SSH Gitlab

SSH Access Without OS Shell in Gitlab

Exposing your GitLab server's SSH port on the internet can be dangerous, because the same sshd that serves Git also accepts logins to the host OS, so a compromised or weak account gives an attacker a shell on the server. Here we show a way to enable SSH for Git without opening access to a shell on the hosting OS.

Step 1: Run another SSH instance just for gitlab

Copy the sshd config file and create a symbolic link to the sshd binary in /usr/sbin:

sudo cp /etc/ssh/sshd_config /etc/ssh/gitlabsshd_config
cd /usr/sbin
sudo ln -s sshd gitlabsshd

Now open the copied sshd config file:

sudo vim /etc/ssh/gitlabsshd_config

And make the changes below in it (5446 is only an example; pick a random unused port of your own):

Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no

Create a systemd service file:

sudo vim /lib/systemd/system/sshgitlab.service

And copy the config below into it:

[Unit]
Description=Gitlab Only Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
ExecStart=/usr/sbin/gitlabsshd -D -f /etc/ssh/gitlabsshd_config
ExecReload=/usr/sbin/gitlabsshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify

[Install]
WantedBy=multi-user.target
Alias=gitlabsshd.service

Reload the systemd daemon, then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable sshgitlab
sudo systemctl start sshgitlab

Step 2: Configure gitlab.rb

Open the GitLab config file:

sudo vim /etc/gitlab/gitlab.rb

Find ‘gitlab_shell_ssh_port’ and set it to the port you chose in the previous step:

gitlab_rails['gitlab_shell_ssh_port'] = 5446

Reconfigure GitLab:

sudo gitlab-ctl reconfigure

Step 3: Open SSH port on your firewall

This step varies depending on which firewall you’re using, but if you’re using iptables you can use the command below:

sudo iptables -A INPUT -p tcp --dport 5446 -m state --state NEW -j ACCEPT

Now you can use Git over SSH, but users of this SSH instance cannot get a shell on your OS.
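The following audit script is an added example, not part of the original post. It checks that the copied config from Step 1 actually carries the four hardening directives and that its port matches the gitlab_shell_ssh_port set in Step 2, which is the mismatch most likely to leave the Git instance unusable or the wrong port open. It also warns about one thing the post does not cover: a copied sshd_config keeps the main sshd's default PidFile, so both daemons write the same pid file. All file paths and contents below are constructed samples in a temp directory; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added audit script (not from the post): checks that a dedicated GitLab sshd
# config carries the hardening above and agrees with gitlab.rb on the port.
# All file paths below are constructed samples in a temp dir, not real files.

# Print the effective value of one sshd_config directive in the global section.
# sshd uses the FIRST occurrence of a keyword, so stop at the first hit, and
# stop entirely at a Match block. Keyword comparison is case-insensitive, so
# this also accepts the lower-case output of `sshd -T -f <file>`.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print the uncommented gitlab_shell_ssh_port value from a gitlab.rb file.
gitlab_rb_ssh_port() {
    awk -F'=' '
        /^[[:space:]]*gitlab_rails\[.gitlab_shell_ssh_port.\][[:space:]]*=/ {
            gsub(/[^0-9]/, "", $2); print $2; exit
        }
    ' "$1"
}

# Return 0 if $1 (config file) enforces the post's settings on port $2, else 1.
# Each failed check is printed so the output doubles as a to-do list.
audit_git_sshd() {
    cfg="$1"; want_port="$2"; rc=0
    [ "$(sshd_directive "$cfg" Port)" = "$want_port" ] \
        || { echo "FAIL: Port is not $want_port (sshd and gitlab.rb must agree)"; rc=1; }
    [ "$(sshd_directive "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_directive "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ] \
        || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_directive "$cfg" AllowUsers)" = "git" ] \
        || { echo "FAIL: AllowUsers must list only git"; rc=1; }
    # Not covered by the post: a copied config keeps the main sshd's default
    # PidFile, so the two daemons overwrite each other's pid file. Warn only.
    case "$(sshd_directive "$cfg" PidFile)" in
        ""|*/sshd.pid) echo "WARN: PidFile unset or shared with the main sshd; set a separate one" ;;
    esac
    return "$rc"
}

# --- constructed sample inputs (stand-ins for the real files) ---
tmp=$(mktemp -d)
cat > "$tmp/gitlabsshd_config" <<'EOF'
# hardened copy, as edited in Step 1
Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no
PidFile /run/gitlabsshd.pid
EOF
cat > "$tmp/unedited_sshd_config" <<'EOF'
# fresh copy of a stock sshd_config: defaults commented out, root still allowed
#Port 22
#PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF
cat > "$tmp/gitlab.rb" <<'EOF'
# gitlab_rails['gitlab_shell_ssh_port'] = 22
gitlab_rails['gitlab_shell_ssh_port'] = 5446
EOF

port=$(gitlab_rb_ssh_port "$tmp/gitlab.rb")
echo "gitlab.rb advertises SSH on port $port"
audit_git_sshd "$tmp/gitlabsshd_config" "$port" && echo "hardened copy: OK"
audit_git_sshd "$tmp/unedited_sshd_config" "$port" || echo "unedited copy: rejected, as expected"
```

On a real host, point the functions at /etc/ssh/gitlabsshd_config and /etc/gitlab/gitlab.rb instead of the samples. Because sshd honours only the first occurrence of a keyword, a directive you appended below an earlier commented-out one is fine, but one appended below an earlier active one is silently ignored; running the audit against the daemon's own view (`sshd -T -f /etc/ssh/gitlabsshd_config`, whose output uses lower-case keywords the parser accepts) catches that case as well.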
