Exposing your GitLab server's SSH port on the internet can be dangerous: the same sshd that serves Git traffic also gives attackers a path to a shell on your server. Here is a way to enable SSH for Git without opening shell access to the hosting OS.
Step 1: Run another SSH instance just for gitlab
Copy the sshd config file and make a symbolic link to the sshd binary in /usr/sbin:
sudo cp /etc/ssh/sshd_config /etc/ssh/gitlabsshd_config
cd /usr/sbin
sudo ln -s sshd gitlabsshd
Now open the copied ssh config file:
sudo vim /etc/ssh/gitlabsshd_config
And make the changes below in it (the port is only an example; choose an unused port of your own):
Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no
Create a systemd service file:
sudo vim /lib/systemd/system/sshgitlab.service
And copy below config in it:
[Unit]
Description=Gitlab Only Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
ExecStart=/usr/sbin/gitlabsshd -D -f /etc/ssh/gitlabsshd_config
ExecReload=/usr/sbin/gitlabsshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=gitlabsshd.service
Reload systemd daemon, enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable sshgitlab
sudo systemctl start sshgitlab
Step 2: Configure gitlab.rb
Open the GitLab config file:
sudo vim /etc/gitlab/gitlab.rb
Find 'gitlab_shell_ssh_port' and set it to the port you chose in the previous step:
gitlab_rails['gitlab_shell_ssh_port'] = 5446
Reconfigure GitLab:
sudo gitlab-ctl reconfigure
Step 3: Open SSH port on your firewall
This step varies depending on which firewall you're using, but with iptables you can use the command below:
sudo iptables -A INPUT -p tcp --dport 5446 -m state --state NEW -j ACCEPT
Now Git over SSH works on the new port, while that sshd instance accepts only the git user with key authentication, so users cannot get a shell on your OS.
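The whole setup hinges on the three directives in the copied config plus a port that does not collide with the host sshd. The script below is an added example, not part of the original post: a small POSIX sh audit that reads an sshd_config-style text and reports whether the GitLab-only instance is actually hardened. It assumes plain "Keyword value" lines with no Match blocks, and the two sample configs embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config-style text for the
# directives the article sets on the GitLab-only sshd instance.
# Assumptions: plain "Keyword value" lines, first occurrence wins (as sshd does),
# no Match blocks. Sample configs at the bottom are constructed.

# Print the effective value of a keyword: the first non-comment line whose first
# token matches (case-insensitive), minus that token. Prints nothing if unset.
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == tolower(key) {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
      print
      exit
    }'
}

# Return 0 if every hardening directive has the expected value, 1 otherwise,
# printing one line per directive. An unset directive is a failure: the sshd
# defaults (password logins allowed, no AllowUsers restriction) are exactly
# the exposure the article avoids.
audit_gitlab_sshd() {
  cfg=$1
  rc=0
  for pair in "PasswordAuthentication=no" "PermitRootLogin=no" "AllowUsers=git"; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(effective_value "$cfg" "$key")
    if [ "$got" = "$want" ]; then
      echo "ok   $key $got"
    else
      echo "FAIL $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done
  # The second instance must not share port 22 with the host sshd.
  port=$(effective_value "$cfg" Port)
  case $port in
    ""|22) echo "FAIL Port is '${port:-unset}'; use a dedicated port"; rc=1 ;;
    *)     echo "ok   Port $port" ;;
  esac
  return $rc
}

# Constructed sample: the config as the article describes it.
GOOD_CFG='# gitlabsshd_config (constructed sample)
Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no'

# Constructed sample: a stock copy with only the port changed. The commented
# PasswordAuthentication line is ignored, so password logins for every local
# user are still reachable on the new port.
UNHARDENED_CFG='# constructed sample
Port 5446
#PasswordAuthentication no
PermitRootLogin prohibit-password'

if [ "${1:-}" = "--demo" ]; then
  audit_gitlab_sshd "$GOOD_CFG"; echo "exit=$?"
  audit_gitlab_sshd "$UNHARDENED_CFG"; echo "exit=$?"
fi
```

Run it with `--demo` to see both samples, or feed it the real file with `audit_gitlab_sshd "$(cat /etc/ssh/gitlabsshd_config)"`. It complements, rather than replaces, `sudo /usr/sbin/gitlabsshd -t -f /etc/ssh/gitlabsshd_config` (the same syntax check the unit's ExecReload runs): that catches a file sshd refuses to load, while the audit catches a file that loads fine but still carries the permissive defaults.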