Correct way to set up shell for git user (and ssh)


I’ve been trying to set up the git user on our gitlab-ce server for use with SSH in a secure way. I’ve not found much information on gitlab-ce’s authorized_keys file.

What I’m trying to achieve is:
- git user uses git-shell
- ssh clone/push/pull operations work
- ssh using git user results in git shell limited to help and list

What I’ve done is this:
- created /var/opt/gitlab/git-shell-commands
- copied list and help commands to /var/opt/gitlab/git-shell-commands
- appended /usr/bin/git-shell to /etc/shells
- set git user shell to /usr/bin/git-shell via /etc/gitlab/gitlab.rb using user['shell'] = '/usr/bin/git-shell'
- git user’s home remains set as /var/opt/gitlab

What I’ve noticed is that within the .ssh/authorized_keys file for gitlab, the ssh command includes a path to gitlab-shell which cannot be reached upon ssh. A typical entry from gitlab-ce’s authorized_keys is like this:

command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-26",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa r5web56brvdbd5nt…

This is what is seen SSHing:

fatal: unrecognized command '/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-26'
Connection to closed.

(su-ing to the git user on the server works as expected - resulting in git shell)

Any ideas/help would be much appreciated.


the first section of this page seems to describe a similar problem…

having to modify the command each time a new key is added would be a nuisance

is the problem because both git-shell and gitlab-shell are being used?

perhaps I need a cronjob with sed running to correct the authorized_keys command to this: command="gitlab-shell key-xx",

could this be something residual from an upgrade of gitlab-ce ? (the path gitlab-ce keeps putting in the authorized_keys command)
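
An added example, not part of the thread and not GitLab's own code: sshd passes a forced command= string to the account's login shell as "shell -c <command>", so with git-shell as the login shell the string has to pass git-shell's own command check. The Python below is a simplified model of that check, run over constructed authorized_keys entries; the placeholder key material, the key-27 entry and the function names are assumptions.

```python
import re
import shlex

# Commands git-shell runs itself when invoked as `git-shell -c <command>`.
GIT_SHELL_BUILTINS = {"git-receive-pack", "git-upload-pack", "git-upload-archive"}

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = '''\
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-26",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER
command="gitlab-shell key-27",no-pty ssh-rsa AAAAPLACEHOLDER
'''

def forced_command(entry):
    """Return the command="..." option of an authorized_keys entry, or None."""
    m = re.search(r'(?:^|,)command="((?:\\.|[^"\\])*)"', entry)
    return m.group(1).replace('\\"', '"') if m else None

def git_shell_accepts(command, custom_commands):
    """Simplified model of how git-shell treats the string sshd passes via -c."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    if not argv:
        return False
    name = argv[0]
    if name in GIT_SHELL_BUILTINS:
        return True
    # Custom commands are looked up by bare name in ~/git-shell-commands;
    # names containing "/" or "." are refused.
    if "/" in name or "." in name:
        return False
    return name in custom_commands

def audit(authorized_keys_text, custom_commands):
    """Return [(forced command, accepted?)] for each entry that has one."""
    results = []
    for line in authorized_keys_text.splitlines():
        cmd = forced_command(line.strip())
        if cmd is not None:
            results.append((cmd, git_shell_accepts(cmd, custom_commands)))
    return results

if __name__ == "__main__":
    # custom_commands mirrors a git-shell-commands directory holding help and list.
    for cmd, ok in audit(SAMPLE_AUTHORIZED_KEYS, {"help", "list"}):
        print("accepted" if ok else "REJECTED", cmd)
```

Run against a copy of the real authorized_keys file and the actual contents of the git-shell-commands directory, this lists every key whose forced command the login shell would refuse.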