From dd98407114763762f9356ed08391338552138aca Mon Sep 17 00:00:00 2001 From: Daniel Musketa Date: Mon, 14 Jan 2019 15:30:44 +0100 Subject: [PATCH] add a security warning about SSH port forwarding and show how to prevent it --- .../sections/setting-up-server.asc | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/book/04-git-server/sections/setting-up-server.asc b/book/04-git-server/sections/setting-up-server.asc index 642f43dda..22bb411cc 100644 --- a/book/04-git-server/sections/setting-up-server.asc +++ b/book/04-git-server/sections/setting-up-server.asc @@ -107,7 +107,7 @@ Now you can edit the shell for a user using `chsh -s `: $ sudo chsh git -s $(which git-shell) ---- -Now, the `git` user can only use the SSH connection to push and pull Git repositories and can't shell onto the machine. +Now, the `git` user can still use the SSH connection to push and pull Git repositories but can't shell onto the machine. If you try, you'll see a login rejection like this: [source,console] 
@@ -118,6 +118,33 @@ hint: ~/git-shell-commands should exist and have read and execute access. Connection to gitserver closed. ---- +At this point users are still able to use SSH port forwarding to access any +host the git server is able to reach. If you want to prevent that you can edit +the `authorized_keys` file and prepend the following options to each key you'd +like to restrict: + +[source,console] +---- +no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty +---- + +The result should look like this: + +[source,console] +---- +$ cat ~/.ssh/authorized_keys +no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa +AAAAB3NzaC1yc2EAAAADAQABAAABAQCB007n/ww+ouN4gSLKssMxXnBOvf9LGt4LojG6rs6h +PB09j9R/T17/x4lhJA0F3FR1rP6kYBRsWj2aThGw6HXLm9/5zytK6Ztg3RPKK+4kYjh6541N +YsnEAZuXz0jTTyAUfrtU3Z5E003C4oxOj6H0rfIF1kKI9MAQLMdpGW1GYEIgS9EzSdfd8AcC +IicTDWbqLAcU4UpkaX8KyGlLwsNuuGztobF8m72ALC/nLF6JLtPofwFBlgc+myivO7TCUSBd +LQlgMVOFq1I2uPWQOkOWQAHukEOmfjy2jctxSDBQ220ymjaNsHT4kgtZg2AYYgPqdAv8JggJ +ICUvax2T9va5 gsg-keypair + +no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa +AAAAB3NzaC1yc2EAAAADAQABAAABAQDEwENNMomTboYI+LJieaAY16qiXiH3wuvENhBG... +---- + Now Git network commands will still work just fine but the users won't be able to get a shell. As the output states, you can also set up a directory in the `git` user's home directory that customizes the `git-shell` command a bit. For instance, you can restrict the Git commands that the server will accept or you can customize the message that users see if they try to SSH in like that.
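Review bot: in the first hunk, "can't shell onto the machine" is colloquial; since the new paragraph that follows explains that SSH access is still possible for forwarding, the precise statement is that the `git` user can't get an interactive shell on the machine. Suggest "but can't get an interactive shell on the machine" so the distinction between shell access and other SSH features the later text relies on is explicit.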
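Review bot: in the `authorized_keys` listing of the second hunk, the first key's base64 blob is wrapped over six lines, but each entry in a real `authorized_keys` file must be a single line, so a reader who copies the listing verbatim ends up with a file sshd will not accept; either truncate it with `...` as the second entry does, or add a sentence saying the key is wrapped for display. The options block (`no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty`) is not console output, so `[source,console]` is the wrong source type for it. Consider also mentioning the single `restrict` option (OpenSSH 7.2 and later), which disables port, X11 and agent forwarding and pty allocation in one keyword and also covers restrictions added in later releases, and that the same limits can be enforced server-wide for the account in `sshd_config` with a `Match User git` block (`AllowTcpForwarding no`, `X11Forwarding no`, `AllowAgentForwarding no`, `PermitTTY no`), so the protection does not depend on every key being edited correctly.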