Give Access to host ssh server users for some projects #4

Open
frank-dspeed opened this issue Feb 19, 2019 · 4 comments

@frank-dspeed

In some rare cases :) you want to share SSH access from the host to GitLab. Here is how to do it:

Create an SSH user on the host with git-shell access
Create host hooks that get referred from alone via GitLab, as it links /hooks
Create the SSH user with the same uid and gid for

@frank-dspeed

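```
# Create the user; -o permits a non-unique UID (1005), -g sets the primary group (1000)
useradd -ou 1005 -g 1000 username
# The login shell is stored in /etc/passwd; set it to git-shell
chsh -s "$(command -v git-shell)" username
```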

@frank-dspeed

git shell accepts the following commands after the -c option:

git receive-pack
git upload-pack
git upload-archive

@frank-dspeed

INTERACTIVE USE
By default, the commands above can be executed only with the -c option; the shell is not interactive.

If a ~/git-shell-commands directory is present, git shell can also be run interactively (with no arguments). If a help command is present in the git-shell-commands directory, it is run to provide the user with an overview of allowed actions. Then a "git> " prompt is presented at which one can enter any of the commands from the git-shell-commands directory, or exit to close the connection.

Generally this mode is used as an administrative interface to allow users to list repositories they have access to, create, delete, or rename repositories, or change repository descriptions and permissions.

If a no-interactive-login command exists, then it is run and the interactive shell is aborted.

EXAMPLES
To disable interactive logins, displaying a greeting instead:

```
$ chsh -s /usr/bin/git-shell
$ mkdir $HOME/git-shell-commands
$ cat >$HOME/git-shell-commands/no-interactive-login <<\EOF
#!/bin/sh
printf '%s\n' "Hi $USER! You've successfully authenticated, but I do not"
printf '%s\n' "provide interactive shell access."
exit 128
EOF
$ chmod +x $HOME/git-shell-commands/no-interactive-login
```

@frank-dspeed

Analyzing the command executed on the SSH server
The environment variable $SSH_ORIGINAL_COMMAND makes it easier to work out which command has to be entered in authorized_keys:

```
command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB[..]
```
When a command is invoked from the client, the command executed on the server is then printed for analysis:

```
:~$ ssh [email protected] tail /etc/passwd
You invoked: tail /etc/passwd
```
Some commands, such as rsync, however produce an error message with the command above. With a detour via a script on the SSH server, the executed command can still be obtained:[1]

```
:~$ vi logssh.sh
#!/bin/sh
# Log the command the client requested, with a timestamp, then run it
if [ -n "$SSH_ORIGINAL_COMMAND" ]
then
echo "$(/bin/date): $SSH_ORIGINAL_COMMAND" >> "$HOME/ssh-command-log"
exec $SSH_ORIGINAL_COMMAND
fi
:~$ vi .ssh/authorized_keys
command="/home/dailybackup/logssh.sh" ssh-rsa AAAAB3N[...]
```
The client then invokes rsync:

```
:~/tmp$ rsync -avz test.txt [email protected]:/home/dailybackup
sending incremental file list
[...]
```
On the SSH server, the command executed via SSH appears in the log file. This command can then be used with command= as the restriction:

```
:~$ cat ssh-command-log
Wed Apr 30 15:10:54 CEST 2014: rsync --server -vlogDtprze.iLsf . /home/dailybackup
```
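
One way to turn the logged command into a restriction, as an added example that is not part of the original comments: a forced-command script that runs only the exact rsync invocation from the log, hands the three git-shell commands to `git-shell -c`, and rejects everything else. The script name `gate.sh`, the `--run` argument and the `GATE_LOG` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the issue: forced-command gate (hypothetical gate.sh).
# Assumed authorized_keys entry, key elided as on the page:
#   command="/home/dailybackup/gate.sh --run" ssh-rsa AAAAB3N[...]

# The rsync server invocation recorded in ssh-command-log in the comment above.
ALLOWED_RSYNC='rsync --server -vlogDtprze.iLsf . /home/dailybackup'
NL='
'

# classify CMD: print "rsync", "git" or "deny" for a client-supplied command.
classify() {
    case $1 in
        '') echo deny ;;                        # no command: interactive login
        *"$NL"*|*[\;\&\|\<\>\$\`\(\)]*) echo deny ;;  # newline or shell metacharacter
        "$ALLOWED_RSYNC") echo rsync ;;         # exact string match only
        git-upload-pack\ \'*\'|git-receive-pack\ \'*\'|git-upload-archive\ \'*\')
            echo git ;;                         # forms the git client sends over SSH
        *) echo deny ;;
    esac
}

# gate CMD: log the verdict, then run only what classify allowed.
gate() {
    verdict=$(classify "$1")
    printf '%s: %s: %s\n' "$(date)" "$verdict" "$1" \
        >> "${GATE_LOG:-$HOME/ssh-command-log}"
    case $verdict in
        rsync) exec $ALLOWED_RSYNC ;;           # run the constant, never client input
        git)   exec git-shell -c "$1" ;;        # git-shell validates the rest
        *)     echo "command not permitted" >&2; return 1 ;;
    esac
}

# Act only when installed as the forced command (called with --run).
if [ "${1:-}" = "--run" ]; then
    gate "${SSH_ORIGINAL_COMMAND:-}" || exit 1
fi
```

Unlike logssh.sh, this script never executes `$SSH_ORIGINAL_COMMAND` itself, so a client that changes the rsync target or appends a second command is logged with a `deny` verdict and disconnected.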
