
Using command="" in authorized_keys, I can restrict the commands that can be run by a particular key.

What commands do I need to allow in order to have a functioning git remote?

From the Pro Git book I can infer that git-upload-pack and git-receive-pack are required, but is there anything else?

Note I still want to be able to log into the user normally, just not with this key.


1 Answer

up vote 5 down vote accepted

Git includes a git-shell command suitable for use as a Git-only login shell. It accepts exactly the following commands:

git receive-pack
git upload-pack
git upload-archive
git-receive-pack
git-upload-pack
git-upload-archive
cvs server (used for emulating a CVS server, and not required for the Git protocol)

So these are the only commands you need to allow. Every version of Git I have access to only uses the hyphenated versions.

git-shell may be good enough in itself for what you want to do, too.


You can verify what Git is running for any particular command by setting GIT_SSH to a shim that echoes the arguments. Make a script ssh.sh:

#!/bin/bash
echo "$@" >&2

Then run:

GIT_SSH="./ssh.sh" git push

and you will see the remote command it tried to run.

So command="git-shell" ssh-rsa ... will work? –  aragilar Jul 1 '14 at 5:38
No, you'll want to list each of those commands above. git-shell is intended to be the login shell of a restricted git only user. –  bahamat Jul 1 '14 at 5:41
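An added example, not part of the posts above: one way to list the commands for a single key is to point command="" at a small wrapper that checks SSH_ORIGINAL_COMMAND against the Git transport commands from the answer and hands accepted requests to git-shell -c. The script path /usr/local/bin/git-only, the function names and the key line in the comment are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: forced-command wrapper for one authorized_keys entry.
# Hypothetical install path and constructed key line:
#   command="/usr/local/bin/git-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... user@host
# sshd runs this script instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

# Print the canonical verb for a request, or return 1 if the request is
# not one of the Git transport commands listed in the answer.
# "cvs server" is deliberately left out: Git remotes do not need it.
git_verb() {
    case "$1" in
        "git-receive-pack "*|"git receive-pack "*)     echo git-receive-pack ;;
        "git-upload-pack "*|"git upload-pack "*)       echo git-upload-pack ;;
        "git-upload-archive "*|"git upload-archive "*) echo git-upload-archive ;;
        *) return 1 ;;
    esac
}

# Refuse anything outside the list; otherwise let git-shell run it.
handle_request() {
    git_verb "$1" >/dev/null || {
        echo "denied: this key may only run Git transport commands" >&2
        return 1
    }
    # The request string is never evaluated by this script. git-shell
    # parses it itself and rejects a malformed repository argument.
    exec git-shell -c "$1"
}

# Only act when sshd supplied a request. An interactive login attempt
# with this key leaves the variable unset, so the script ends without
# starting a shell and the session closes.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    handle_request "$SSH_ORIGINAL_COMMAND"
fi
```

Other keys for the same account are unaffected, so normal logins keep working with them.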
