From a4cd831fbd924b766eb58b020a649f2f05b36807 Mon Sep 17 00:00:00 2001 From: Pete Travis Date: Tue, 22 Apr 2014 23:08:33 -0600 Subject: Starting a recipe on using a locked down account for automated git pulls --- en-US/git/secure-git-pull.xml | 142 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 en-US/git/secure-git-pull.xml diff --git a/en-US/git/secure-git-pull.xml b/en-US/git/secure-git-pull.xml new file mode 100644 index 0000000..c2d21f3 --- /dev/null +++ b/en-US/git/secure-git-pull.xml @@ -0,0 +1,142 @@ + + + + %BOOK_ENTITIES; +]> + + + +
+ Secure deployment with Git and SSH + + Git, a distributed version control system, can be used to transfer software and other files to remote systems. By configuring the remote system to pull content from a git repository on a schedule, deployment can be accomplished with a simple local merge. Configuring the system that hosts the repository to restrict access from the remote system enhances security without affecting the method's usefulness. + +
+ Required Ingredients + + + + Two computers running Fedora with a working network connection. + + + Git installed on both systems, and a git repository on one. + + + + A dedicated user account. + + + A dedicated SSH authentication key
+ + +
+
+ Directions + + Configuring the host + + Create and configure a new user account to use for the transfer. For security reasons, this account will only be allowed to interact with git. + + + First, identify the path to your git repository. Store it in a shell variable, for convenience. + + + repo_directory=/srv/repos/my-project.git + + + + + Create the user account. + + + useradd --home $repo_directory --shell /usr/bin/git-shell puller + + + + The options given to useradd restrict the user's account. Refer to the explanation below, and man useradd for further insight. + + + + --home $repo_directory - sets the account's home directory as the repository, using the shell variable from the previous step. + + + --shell /usr/bin/git-shell - Sets the login shell to git shell, a special utility provided with git that will only allow the user to execute git commands. + + + puller - The name of the user to create. Name the account something that will remind you of its purpose. + + + + + + Copy the public half of your ssh key into the user's home directory. + + mkdir $repo_directory/.ssh/ + + cp puller_id_rsa.pub $repo_direcory/.ssh/ + + + + + + Give the user read only access to the repository + + + + + + + + + <emphasis>Optional:</emphasis> tell git to ignore the ssh key + + You can add the ssh public key to your git repository to share it, or tell git to ignore they key with the instructions below. + + pushd $repo_directory + echo ".ssh/" >> .gitignore + git add .gitignore + git commit -m "Ignore $repo_directory/.ssh" + popd + + + + + + + + Configure the remote host to use your repository + + + + + + + + + + + +
+ +
+ References + + + Upstream Documentation + + + + + +
+ + + + -- cgit
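Review bot: the key-installation step in this hunk does not actually grant the `puller` account SSH access: `cp puller_id_rsa.pub $repo_direcory/.ssh/` misspells the variable (`$repo_direcory` expands to nothing, so the file is copied into `/.ssh/`), and even with the spelling fixed sshd reads `~/.ssh/authorized_keys`, not a loose `.pub` file. Suggest replacing the two lines with `cat puller_id_rsa.pub >> $repo_directory/.ssh/authorized_keys`, followed by `chown -R puller: $repo_directory/.ssh` and `chmod 700 $repo_directory/.ssh; chmod 600 $repo_directory/.ssh/authorized_keys`, since sshd's default StrictModes rejects keys in a directory the account does not own or that others can write, and the home directory here is a pre-existing repository rather than one created by useradd. Given that the stated purpose is to restrict what the remote system can do, the authorized_keys entry should also carry `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`; `git-shell` as the login shell limits which commands run, not which channel types the session may open. Two smaller points: the example path `/srv/repos/my-project.git` and "sets the account's home directory as the repository" imply a bare repository, but the optional `.gitignore` step runs `git add .gitignore` and `git commit` in that same directory, which requires a working tree, so the recipe should commit to one layout (and if `.ssh` ends up inside a non-bare checkout, an ignore rule is a weak substitute for keeping the key material outside the tree); and the "Give the user read only access", "Configure the remote host to use your repository" and "Upstream Documentation" entries are empty placeholders, understandable for a commit titled "Starting a recipe" but worth a TODO marker so the page is not published in this state.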