Can you specify git-shell in .ssh/authorized_keys to restrict access to only git commands via ssh?


I'd like to be able to use an SSH key for authentication, but still restrict the commands that can be executed over the SSH tunnel.

With Subversion, I've achieved this by using a .ssh/authorized_keys file like:

command="/usr/local/bin/svnserve -t --tunnel-user matt -r /path/to/repository",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIetc...

I've tried this with "/usr/bin/git-shell" in the command, but I just get the funky old "fatal: What do you think I am? A shell?" error message.

Best Answer

The following works for me.

In ~/.ssh/authorized_keys:

command="./gitserve",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB…

In the ~/gitserve script:

#!/bin/sh
exec git-shell -c "$SSH_ORIGINAL_COMMAND"

Note that if you put gitserve somewhere other than the home directory, you will have to adjust the command="./gitserve" parameter in authorized_keys.
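
A stricter variant of the gitserve wrapper above, as an added example that is not part of the original answer: it refuses sessions that carry no command and hands git-shell only the three Git transfer services, and only for repositories under one directory. GIT_ROOT (defaulting to /srv/git) and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: stricter ~/gitserve. GIT_ROOT and the function names are
# assumptions for this sketch; they do not come from the original answer.
GIT_ROOT="${GIT_ROOT:-/srv/git}"   # hypothetical directory holding the repositories

# Print "allow" or "deny: <reason>" for the command string the client sent.
# Returns 0 on allow, 1 on deny. Symlinks under GIT_ROOT are not resolved.
gitserve_check() {
    cmd=$1
    if [ -z "$cmd" ]; then
        echo "deny: interactive login"; return 1
    fi
    # Git clients send: <service> '<path>'
    service=${cmd%% *}
    arg=${cmd#* }
    case $service in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) echo "deny: service not allowed"; return 1 ;;
    esac
    case $arg in
        "'"*"'") path=${arg#"'"}; path=${path%"'"} ;;
        *) echo "deny: malformed argument"; return 1 ;;
    esac
    case $path in
        *"'"*|*/../*|*/..) echo "deny: bad path"; return 1 ;;
        "$GIT_ROOT"/*) echo "allow" ;;
        *) echo "deny: outside GIT_ROOT"; return 1 ;;
    esac
}

gitserve_main() {
    verdict=$(gitserve_check "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "gitserve: $verdict" >&2
        exit 1
    }
    exec git-shell -c "$SSH_ORIGINAL_COMMAND"
}

# Run only when installed under the name "gitserve", so the file can also be
# sourced to exercise gitserve_check on its own.
case ${0##*/} in
    gitserve) gitserve_main ;;
esac
```

The denial reason goes to stderr, so the Git client shows it to the user instead of a bare connection failure.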