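# sshd configuration for the "code" user.
# Intent: this user is meant to reach git repositories only. Note that sshd
# alone does not stop the user from reading other files on the system — that
# depends on filesystem permissions and on the user's login shell, neither of
# which is configured here (see the NOTE(review) on command restriction below).

# Never allow direct root login, regardless of authentication method.
PermitRootLogin no

# Do not let ~/.ssh/environment or authorized_keys environment= options set
# variables for the session (e.g. LD_PRELOAD tricks).
PermitUserEnvironment no

# Only the "code" account may authenticate at all; every other user is
# rejected before authentication regardless of credentials.
AllowUsers code

Match User code
    # Accept public keys only. PasswordAuthentication alone does not disable
    # keyboard-interactive (PAM) prompts, which can still ask for a password,
    # so challenge/response is turned off as well and the accepted method set
    # is pinned to publickey. (ChallengeResponseAuthentication is the
    # long-standing spelling; newer releases accept it as an alias for
    # KbdInteractiveAuthentication.)
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PermitEmptyPasswords no
    AuthenticationMethods publickey

    # Keys are read from a volume-mounted file outside the repositories
    # directory, so nothing the user can push into a repo can grant access.
    # NOTE(review): keep this file owned by root (or "code") and not group/world
    # writable; with the default StrictModes sshd refuses badly-permissioned
    # key files, so a misconfigured mount locks the user out rather than
    # silently widening access.
    AuthorizedKeysFile /etc/ssh/authorized_keys_code

    # Disable every forwarding and tunnelling feature so an SSH session cannot
    # be used as a pivot into the host or network.
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no

    # NOTE(review): nothing here actually limits which commands the user may
    # run — there is no ForceCommand, and the login shell is outside this
    # file. Enforcing "git only" requires a ForceCommand (e.g. a git-shell
    # wrapper), a restricted login shell, or command=/restrict options in the
    # authorized_keys file. A TTY is left enabled below; a git-only user
    # normally does not need one, so PermitTTY no is worth considering once
    # command restriction is in place — confirm against how the user is used.
    PermitTTY yes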