Game of Trees daemon for Debian
===============================
To use the Game of Trees daemon to host git repositories, a few
manual setup steps are required. Below is an example for setting
up read-only anonymous access to a clone of the upstream got repository.
First we need to check out the got source code on our host machine.
----------------------------------------------------------------
# Create git directory
$ mkdir -p /var/git
$ cd /var/git
# Clone repository you are planning to serve with got
$ got clone ssh://anonymous@got.gameoftrees.org/got.git
# Alternatively you can use git
$ git clone --bare ssh://anonymous@got.gameoftrees.org/got.git
# Make sure the gotd user can access the directory
$ chown -R _gotd:_gotd /var/git
----------------------------------------------------------------
For our example we need to create an anonymous ssh login user and
group with an empty password to allow everyone read-only access.
For a more restricted setup it is also possible to create a developer
group and users with pre-shared ssh keys.
----------------------------------------------------------------
# Add anonymous user and group for ssh login
$ addgroup anonymous
$ adduser --disabled-password --comment "anonymous gotd login" \
    --shell /usr/bin/gotsh --ingroup anonymous anonymous
# Make sure the password entry is actually empty and not disabled
$ passwd -d anonymous
----------------------------------------------------------------
It is also strongly recommended to harden the anonymous user's
sshd config to make sure they can only run their gotsh shell.
In our case password authentication and empty passwords need to be
allowed explicitly.
/etc/ssh/sshd_config.d/gotd.conf:
================================================================
Match User anonymous
    DisableForwarding yes
    PermitTTY no
    PasswordAuthentication yes
    PermitEmptyPasswords yes
================================================================
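To check that the Match block above took effect and that empty passwords are not permitted for any other account, the effective settings can be audited. This is an added example, not part of the gotd package; the function names and the sample dumps are constructed, and it assumes input in the format printed by `sshd -T`.

```shell
#!/bin/sh
# Audit `sshd -T` style text (lowercase keyword, space, value).

# Print the value of keyword $1 from the dump in $2.
sshd_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# $1: effective settings for anonymous, $2: for any other account.
# Prints one line per finding; returns 0 only when there are none.
audit_gotd_sshd() {
    anon=$1 other=$2 rc=0
    for want in disableforwarding=yes permittty=no \
                passwordauthentication=yes permitemptypasswords=yes; do
        key=${want%%=*} val=${want#*=}
        actual=$(sshd_value "$key" "$anon")
        if [ "$actual" != "$val" ]; then
            echo "anonymous: $key is '${actual:-unset}', expected '$val'"
            rc=1
        fi
    done
    if [ "$(sshd_value permitemptypasswords "$other")" = yes ]; then
        echo "other users: permitemptypasswords applies outside the Match block"
        rc=1
    fi
    return "$rc"
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_ANON='disableforwarding yes
permittty no
passwordauthentication yes
permitemptypasswords yes'
SAMPLE_OTHER='disableforwarding no
permittty yes
passwordauthentication yes
permitemptypasswords no'

audit_gotd_sshd "$SAMPLE_ANON" "$SAMPLE_OTHER" && echo "sshd settings match the gotd example"
# On the live host, as root ("root" stands in for any non-anonymous account):
#   audit_gotd_sshd "$(sshd -T -C user=anonymous)" "$(sshd -T -C user=root)"
```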
Copy /usr/share/doc/gotd/examples/gotd.conf.example to /etc/gotd.conf and
modify it to point to our gotd git repository and allow read-only
access for the anonymous user:
/etc/gotd.conf:
================================================================
# Run as the default user
user _gotd
# ssh://anonymous@example.com/got
repository "got" {
    path "/var/git/got.git"
    permit ro anonymous
}
================================================================
Finally reload the sshd configuration and start the gotd service:
----------------------------------------------------------------
$ systemctl reload sshd
$ systemctl enable --now gotd
----------------------------------------------------------------
It should now be possible to clone the git repository with:
----------------------------------------------------------------
$ got clone ssh://anonymous@example.com/got
----------------------------------------------------------------
You can find more information on how to configure gotsh and gotd in
their respective man pages gotsh(1), gotd(8), and gotd.conf(5).