July 26, 2013

Git + mercurial (hg) restricted shared ssh server.

I had a problem at work, where we needed to restrict vcs user’s access to only allow git and mercurial commands. There was a server that had been designated as the central repository server that everyone wash pushing to and pulling from, but as we added more users it became apparent that we should lock things down a bit to prevent repo tampering since everyone had shell access to the server and write permissions to their repos.

There are several existing solutions for this for git and mercurial individually but nothing that encompassed both of them.  I found a great idea here Code Your Own Multi-User Private Git Server in 5 Minutes and extended it to include hg commands, then locked down the hg commands using the same logic as hg-ssh. I removed the read/write logic since hg handles commands differently than git, and I can control that with file permissions for the users and repos to a certain degree.

You need to setup command restricted authorized_keys files for each user, then point the command to this script.

Here is an example of the authorized_keys file

I then used puppet to manage authorized_keys files for each user.