Git is available again
By Yves on Thursday, 20 April 2017, 13:53 - Permanent link
When I set up gitolite on my server for Git access through SSH, of course I did test that cloning worked from outside my network. That was for my Paperweb project.
Later I configured port-knocking on the server to get rid of bot-based authentication attempts that were polluting my log files. Unfortunately, at that time, the “outside” server on which I have an account was down, so I could not leave my network to check that all was fine; from the inside of the network, all worked like a charm, though!
Same situation when someone asked me for the Paperweb code by e-mail because they could not get it the normal Git way. I had no idea that port-knocking was the problem: from my side of the firewall, all worked correctly…
NOW, at last, I can once again access my network from the outside; and this is how I discovered that port-knocking had in effect completely closed all access to gitolite… except if you danced the right port-knocking dance, of course ;-)
To solve this situation, I opened a new port on the server: 2222, and I made OpenSSH listen to this new port in addition to the regular port 22. The lines added to sshd_config are these:
Port 2222
Match LocalPort 2222
AllowUsers gitolite
The last two lines are necessary, or port-knocking on port 22 becomes useless: if anyone can freely use port 2222, why bother with port-knocking on port 22, right? So OpenSSH will accept connections on both ports, but only the gitolite user can actually log in over the unprotected port.
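Here is a fuller version of that fragment, as an added example rather than the post's own sshd_config: it assumes a stock OpenSSH 6.5 or later (Match LocalPort needs that) and the gitolite account being named gitolite, as above. Two details matter when copying it. First, as soon as any Port line exists, sshd stops listening on 22 by default, so both ports must be listed explicitly or the knock-protected port silently disappears. Second, a Match block extends to the next Match line or to the end of the file, so every directive placed after it is scoped to port 2222; keep it last.

```sshd_config
# /etc/ssh/sshd_config (relevant lines only; added example, not the post's file)

# Once a Port line is present, 22 is no longer implied: list both.
Port 22
Port 2222

# Global settings; these still apply to the knock-protected port 22.
PermitRootLogin no
PasswordAuthentication no

# Everything below applies only to connections arriving on 2222.
# A Match block runs to the next Match or end of file, so keep it last.
Match LocalPort 2222
    # Only the gitolite account may authenticate on the open port...
    AllowUsers gitolite
    # ...and only with a key. gitolite's authorized_keys pins every key to
    # a forced command, so a key that is accepted here never reaches a shell.
    PubkeyAuthentication yes
    PasswordAuthentication no
    # Also close the PAM keyboard-interactive path that could still offer a
    # password prompt (KbdInteractiveAuthentication on newer releases).
    ChallengeResponseAuthentication no
    # Nothing on this port needs tunnels.
    AllowTcpForwarding no
    X11Forwarding no
```

Before reloading, `sshd -t` checks the syntax, and `sshd -T -C user=gitolite,lport=2222` versus `sshd -T -C user=someone,lport=2222` prints the effective settings each connection would get, which is the quickest way to confirm that the Match block is scoped the way you think. From outside the network, `ssh -p 2222 gitolite@yourhost info` should print gitolite's access list for your key, while the same command with any other user name is refused before authentication is even attempted. One caveat: scanners will find 2222 within hours, so the log noise does not vanish, it just moves to the gitolite account on the new port and fails there.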
I sincerely apologize to all the people who tried to access Git on my server and could not because of this. The article on Paperweb has been updated accordingly.