytes/s, done.
Total 25 (delta 0), reused 0 (delta 0)
To ssh://gitrepo@192.168.126.1:3936/home/gitdeploy/repos/protect/
 * [new branch] master -> master
Branch master set up to track remote branch master from origin.
cat .git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = ssh://gitrepo@192.168.126.1:33936/home/gitrepo/repos/project1/
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
Step 3 – Clone The New Repo for Jane Doe’s Local System or Any Other User
git clone ssh://gitrepo@192.168.126.1:33936/home/gitrepo/repos/project1/
cd project1
nano README
git commit -am 'fix for the README file'
git push origin master
And that brings us full circle. To add, remove or temporarily lock out users from this setup, see the Quick Reference below.
Quick Reference
Add another user
adduser jimdoe
usermod -a -G sshusers jimdoe
- Copy their ssh public keys into user ‘gitrepo‘ authorized_keys keyring:
cat /tmp/id_rsa.jimdoe.pub >> ~/.ssh/authorized_keys
Remove a user
userdel -f jimdoe
Important: see steps below also for total removal.
Temporarily Lock out a user without changing any passwords
There are at least two methods that will work here; remove the ssh pubkey of the user, or remove the user from the sshd_config ‘AllowUsers’ directive.
Remove the user’s ssh key. (If you wish to restore this later, make a backup of authorized_keys or have an archive copy of the user’s .pub keyfile handy.)
nano /home/gitrepo/.ssh/authorized_keys
- Find the line with the user’s RSA key; their username@machine name will be at the end of the string.
- CTRL + K will cut the line out.
- CTRL + X will exit the nano editor; say Y to write the new file.
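The key-removal lockout above as a script, added here as an example and not part of the original guide: access through ssh://gitrepo@... is granted by the key line in gitrepo’s authorized_keys, so the script moves that line aside and can put it back later. The function names, the .locked and .bak file names and the sample key comment are assumptions; it also assumes each key line ends with a username@machine comment.

```shell
#!/usr/bin/env bash
# Added example: lock or restore one developer's key in gitrepo's authorized_keys.
# Assumption: the key comment (last field, e.g. johndoe@laptop) identifies the owner.

# lock_key FILE COMMENT: move matching key lines into FILE.locked, keep FILE.bak.
lock_key() {
    local file=$1 who=$2 tmp rc=0
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Exact match on the last field; comment lines (first field starts with #) stay.
    awk -v who="$who" -v locked="${file}.locked" '
        $1 !~ /^#/ && NF >= 2 && $NF == who { print >> locked; n++; next }
        { print }
        END { exit (n ? 0 : 3) }' "$file" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi   # 3 = no such key
    # Back up only when something changes, and keep every copy private (sshd StrictModes).
    cp -p "$file" "${file}.bak" &&
        chmod 600 "$tmp" "${file}.locked" "${file}.bak" &&
        mv "$tmp" "$file"
}

# unlock_key FILE COMMENT: move the key back from FILE.locked into FILE.
unlock_key() {
    local file=$1 who=$2 locked="${1}.locked" tmp rc=0
    [ -f "$locked" ] || return 3
    tmp=$(mktemp "${locked}.XXXXXX") || return 1
    awk -v who="$who" -v keys="$file" '
        NF >= 2 && $NF == who { print >> keys; n++; next }
        { print }
        END { exit (n ? 0 : 3) }' "$locked" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    chmod 600 "$tmp" && mv "$tmp" "$locked"
}

# Usage: ./gitkey.sh lock|unlock /home/gitrepo/.ssh/authorized_keys johndoe@laptop
case "${1:-}" in
    lock)   lock_key "$2" "$3" ;;
    unlock) unlock_key "$2" "$3" ;;
esac
```

Run it as root or as the owner of the file; sshd reads authorized_keys at each login, so no restart is needed for the change to apply to new connections.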
Remove user ‘johndoe‘ from the sshd_config and the ‘sshusers‘ group.
nano /etc/ssh/sshd_config
- Locate the ‘AllowUsers’ directive, find the name of the user you want to revoke and erase it with the backspace key.
- CTRL + X will exit the nano editor; say Y to write the new file.
- gpasswd -d johndoe sshusers
- Restart sshd:
C6: service sshd restart
C7: systemctl restart sshd.service
Additional Reading
http://rogerdudler.github.io/git-guide/
https://www.kernel.org/pub/software/scm/git/docs/git-pull.html#URLS