Git is available again

Par Yves le jeudi 20 avril 2017, 13:53 - Lien permanent

When I setup gitolite on my server for Git access through SSH, of course I did test that cloning worked from outside my network. That was for my Paperweb project.

Later I configured port-knocking on the server to get rid of bot-based authentication attempts that were polluting my log files. Unfortunately, at this time, the “outside” server on which I have an account was down, so I could not leave my network to check that all was fine; from the inside of the network, all worked like a charm, though!

Same situation when someone asked me for the Paperweb code by e-mail because they could not get it the normal Git way. I had no idea that port-knocking was the problem: from my side of the firewall, all worked correctly…

NOW, at last, I can once again access my network from the outside; and this is how I discovered that port-knocking had in effect completely closed all access to gitolite… except if you danced the right port-knocking dance, of course ;-)

To solve this situation, I opened a new port on the server: 2222, and I made OpenSSH listen to this new port in addition to the regular port 22. The lines added to sshd_config are these:

Port 2222

Match LocalPort 2222
  AllowUsers gitolite

The last two lines are necessary, or port-knocking on port 22 becomes useless: if anyone can freely use port 2222, why bother with port-knocking on port 22, right? So OpenSSH will accept connections on both ports, but only gitolite can actually use the unprotected port.

I sincerely apologize to all the people who tried to access Git on my server and could not because of this. The article on Paperweb has been updated accordingly.

Ajouter un commentaire

Le code HTML est affiché comme du texte et les adresses web sont automatiquement transformées.

La discussion continue ailleurs

URL de rétrolien : http://yalis.fr/cms/index.php/trackback/95

Fil des commentaires de ce billet