| author | Elizabeth Hunt <me@liz.coffee> | 2025-12-05 21:43:18 -0800 |
|---|---|---|
| committer | Elizabeth Hunt <me@liz.coffee> | 2025-12-05 22:19:52 -0800 |
| commit | 8667f8615da479a8e9c4e8d5bb5987632d75bfaf (patch) | |
| tree | e3b4bdb4ebe4f0010c90dd43970822bbe8f8d4a6 /sshd_code_user.conf | |
| parent | 4cde5dedcf35f2d5850ce0479f25d29bac74daf7 (diff) | |
Add ssh server
Diffstat (limited to 'sshd_code_user.conf')
| -rw-r--r-- | sshd_code_user.conf | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_code_user.conf b/sshd_code_user.conf
new file mode 100644
index 0000000..19ef103
--- /dev/null
+++ b/sshd_code_user.conf
@@ -0,0 +1,28 @@
+# SSH configuration for the "code" user
+# This user can only access git repositories and cannot read other system files
+
+# Explicitly deny root login
+PermitRootLogin no
+
+# Deny user environment manipulation globally
+PermitUserEnvironment no
+
+# Only allow the "code" user to login via SSH
+AllowUsers code
+
+Match User code
+ # Only allow public key authentication
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitEmptyPasswords no
+
+ # Use authorized_keys from a volume mount (outside the repositories directory)
+ AuthorizedKeysFile /etc/ssh/authorized_keys_code
+
+ # Restrict to necessary commands only - harden SSH
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PermitTunnel no
+ GatewayPorts no
+ PermitTTY yes
|
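Review bot: The comment "Restrict to necessary commands only" in the Match block is not backed by any command restriction in this file — none of the options that follow limit what the "code" user can run, so the header claim that this user "can only access git repositories" depends entirely on the account's login shell (e.g. git-shell) or a `command=` option in the authorized_keys file, neither of which is visible in this commit. If that shell is a normal one, `PermitTTY yes` hands out a full interactive session. Consider enforcing it in sshd itself, e.g. `ForceCommand git-shell -c "$SSH_ORIGINAL_COMMAND"` inside the Match block, and setting `PermitTTY no` unless interactive git-shell use is actually needed. Since the keys come from a volume-mounted `/etc/ssh/authorized_keys_code`, a one-line comment noting that the file must be root-owned and not writable by "code" (otherwise the user can add keys, and `StrictModes` will not protect a file outside the home directory) would document the remaining trust assumption.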
