path: root/SETUP
blob: 54926cec60813af6b36f247abace913c5f34eb85 (plain)
Rhodecode Setup
===============


SSH Keys and access to public repos
===================================

The main goal is to have the same ACL when connecting to our git server
via the SSH protocol as the one enforced by the Rhodecode web interface.
All the user/group restrictions must apply to both read and write
access over SSH as well.

To manage this, all the groups and users from the Rhodecode database must
be mirrored and kept in sync with system users and groups.
A couple of potential problems were observed and discussed.


Rhodecode system user
---------------------

The Rhodecode app uses the 'rhodecode' system user for all git and mercurial
interactions, so this user must have read/write access over all repositories.
The easiest way to do this without interfering with other permissions is to
give user ownership of all repository directories to this user.
Group ownership will be used to control the SSH user/group ACL.

The question is whether having a user which can access all repositories
presents a security threat.
For one, we can disable shell access for this user after installation as well.
See the section on "Disabling shell access for git SSH users".


Nested groups
-------------

Since Rhodecode supports nested groups and the need for them will most
likely be present, there are a couple of ways to mimic this feature with
system groups. Both ways include some form of synchronization between the
Rhodecode users/groups and the system's ones.

The first solution assumes that all users and groups in Rhodecode are reflected
on the system. It involves having the sync script assign each system user
not only to the group he is assigned to in Rhodecode, but also to all
*parent* groups of that particular group.

The second solution involves having all the users from Rhodecode synced to the
system as well, but not all of the groups. A group will exist in the system if
and only if it is a *mother* group (meaning it has no parent) and it has at
least one user belonging to either that group or any child group.
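The two strategies above as an added example (not part of the original SETUP
notes): given a constructed group tree and the direct Rhodecode memberships,
compute the system groups each user ends up in, and which mother groups need
to exist at all. The group and user names are made-up sample data.

```python
# Added example, not part of the original SETUP notes: the system group
# membership each Rhodecode user gets under the two nested-group sync
# strategies above. Group and user names are constructed sample data.

# child group -> parent group; a group that is never a key has no parent
# and is therefore a "mother" group.
PARENT_OF = {
    "backend": "devs",
    "backend-api": "backend",
    "frontend": "devs",
    "ops": "infra",
}

# Direct group assignments as read from the Rhodecode database.
RHODECODE_MEMBERS = {
    "alice": {"backend"},
    "bob": {"frontend", "ops"},
    "carol": {"devs"},
    "dave": set(),
    "erin": {"backend-api"},
}


def lineage(group, parent_of=PARENT_OF):
    """`group` followed by its parents, nearest first, up to the mother group."""
    chain = [group]
    while group in parent_of:
        group = parent_of[group]
        if group in chain:  # a malformed tree must not loop the sync forever
            raise ValueError("cycle in group tree at %r" % group)
        chain.append(group)
    return chain

def sync_all_groups(members=RHODECODE_MEMBERS, parent_of=PARENT_OF):
    """First solution: every Rhodecode group exists on the system and a user
    is put into his own group plus every parent group of it."""
    return {user: {g for grp in groups for g in lineage(grp, parent_of)}
            for user, groups in members.items()}

def sync_mother_groups(members=RHODECODE_MEMBERS, parent_of=PARENT_OF):
    """Second solution: only mother groups exist on the system; a user is put
    into a mother group if he is in it or in any group below it."""
    return {user: {lineage(grp, parent_of)[-1] for grp in groups}
            for user, groups in members.items()}

def mother_groups_to_create(members=RHODECODE_MEMBERS, parent_of=PARENT_OF):
    """Mother groups that get a system group at all: only those with at least
    one user in them or in a child group."""
    return set().union(*sync_mother_groups(members, parent_of).values())
```

A real sync script would feed the result of either function to the system's
group management tools; the cycle check matters because a loop in the group
tree would otherwise hang the sync.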


Disabling shell access for git SSH users
----------------------------------------

In order for users to have access to git over SSH keys for public repositories,
the idea is to provide them with limited access to the git+ssh protocol only.
SSH keys will be picked up by Rhodecode from the LDAP service.

Users will be deprived of shell access to the system by forcing git-shell for
each user via the ``.ssh/authorized_keys`` file::

     # sshd runs the forced command through the user's login shell and exposes
     # the command the client asked for in $SSH_ORIGINAL_COMMAND; it must be
     # passed to git-shell as one quoted argument or git-shell rejects it.
     command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC***...***

For more info on git-shell and the commands it supports, please refer to the
git-shell manual.