Javier Villanueva

Reputation: 4058

How can I set read only access to ssh git server?

I have a git repo on my server that I can push/pull through SSH just fine like:

git clone ssh://[email protected]/repositories/myrepo.git

It prompts me with my public key passcode and I'm able to fetch or push changes to it, but I was wondering if there was a way where I could set it up so people can clone it only with read access so they don't have to enter any SSH credentials.

Thanks in advance!

Upvotes: 1

Views: 4469

Answers (4)

Andy

Reputation: 46354

You could use git-daemon. That will remove the dependency on having valid ssh credentials.

Upvotes: 1

tzot

Reputation: 95911

Given that:

  • git clone ssh://remote/src/proj1 and subsequent git pull / git fetch execute git-upload-pack 'src/proj1' (with the quotes)
  • git push etc executes git-receive-pack 'src/proj1' on the remote server

in your ~/.ssh/authorized_keys you can set up a line beginning with:

command="/home/yourusername/bin/checker" ssh-…

where the … part is the public key of the private SSH key you will give your users.

The /home/yourusername/bin/checker can be a shell script along the lines of:

case $SSH_ORIGINAL_COMMAND in
(git-upload-pack*)
     # run git-upload-pack after unquoting its argument, optionally further restricting
     # access to specific directories
     ;;
(git-receive-pack*)
     exit 1 # deny access
     ;;
(*)
     exit 1 # allow nothing else
     ;;
esac

Please check the authorized_keys man page for extra security options like no-port-forwarding, which you most probably want to include along with the command="…" option in your authorized_keys file.

Upvotes: 1
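
The checker sketched in the answer above, filled in as an added example (it is not part of tzot's answer): it unquotes the git-upload-pack argument, rejects anything outside one directory tree, and denies pushes and every other command. The function name `repo_for_read`, the `ALLOWED_ROOT` variable and its default path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command checker for a read-only key in authorized_keys.
# ALLOWED_ROOT is an assumption; point it at the directory holding the repositories.
export LC_ALL=C                      # make the A-Z / a-z ranges below byte-exact
ALLOWED_ROOT=${ALLOWED_ROOT:-/home/yourusername/src}

# repo_for_read CMD ROOT HOME_DIR
# Prints the repository path if CMD is a fetch/clone request for a path
# under ROOT; returns 1 for pushes and for anything else.
repo_for_read() {
    cmd=$1 root=$2 home=$3
    case $cmd in
        "git-upload-pack '"*"'") ;;   # the only request form accepted
        *) return 1 ;;                # git-receive-pack, shells, scp, ...
    esac
    path=${cmd#"git-upload-pack '"}   # unquote: drop the prefix ...
    path=${path%"'"}                  # ... and the closing quote
    case $path in
        "") return 1 ;;                       # empty argument
        *[!A-Za-z0-9._/-]*) return 1 ;;       # quotes, spaces, shell metacharacters
        ..|../*|*/..|*/../*) return 1 ;;      # directory traversal
    esac
    case $path in
        /*) ;;                        # absolute, as sent for ssh://host/abs/path
        *) path=$home/$path ;;        # relative to the login directory
    esac
    # String prefix check only: symlinks inside ROOT are not resolved here.
    case $path in
        "$root"/*) printf '%s\n' "$path" ;;
        *) return 1 ;;
    esac
}

# Runs only when sshd invoked this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    repo=$(repo_for_read "$SSH_ORIGINAL_COMMAND" "$ALLOWED_ROOT" "$HOME") || {
        echo "read-only access: request denied" >&2
        exit 1
    }
    exec git-upload-pack "$repo"
fi
```

Because the path is passed to git-upload-pack as a single quoted argument and never re-evaluated by a shell, a request that smuggles extra commands after the closing quote is rejected by the character allow-list rather than executed.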

Johan Ehnberg

Reputation: 131

You can use git-shell, set only read permissions on the repository, and use key authentication. This is feasible when you are in control of who gets the key.

Upvotes: 1

misnomer

Reputation: 2594

Not through ssh, unless you wanted to distribute a public key they could log in with, and that is a terrible idea.

The way we got this functionality on our gitolite was to use git-daemon; you need to open a new port, but can specify per-repository which ones it will serve, and can specify read-only. Users would clone with the git protocol, i.e.

git clone git://domain.com/repositories/myrepo.git

Another way is to set the repository to be shared over a web server directly; then the user could access over standard http.

The page on the git community book here is a good overview, along with the man pages for git-daemon.

Upvotes: 4
