SSH Access Without OS Shell in GitLab
Exposing your GitLab server's SSH daemon to the internet is risky: the same daemon that serves Git also offers interactive shell logins to every OS account, so attackers who obtain any of those credentials get a shell on your server. Here we show a way to offer SSH for Git without opening access to the hosting OS's shell.
Step 1: Run a second sshd instance just for GitLab
Copy the sshd config file and create a symlink to the sshd binary in /usr/sbin (a separate binary name gives the GitLab instance its own process name and its own systemd unit):
sudo cp /etc/ssh/sshd_config /etc/ssh/gitlabsshd_config
cd /usr/sbin
sudo ln -s sshd gitlabsshd
Now open the copied config file:
sudo vim /etc/ssh/gitlabsshd_config
and set the following directives in it (choose an unused port; 5446 is only an example, and the Port line must contain nothing but the keyword and the number):
Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no
Note that sshd uses the first value it finds for each keyword, so edit existing uncommented Port or PasswordAuthentication lines in place rather than appending new ones below them, and put these directives before any Include line the copied file may contain, otherwise the included files win. The -t test mode used in the unit file below validates the file before you start the service.
Create a systemd unit file:
sudo vim /lib/systemd/system/sshgitlab.service
and put the following in it (it mirrors the distribution's ssh.service, pointing at the new binary and the copied config; the -t reload check must use -f as well, otherwise it validates the default /etc/ssh/sshd_config instead of the GitLab copy):
[Unit]
Description=Gitlab Only Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
ExecStart=/usr/sbin/gitlabsshd -D -f /etc/ssh/gitlabsshd_config
# validate the GitLab config before reloading, then signal the running daemon
ExecReload=/usr/sbin/gitlabsshd -t -f /etc/ssh/gitlabsshd_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify

[Install]
WantedBy=multi-user.target
Alias=gitlabsshd.service
Reload systemd, then enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable sshgitlab
sudo systemctl start sshgitlab
Step 2: Configure gitlab.rb
Open the GitLab config file:
sudo vim /etc/gitlab/gitlab.rb
Find 'gitlab_shell_ssh_port' and set it to the port you chose in the previous step (this setting controls the port GitLab shows in SSH clone URLs, so it must match the Port in gitlabsshd_config):
gitlab_rails['gitlab_shell_ssh_port'] = 5446
Reconfigure GitLab:
sudo gitlab-ctl reconfigure
Step 3: Open the SSH port on your firewall
This step varies with the firewall you use; with iptables you can use the command below (rules added this way are not persistent across reboots unless you save them with your distribution's mechanism):
sudo iptables -A INPUT -p tcp --dport 5446 -m state --state NEW -j ACCEPT
Now Git over SSH works on the new port, while nobody can reach an OS shell through it: the GitLab-only daemon accepts only the git user, and the authorized_keys entries GitLab manages force each key through gitlab-shell rather than a login shell. This holds as long as the regular sshd on port 22 stays closed to the internet.
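As an added check that is not part of the original article, the script below reads the directives sshd will actually use from the GitLab-only config (honouring the first-match rule) and verifies the hardening settings and the port agreement with gitlab.rb, using a constructed sample config that reproduces the appended-Port mistake; the function names and sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): check the GitLab-only sshd config
# before starting it and confirm gitlab.rb points at the same port.

# sshd_config(5) uses the FIRST value found for each keyword, so a "Port 5446"
# appended after an earlier uncommented "Port 22" loses, and settings pulled in by
# an early "Include /etc/ssh/sshd_config.d/*.conf" override everything after them.
# Prints the value sshd will actually use for a keyword in one file. Limitations:
# Include files are not followed and the "Keyword=value" spelling is not parsed.
sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive); stops at the first Match block
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# check_gitlab_sshd CONFIG GITLAB_RB: prints each problem found, returns 1 if any
check_gitlab_sshd() {
    cfg="$1"; rb="$2"; rc=0
    port=$(sshd_effective "$cfg" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "FAIL: Port is '${port:-unset}'; use a dedicated port, not 22"; rc=1; }
    for pair in "PasswordAuthentication no" "PermitRootLogin no" "AllowUsers git"; do
        set -- $pair    # $1 = keyword, $2 = expected value
        got=$(sshd_effective "$cfg" "$1" | tr 'A-Z' 'a-z')
        [ "$got" = "$2" ] || { echo "FAIL: $1 is '${got:-unset}', expected '$2'"; rc=1; }
    done
    # gitlab_rails['gitlab_shell_ssh_port'] = NNNN, as set in Step 2
    rbport=$(sed -n "s/^[[:space:]]*gitlab_rails\['gitlab_shell_ssh_port'\][[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$rb" | head -n 1)
    [ -n "$rbport" ] && [ "$rbport" = "$port" ] \
        || { echo "FAIL: gitlab.rb port '${rbport:-unset}' does not match sshd Port '${port:-unset}'"; rc=1; }
    return "$rc"
}

# Constructed sample input (not from any real host): Port 5446 was appended below
# an earlier uncommented "Port 22", exactly the trap the first-match rule creates.
demo=$(mktemp -d)
printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'AllowUsers git' 'PermitRootLogin no' 'Port 5446' > "$demo/gitlabsshd_config"
printf '%s\n' "gitlab_rails['gitlab_shell_ssh_port'] = 5446" > "$demo/gitlab.rb"
check_gitlab_sshd "$demo/gitlabsshd_config" "$demo/gitlab.rb" || echo "fix the config before starting sshgitlab"
rm -rf "$demo"
```

On a real host, run it as check_gitlab_sshd /etc/ssh/gitlabsshd_config /etc/gitlab/gitlab.rb and fix every FAIL line before starting sshgitlab.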
