From 574bb07847a98dedc64976d92e4a11810c6abe99 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Wed, 5 Mar 2025 14:13:26 +0100
Subject: [PATCH] git user must be enabled

---
 Dockerfile | 8 ++---
 sshd_config | 97 +++++++++++++++--------------------------------------
 2 files changed, 29 insertions(+), 76 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 523bf26..9729f08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,12 +8,8 @@ RUN pip3 install jupyter
 ADD supervisor/ /etc/supervisor/conf.d/
-RUN adduser --disabled-login --gecos 'Gitea' git
-# by default, git account is created as inactive which prevents login via openssh
-# https://github.com/gitlabhq/gitlabhq/issues/5304
-RUN passwd -d git
-
-RUN mkdir -p /home/git/gitea
+RUN useradd --comment "Gogs" --create-home --shell /bin/bash git
+RUN passwd -d git # by default, git account is created as inactive which prevents login via openssh. this disables password for account
 WORKDIR /home/git
 # for autosign feature
diff --git a/sshd_config b/sshd_config
index fae92d8..9f4d969 100644
--- a/sshd_config
+++ b/sshd_config
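Review bot: `RUN passwd -d git` unlocks the account by deleting its password outright, which leaves git with an empty password for every local PAM path (su, login, cron), not just for sshd; the narrower way to clear the `!` lock that `useradd` writes to /etc/shadow is an unusable-but-unlocked hash, `RUN usermod -p '*' git`, which Linux builds of sshd do not treat as locked, so public-key logins work while no password can ever authenticate. The companion sshd_config hunk sets `PasswordAuthentication no` and `PermitEmptyPasswords no`, so the empty password is not reachable over SSH today, but that protection lives in a different file and a later config edit would expose it silently. The explanation is currently a shell comment appended to the RUN command itself; placing it above the instruction as a Dockerfile `#` comment keeps it out of the executed command and the image history. Whether anything still depends on `/home/git/gitea` after the dropped `RUN mkdir -p` is not visible in this hunk.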
@@ -1,80 +1,37 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
 Port 29418
-# Use these options to restrict which interfaces/protocols sshd will bind to
+
+AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::
-Protocol 2
-# HostKeys for protocol version 2
+
 HostKey /app/data/sshd/ssh_host_rsa_key
-HostKey /app/data/sshd/ssh_host_dsa_key
 HostKey /app/data/sshd/ssh_host_ecdsa_key
 HostKey /app/data/sshd/ssh_host_ed25519_key
-# Logging
-SyslogFacility AUTH
 LogLevel INFO
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin prohibit-password
-StrictModes yes
-
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM no
+# no reverse DNS lookup
 UseDNS no
+UsePAM no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+
+LoginGraceTime 120
+StrictModes yes
+PubkeyAuthentication yes
+PermitUserEnvironment yes
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+HostbasedAuthentication no
+
+AllowUsers git
+
+Banner none
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+AcceptEnv GIT_PROTOCOL LANG LC_*
+
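Review bot: `PermitUserEnvironment yes` lets any key holder set arbitrary environment variables via `~/.ssh/environment` or `environment=` options in authorized_keys, and sshd_config(5) itself warns this can bypass access restrictions through mechanisms such as `LD_PRELOAD`, which matters most when every key carries a forced `command=` as Gitea/Gogs-managed authorized_keys entries typically do; nothing in the new file appears to need it, since `GIT_PROTOCOL` already arrives through the `AcceptEnv GIT_PROTOCOL LANG LC_*` line, so it should become `PermitUserEnvironment no` (the default) unless a specific consumer of ~/.ssh/environment exists. The sftp path also moved from `/usr/lib/openssh/sftp-server` to `/usr/lib/ssh/sftp-server`; the former is the Debian/Ubuntu location and the latter Alpine/Arch, and the removed `adduser --disabled-login --gecos` line in the Dockerfile hunk suggests a Debian-derived base, so either confirm the binary exists in the image or drop the `Subsystem sftp` line entirely, as a git-only host has no use for SFTP. `ChallengeResponseAuthentication` is a deprecated alias in current OpenSSH (8.7 and later); `KbdInteractiveAuthentication no` is the current spelling with the same meaning.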