consider PAM=no for passwordless login
I had experienced some problems with password-less access to this server, but the following changes to /etc/ssh/sshd_config enabled this:
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM no
Thanks for the feedback.
RSAAuthentication is used for SSH protocol version 1; this version is obsolete and should not be used anywhere. Protocol version 2 is pretty universal these days.
PubkeyAuthentication is a perfectly valid setting but 'yes' is the default. Setting this to yes should not make any difference unless the SSH documentation is wrong.
Disabling PAM sounds like a good idea. I'd like to know what issues you were having. SSH login refused? Or did you get a banner when logging in as a git user? That can break git but adding a .hushlogin should fix it.
Basically, I prefer to avoid manually copying the ssh key on the host (which means touching /srv/docker_data/git/.ssh/authorized_key), and instead allow users to grant the access themselves by following these instructions:
- get the proper host (i.e. dev.example.com), port (i.e. 2222), dummy temporary credentials for the ssh-copy-id command (please ask the resource manager), and the name of the repository to access (i.e. yourrepo)
- generate openssh keys on your client machine
- grant yourself the access to the repo by
ssh-copy-id "[email protected] -p 2222"
and pass the credentials provided by resource manager to you before
- clone the repo via
git clone ssh://[email protected]:2222/git/yourrepo
In order to implement this I needed to add an additional docker mapping, -v /srv/docker_data/.ssh:/root/.ssh, to allow developers to log in as a user other than git-user (the root user in this case), since the git-user had some problems creating a terminal on login, producing
fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have read and execute access.
It would be nice of course to fix the ssh-copy-id / ssh login under the git user, since exposing the root user both needs further changes in sshd_config and is not good at all. I use the root user since any other changes to /etc/passwd and the user list are not persistent on the original unixtastic/git-ssh-server image, and may be broken by further image updates.
I have experienced immediate connection close after login if UsePAM yes. And you seem to be right about the uselessness of the PubkeyAuthentication / RSAAuthentication change.
Sorry, I want to share a better way to copy developers' public keys to the server. Instead of exposing an additional ssh user (to use ssh-copy-id), or performing manual copying to authorized_keys via the host system, it's better to place an addkey script in /git/git-shell-commands (see http://planzero.org/blog/2012/10/24/hosting_an_admin-friendly_git_server_with_git-shell). So you may just expose the git user password to developers to allow them to add their keys themselves.
That sounds like a good improvement. I'll look at adding it.
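
Added example, not part of the thread and not the linked blog's or the image's script: one way an addkey command under git-shell-commands could validate what it appends, so that anyone holding the shared git password can add only a single bare public key. The AUTH_KEYS path, the function names and passing the key as command arguments are assumptions.

```shell
#!/bin/sh
# Added example: key-validation logic for a hypothetical git-shell-commands/addkey.
# AUTH_KEYS location is an assumption; override it through the environment.
AUTH_KEYS="${AUTH_KEYS:-$HOME/.ssh/authorized_keys}"
NL='
'
CR=$(printf '\r')

# validate_pubkey LINE: succeed only if LINE is one bare OpenSSH public key.
validate_pubkey() {
    key_line=$1
    # Embedded line breaks would smuggle extra authorized_keys entries.
    case $key_line in *"$NL"*|*"$CR"*) return 1 ;; esac
    set -f; set -- $key_line; set +f      # split on whitespace without globbing
    [ $# -ge 2 ] || return 1
    # First field must be a key type; this rejects leading options such as
    # command="..." or from="...", which would change what the key may do.
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Second field must be base64; OpenSSH key blobs start with "AAAA".
    case $2 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        AAAA*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_key LINE: append a validated key once, keeping the file owner-only.
add_key() {
    validate_pubkey "$1" || { echo "rejected: not a single bare public key" >&2; return 1; }
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    mkdir -p "$(dirname "$AUTH_KEYS")" || return 1
    touch "$AUTH_KEYS" && chmod 600 "$AUTH_KEYS" || return 1
    grep -qF -- "$blob" "$AUTH_KEYS" && return 0     # already present
    printf '%s\n' "$1" >> "$AUTH_KEYS"
}

# Assumption: the key arrives as the command's arguments.
[ $# -eq 0 ] || add_key "$*"
```

The check is syntactic only; it does not decode the blob or confirm that the key type matches its contents.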