(2 months ago) commit 34b636f: cleanup README
Marrow - Git Server Authentication and Shell System
Marrow is a pair of C programs that provide simple authentication and
access control for Git repositories served over SSH. It allows anonymous
read-only access to repositories while restricting write access to
authenticated users within their own directories.
Marrow reads from its configuration directory, which should contain the
following files:
  marrow/
    $USER    # keys for a given user
Components:
- marrow-auth: AuthorizedKeysCommand that outputs SSH keys with forced
  marrow-shell commands
- marrow-shell: Restricted shell that enforces Git access permissions
  based on GIT_USER or -a flag for anonymous
How it works:
SSH authenticates users via marrow-auth, which reads /etc/marrow/authorized_keys
and outputs keys with forced commands. Anonymous keys are forced to marrow-shell -a;
authenticated users get marrow-shell with GIT_USER set. Users can read from
any repo under /srv/git/ but can only write to /srv/git/$GIT_USER/.
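The access rule above, sketched as an added example (not Marrow's own source): a decision function over the command string that sshd passes to a forced command in SSH_ORIGINAL_COMMAND. The names marrow_check, path_ok and the verdict enum are hypothetical, and it assumes repository paths arrive relative to /srv/git/, as in the README's clone and push URLs.

```c
#include <string.h>

enum verdict { DENY, ALLOW_READ, ALLOW_WRITE };

/* Accept only a relative path with no empty, "." or ".." component and no
 * quote, backslash or control byte (assumption: paths are relative to /srv/git/). */
static int path_ok(const char *p, size_t n)
{
    size_t i, start = 0;
    if (n == 0 || n > 255) return 0;
    for (i = 0; i <= n; i++) {
        if (i < n && p[i] != '/') {
            if (p[i] == '\'' || p[i] == '\\' || (unsigned char)p[i] < 0x20) return 0;
            continue;
        }
        size_t len = i - start;               /* a component just ended */
        if (len == 0) return 0;               /* leading, trailing or doubled '/' */
        if (p[start] == '.' && (len == 1 || (len == 2 && p[start + 1] == '.'))) return 0;
        start = i + 1;
    }
    return 1;
}

/* cmd:  SSH_ORIGINAL_COMMAND as git sends it, e.g. "git-receive-pack 'alice/p.git'".
 * user: GIT_USER, or NULL for the anonymous (-a) case. Hypothetical helper. */
enum verdict marrow_check(const char *cmd, const char *user)
{
    static const struct { const char *verb; int write; } verbs[] = {
        { "git-upload-pack ", 0 }, { "git-upload-archive ", 0 }, { "git-receive-pack ", 1 } };
    size_t i, n, ulen, nverbs = sizeof verbs / sizeof verbs[0];
    const char *path, *end;
    if (cmd == NULL) return DENY;                      /* no interactive logins */
    for (i = 0; i < nverbs; i++)
        if (strncmp(cmd, verbs[i].verb, strlen(verbs[i].verb)) == 0) break;
    if (i == nverbs) return DENY;                      /* not a git transport command */
    path = cmd + strlen(verbs[i].verb);
    if (*path++ != '\'') return DENY;
    end = strchr(path, '\'');
    if (end == NULL || end[1] != '\0') return DENY;    /* nothing may follow the path */
    n = (size_t)(end - path);
    if (!path_ok(path, n)) return DENY;
    if (!verbs[i].write) return ALLOW_READ;            /* anyone may read */
    if (user == NULL || *user == '\0') return DENY;    /* anonymous never writes */
    ulen = strlen(user);
    /* first component must be exactly the user name: "alicex/..." is not "alice/..." */
    if (n > ulen + 1 && strncmp(path, user, ulen) == 0 && path[ulen] == '/')
        return ALLOW_WRITE;
    return DENY;
}
```

The sketch fails closed: anything that is not one quoted repository path after a known git verb is denied, including trailing text after the closing quote.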
Example setup:
1. Configure sshd_config with AuthorizedKeysCommand /usr/local/bin/marrow-auth
2. Create /etc/marrow/user with format:
3. Users SSH in and git commands are filtered through marrow-shell
Example usage:
Anonymous clone: git clone git@server:project.git
Authenticated push: git push git@server:myuser/project.git
Building:
make - Build both programs
make test - Run tests
make install - Install to /usr/local/bin
make clean - Remove build artifacts
Requirements: C compiler, crypt(3)
Note: Built and tested on FreeBSD systems
License: MIT
TODO:
- Build out initial prototype
- Additional tooling
- User management
- Public vs Private repos