= Git Shell = '''`git-shell(1)`''' is a minimal shell meant for hosting git repositories over SSH. The shell exposes very little information or utility, minimizing attack surface. <> ---- == Installation == In most cases, `git-shell(1)` is provided by the `git` package. ---- == Setup == Interactive user creation scripts will offer the login shell as a configurable setting. Simply select `git-shell` at this stage. For a non-interactive approach, try: {{{ adduser --create-home --shell $(command -v git-shell) git }}} For more details, see [[Linux/Users|here]] To set `git-shell` as the login shell for an existing user, try: {{{ chsh --shell $(command -v git-shell) username }}} ---- == Advanced Configuration == In some cases, it is necessary to have an actual home directory for the git user. For example, in order to restrict access to remote users with a passkey, a truly private (i.e. only the login is a member of its user group) home directory has to exist. Create the git user in a more normal manner. Then, establish some very simple configuration files. {{{ # create user adduser --create-home git # login as user su - git # create SSH passkeys directory mkdir .ssh chmod 700 .ssh touch .ssh/authorized_keys # create profile that will set $HOME and kick user into git-shell cat < .profile #!/bin/sh export HOME=/var/git exec /usr/bin/git-shell EOF }}} Lastly, address the SSH URL issue. As-is, repositories must be named by absolute path to clone over SSH. (`git clone user@host:/var/git/my-repo.git` instead of `git clone user@host:my-repo.git`) There isn't a perfect solution to this, but there's a very simple ''good enough'' solution. By creating a symbolic link within the git user's home directory, remote users can specify a relative path to the repositories. (`git clone user@host:repos/my-repo.git`) {{{ ln -s /var/git ~/repos }}} Alternatively, given enough patience/cleverness, you can create symbolic links to every repository within the git user's home directory. {{{ for repo in /var/git/*; do ln -s "$repo" "~/$(basename "$r")" done }}} ---- CategoryRicottone