Security for Private Git Repositories when Dealing with SSH?

Is it normal that any user with a SSH key can clone a private git repository using SSH? I thought that since a project was private, it would only be available to the user that created it along with users granted access to it?

Granted, a normal user won’t be able to see the SSH git URL to the private project, but if it is given to him by someone with permission to the project, it can be cloned by any user with a SSH key configured?

The SSH user is always git@server

So, the user is git… is this normal for the community edition hosted on our own server? We’re using an embedded package of GitLab CE. The user git can be used by anyone that has a SSH key configured since the keys are conglomerated for the git Linux user.

Should I be worried about this? Is this normal or do I have it configured incorrectly?

@own3mall

Intro

When you access GitLab via SSH, the connection is picked up by GitLab Shell, which calls the GitLab Rails API to check whether you are authorized. If you are, you are granted access to perform the operation you are requesting, in this case a clone via SSH.

Answer

  1. Quoting own3mall (post 1):
     Is it normal that any user with a SSH key can clone a private git repository using SSH? I thought that since a project was private, it would only be available to the user that created it along with users granted access to it?

No. They can only clone projects, and hence repositories, that they have access to, even if they have the SSH URL, i.e.:

  • If the repo is in a group they have access to
  • If you explicitly included them as a member of that project
  • If the project is public

Otherwise, if they do not meet any of the criteria specified above, they get an error message that looks like this:

Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

  2. The SSH user on the git server is always git. You are right. But based on your uploaded SSH key, when you try to clone, push, etc., GitLab is able to tie this to your account. To confirm, just run: ssh -T git@GITSERVERURL. This outputs your name, e.g. using GitLab.com as an example:

ssh -T git@gitlab.com
Welcome to GitLab, Kelvin Mutuma!
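As an added illustration (not code from GitLab or from anyone in this thread), here is a small Python model of the mechanism the answer above describes: every uploaded key sits in the git user's authorized_keys behind a forced command that names a key id, sshd runs gitlab-shell instead of a shell, and the access decision is made per account against the three criteria listed (group membership, explicit project membership, public visibility; GitLab's `internal` level is modelled too as "any signed-in account"). The authorized_keys lines, key ids, accounts, groups and projects are all constructed for the example. It also shows the one case a practitioner should audit for: a bare key line without the forced command, which sshd would accept and which would give its holder a real shell as `git`, outside GitLab's authorization entirely.

```python
"""Why a shared `git` SSH login does not mean shared repository access.

Illustrative re-implementation for this thread, not GitLab's own code.
All data below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed authorized_keys content in the layout the omnibus package
# writes (key id inside the forced command). The last entry is a bare key
# WITHOUT a forced command: sshd would accept it and hand its holder a
# shell as `git`, bypassing GitLab's authorization completely.
AUTHORIZED_KEYS = """\
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3Alice alice@laptop
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3Bob bob@laptop
ssh-ed25519 AAAAC3Mallory mallory@laptop
"""

# What the Rails side knows: key id -> account (constructed).
KEY_TO_USER = {"key-1": "alice", "key-2": "bob"}

FORCED_CMD = re.compile(
    r'^command="[^"]*gitlab-shell (key-\d+)"\S*\s+(\S+)\s+(\S+)')


def parse_authorized_keys(text):
    """Return ({key blob: key id}, [blobs of bare keys lacking a forced command])."""
    mapped, bare = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FORCED_CMD.match(line)
        if m:
            key_id, _key_type, blob = m.groups()
            mapped[blob] = key_id
        else:
            parts = line.split()            # "<type> <blob> [comment]"
            bare.append(parts[1] if len(parts) >= 2 else line)
    return mapped, bare


MAPPED, BARE = parse_authorized_keys(AUTHORIZED_KEYS)


@dataclass
class Project:
    path: str
    group: Optional[str]
    visibility: str                         # "private", "internal" or "public"
    members: set = field(default_factory=set)


# Constructed group membership and projects.
GROUP_MEMBERS = {"devops": {"alice"}}
PROJECTS = {
    "devops/infra": Project("devops/infra", "devops", "private"),
    "bob/secret": Project("bob/secret", None, "private", {"bob"}),
    "bob/notes": Project("bob/notes", None, "internal"),
    "bob/blog": Project("bob/blog", None, "public"),
}


def may_read(user, project):
    """The criteria from the answer above, plus GitLab's `internal` level."""
    if project.visibility == "public":
        return True
    if user is None:                        # key not tied to any account
        return False
    if project.visibility == "internal":
        return True                         # any signed-in account
    if project.group and user in GROUP_MEMBERS.get(project.group, set()):
        return True                         # group membership
    return user in project.members          # explicit project member


def ssh_clone(key_blob, project_path, mapped=MAPPED):
    """Simulate `git clone git@server:<project_path>` presented with key_blob.

    Returns (allowed, explanation). A blob with no forced-command entry is
    not a GitLab identity at all, so it is refused here regardless of project.
    """
    key_id = mapped.get(key_blob)
    if key_id is None:
        return False, "key has no gitlab-shell forced command; not a GitLab identity"
    user = KEY_TO_USER.get(key_id)
    project = PROJECTS.get(project_path)
    if project is None or not may_read(user, project):
        return False, f"{user or key_id}: no access to {project_path}"
    return True, f"{user} may clone {project_path}"


if __name__ == "__main__":
    for blob, path in [("AAAAC3Alice", "devops/infra"), ("AAAAC3Bob", "devops/infra"),
                       ("AAAAC3Bob", "bob/secret"), ("AAAAC3Alice", "bob/blog")]:
        print(blob, path, ssh_clone(blob, path))
    if BARE:
        print("AUDIT: keys without a forced command (shell access as git):", BARE)
```

The point of the model is the two-step mapping: sshd only authenticates the key against the `git` account, and it is the forced command carrying the key id that turns the shared login into a named GitLab user before any project check happens. On a real server the same audit amounts to confirming that every line in the git user's authorized_keys carries the gitlab-shell forced command; a line without one is a problem independent of project visibility.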

I’m not seeing that though.

Users who have NOT been specifically granted access to a project are able to clone the repository, make changes, and commit their changes. The project’s settings are set to private. Is there a global setting that could be overriding this behavior? Was this fixed in a later version of GitLab?

  • What version of GitLab are you using?
  • Are the private repositories contained in a group in which these unauthorised users are members?
    • To confirm this, click on Groups in the left pane and then on Members to view them

Here’s a video explaining it:

Video Link: https://vimeo.com/158705536
Video Password: gitlabSecur1ty?

Is this normal behavior… or?