1. The better way:
# create git user
sudo adduser git
su git
cd
## configure ssh
mkdir .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
## append ssh public keys from your team members
cat /tmp/id_rsa.yours.pub >> ~/.ssh/authorized_keys
cat /tmp/id_rsa.others.pub >> ~/.ssh/authorized_keys
# restrict ssh access
cat /etc/shells # see if `git-shell` is already in there. If not…
which git-shell # make sure git-shell is installed on your system.
sudo nano /etc/shells # and add the path to git-shell from last command
sudo chsh git # and enter the path to git-shell, usually: /usr/bin/git-shell
# create git repo
git init --bare project.git
Reference URL: http://blog.airobot.org/2016/10/09/搭建简易git私服/
2. The brute force way:
Put the restriction below in the ~/.ssh/authorized_keys file:
command="/path/to/git_rsh.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3….o9M9qz4xqGCqGXoJw= user@host
The git_rsh.sh script:
#!/bin/sh
# Expects to be called as: git_rsh.sh -c "<command>", which is how sshd
# invokes a user's login shell when the client requests a command.
if [ $# -ne 2 ] || [ "$1" != "-c" ] ; then
    printf "interactive login not permitted\n"
    exit 1
fi
# Split the requested command line into words: $1 = command, $2 = path.
set -- $2
if [ $# != 2 ] ; then
    printf "wrong number of arguments\n"
    exit 1
fi
# Only the two git transport commands are allowed.
case "$1" in
    ( git-upload-pack | git-receive-pack )
        ;; # continue execution
    ( * )
        printf "command not allowed\n"
        exit 1
        ;;
esac
# Canonicalize the path name: we don't want to escape out of
# /git via ../ path components.
gitpath=$(readlink -f "$2") # GNU Coreutils specific
case "$gitpath" in
    ( /git/* )
        ;; # continue execution
    ( * )
        printf "access denied outside of /git\n"
        exit 1
        ;;
esac
if ! [ -e "$gitpath" ] ; then
    printf "that git repo doesn't exist\n"
    exit 1
fi
"$1" "$gitpath"
Reference URL: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login
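When a script is attached to a key with command= as in the authorized_keys line above, sshd passes the client's request in the SSH_ORIGINAL_COMMAND environment variable rather than as -c arguments, and git clients send the repository path single-quoted. The following is an added example, not from the original page or the referenced answer, that applies the same checks to that case; GIT_ROOT and check_git_request are names chosen here, and GNU readlink is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. GIT_ROOT and check_git_request
# are names chosen here; /git is the repository root the page's script uses.
GIT_ROOT=${GIT_ROOT:-/git}

# Validate one client request as sshd passes it in SSH_ORIGINAL_COMMAND.
# Prints "<command> <canonical path>" and returns 0 if allowed, else returns 1.
check_git_request() {
    req=$1
    [ -n "$req" ] || { echo "interactive login not permitted" >&2; return 1; }
    cmd=${req%% *}
    arg=${req#* }
    [ "$cmd" != "$req" ] || { echo "wrong number of arguments" >&2; return 1; }
    case $cmd in
        git-upload-pack|git-receive-pack) ;;
        *) echo "command not allowed" >&2; return 1 ;;
    esac
    # git clients send the path single-quoted: git-upload-pack '/git/x.git'
    case $arg in
        \'*\') arg=${arg#\'}; arg=${arg%\'} ;;
    esac
    # Allow-list the characters so nested quoting or whitespace is rejected.
    case $arg in
        ''|*[!A-Za-z0-9_./-]*) echo "bad repository path" >&2; return 1 ;;
    esac
    # Canonicalize (GNU readlink) so ../ and symlinks cannot leave GIT_ROOT.
    root=$(readlink -f "$GIT_ROOT") || return 1
    path=$(readlink -f "$arg") || { echo "access denied" >&2; return 1; }
    case $path in
        "$root"/*) ;;
        *) echo "access denied outside of $GIT_ROOT" >&2; return 1 ;;
    esac
    [ -d "$path" ] || { echo "that git repo doesn't exist" >&2; return 1; }
    printf '%s %s\n' "$cmd" "$path"
}

# Runs only when the client asked for a command. An interactive login has no
# SSH_ORIGINAL_COMMAND, so the script ends and the session closes with no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    allowed=$(check_git_request "$SSH_ORIGINAL_COMMAND") || exit 1
    exec "${allowed%% *}" "${allowed#* }"
fi
```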