Initial commit
-rw-r--r-- | Dockerfile | 88 | ||||
-rw-r--r-- | LICENCE | 21 | ||||
-rw-r--r-- | README.md | 250 | ||||
-rw-r--r-- | cgitrc | 119 | ||||
-rw-r--r-- | httpd.conf | 54 | ||||
-rwxr-xr-x | prepare-container.sh | 63 | ||||
-rw-r--r-- | sshd_config | 117 |
7 files changed, 712 insertions, 0 deletions
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..22a3210
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,88 @@
+FROM httpd:2.4-alpine
+
+MAINTAINER Grégory J. <gregjbs@protonmail.com>
+
+WORKDIR /root
+
+ARG HTTP_PROXY
+
+# Packages
+RUN apk update && apk add git openssh
+RUN apk add gcc make libressl-dev
+RUN apk add python3 py3-pygments
+RUN apk add py3-markdown
+RUN apk add linux-headers
+RUN ln -sf /usr/include/linux/unistd.h /usr/include/
+RUN apk add musl-dev
+RUN apk add libintl musl-libintl
+RUN apk add zlib zlib-dev
+# to support untar tar.xz
+RUN apk add tar
+# Vim is cool
+RUN apk add vim
+
+# Clean up
+RUN rm -rf /tmp/* /var/cache/apk/*
+
+# cgit install
+WORKDIR /root
+RUN git clone git://git.zx2c4.com/cgit
+WORKDIR cgit
+RUN git submodule init
+RUN git submodule update
+RUN make install NO_LUA=1 NO_REGEX=NeedsStartEnd
+WORKDIR ../
+RUN rm -Rf cgit
+
+# cgit config
+ENV HTTP_AUTH_USER="", HTTP_AUTH_PASSWORD=""
+ADD httpd.conf /usr/local/apache2/conf/httpd.conf
+ADD cgitrc /home/git/cgitrc
+# Extra copy if /home/git is bindmounted
+ADD cgitrc /etc/cgitrc.default
+RUN ln -s /home/git/cgitrc /etc/cgitrc
+
+# Gitolite install
+# Clone
+RUN git clone https://github.com/sitaramc/gitolite
+RUN gitolite/install -to /usr/local/bin/
+
+# Default work dir for base image httpd
+WORKDIR /usr/local/apache2
+
+# Pre-launch script
+ADD prepare-container.sh /usr/local/bin
+RUN chmod +x /usr/local/bin/prepare-container.sh
+
+# SSHD config : no password, no strict mode
+ADD sshd_config /etc/ssh/sshd_config
+
+# Remove SSH keyes, fresh keys will be generated at container startup by prepare-container.sh
+RUN rm -rf /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key
+
+# Gitolis / Gitolite
+RUN adduser -D -g "" -s "/bin/ash" git
+# We need a password set, otherwise pubkey auth doesn't work... why ?? /sbin/nologin doesn't work either
+RUN echo "git:fhzefGG65gdoejdK$!dhd753" | chpasswd
+
+# Volume for /home/git
+VOLUME ["/home/git"]
+
+# Ports
+EXPOSE 80
+EXPOSE 22
+
+# Minimal INIT system, cf https://github.com/Yelp/dumb-init/
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.0.0/dumb-init_1.0.0_amd64 /usr/local/bin/dumb-init
+RUN chmod +x /usr/local/bin/dumb-init
+
+# Runs "/usr/bin/dumb-init -- sh -c prepare-container.sh && exec apachectl -DFOREGROUND"
+# dumb-init gets PID 1 and handles signals gracefully
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
+CMD ["sh", "-c", "prepare-container.sh && exec httpd-foreground"]
+
+# To work without dumb-init, uncomment last line in prepare-container.sh to make it usual Docker entrypoint.
+# Use following CMD statement which comes from httpd Dockerfile.
+# Comment previous ENTRYPOINT and CMD.
+#ENTRYPOINT ["prepare-container.sh"]
+#CMD ["httpd-foreground"]
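Review bot: The `RUN echo "git:…" | chpasswd` line in the Dockerfile bakes one fixed password for the `git` account into every image built from it, and because the string is double-quoted the shell expands the `$!` inside it, so the password actually set is not the one written. The comment above it says the password exists only so that pubkey auth works; if the aim is just an unlocked account, a hash that matches no password does that without creating a usable credential, e.g. `RUN echo 'git:*' | chpasswd -e` (worth confirming against the BusyBox chpasswd shipped in this base image). Separately, `ADD https://github.com/Yelp/dumb-init/...` installs the binary that becomes PID 1 with no integrity check, and both `git clone` steps build whatever the default branch holds at build time, the cgit one over unauthenticated `git://`. Pinning each clone to a tag or commit and verifying a checksum for the dumb-init download would make the image reproducible and make tampering detectable.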
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2020 Grégory J. <gregjbs@pm.me> + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..70c1b60 --- /dev/null +++ b/README.md 
@@ -0,0 +1,250 @@ +Image docker Gitolite/cgit +========================= + +This [Docker][docker] image offers a very quick way of deploying a Gitolite / Cgit server. Gitolite is a lightweight yet powerful git manager. Cgit is web-based frontend to Git repositories. + + + +## Starting a gitolite-cgit container + +### First launch + +This first launch will create the server RSA keypair and make Gitolite initialization. `SSH_KEY` is the Gitolite admin's public RSA key. +For more details about Gitolite setup, please read the [official documentation][gitolite_doc]. + +The container will stop by itself once the initial configuration is done. The `--rm` will make Docker remove it automatically. Only data will remain on the volume/bindmount. + + $ docker run --rm -dit -v git-data:/home/git -e SSH_KEY="$(cat /home/<user>/.ssh/id_rsa.pub)" gjbs84/gitolite-cgit:latest + +Default behavion is to save data into an internal named volume, `git-data` in this exemple. Of course you can change it if you wish. + +If it's suits you better you can use a bindmount. Here an exemple with `/srv/git-data`. No existing `repositories` directory must be there ! + + $ docker run --rm -dit -v /srv/git-data:/home/git -e SSH_KEY="$(cat /home/<user>/.ssh/id_rsa.pub)" gjbs84/gitolite-cgit:latest + + +### Troubleshooting + +If the initial startup fails, it can be usefull to repeat it one more time without the `--rm` option. + +The container will remains in stoped state and its logs will be available. + + $ docker logs git-test + +A good first startup looks like this : + +```sh + Generating public/private rsa key pair. + Your identification has been saved in /etc/ssh/ssh_host_rsa_key + Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub + The key fingerprint is: + SHA256:4GcKIlWTPI5tpto3eqfHK30jBqM8U+eWoTp/tWSU2zs root@67dc97f12dd3 + The key's randomart image is: + +---[RSA 3072]----+ + | .o. | + | .+. | + | .+ .. . | + | .. =. .o | + |. .+. ..So | + | ...+.o+= . | + | + o O.* . . | + |. 
B * % + E | + | oXoX.+ . . | + +----[SHA256]-----+ + Generating public/private dsa key pair. + Your identification has been saved in /etc/ssh/ssh_host_dsa_key + Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub + The key fingerprint is: + SHA256:M5WtzLCBRcU6HtrRdBgOHvDkqa+DU3x5XaWC6VjXexU root@67dc97f12dd3 + The key's randomart image is: + +---[DSA 1024]----+ + | .o*ooo | + | B =+o. E.| + | . B+++.. o.| + | .=B=.o + .| + | ..+SO+o o ..| + | +.*oo . . .| + | o ... . | + | o .. | + | ... | + +----[SHA256]-----+ + Starting sshd + Initialized empty Git repository in /home/git/repositories/gitolite-admin.git/ + Initialized empty Git repository in /home/git/repositories/testing.git/ + WARNING: /home/git/.ssh missing; creating a new one + (this is normal on a brand new install) + WARNING: /home/git/.ssh/authorized_keys missing; creating a new one + (this is normal on a brand new install) + First launch : container is now shut down +``` + +## Final launch + +You can now run the final container. It will use the previoulsy created volume `git-data`. Now we can give a name to this container and we have to NAT ports 22 et 80 to the host. Of course you may have to adapt the command line to your network. + + $ docker run --name gitolite-cgit-srv -dit -v git-data:/home/git -p 20080:80 -p 20022:22 gjbs84/gitolite-cgit:lastest + +If you have chosen the bindmount way (here `/srv/git-data`) : + + $ docker run --name gitolite-cgit-srv -dit -v /srv/git-data:/home/git -p 20080:80 -p 20022:22 gjbs84/gitolite-cgit:lastest + +It's now time to check if everythings is right ! Let's clone the `testing` repository. + +If you are new to Gitolite you have to know that every connection to it is made by the same user, commonly `git`. A very convenient way to proceed is to add an entry in your `~/.ssh/config` : + + Host <server> + Port 20022 + User git + IdentityFile ~/.ssh/id_rsa + +Of course you have to adapt this to your network once again. 
+ +Now you can easily clone the testing repo : + + $ git clone localhost:testing + Cloning into 'testing'... + Enter passphrase for key '/home/greg/.ssh/id_rsa': + warning: warning: You appear to have cloned an empty repository. + Checking connectivity... done. + +Git tells us this an empty repository, it's true so everything is fine so far. + +## Updating / recreating container + +If you have deleted the exiting container or wish to update it with a newer version, just run the "Final launch" step again. The server RSA key will change but all your data are kept in Docker volume (or bindmount) . + +### .htaccess authentication + +You may wish to protect access to the git fronted Cgit. + +Just give fill up environnement variables `HTTP_AUTH_USER` and `HTTP_AUTH_PASSWORD` during the final launch step : + + $ docker run --name gitolite-cgit-srv -dit -v git-data:/home/git -p 20080:80 -p 20022:22 -e HTTP_AUTH_USER="my_user" -e HTTP_AUTH_PASSWORD="my_password" gjbs84/gitolite-cgit:latest + + +### Troubleshooting + +If you're experimenting some issue, start with having a loog into running container. Check health of `httpd` and `sshd` daemons. + +To jump into the container : + + $ docker exec -ti git-test sh + +Then check for `sshd` and `httpd` : + +``` + $ ps + PID USER TIME COMMAND + 1 root 0:00 /usr/local/bin/dumb-init -- sh -c prepare-container.sh && exec httpd-foreground + 6 root 0:00 httpd -DFOREGROUND + 13 root 0:00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups + 69 daemon 0:00 httpd -DFOREGROUND + 70 daemon 0:00 httpd -DFOREGROUND + 71 daemon 0:00 httpd -DFOREGROUND + 72 daemon 0:00 httpd -DFOREGROUND + 73 daemon 0:00 httpd -DFOREGROUND +``` + +## Using Gitolite and Cgit + +### Cgit + +Cgit is configured to automatically serve every repositories located into `/home/git/repositories` which is where Gitolite stores them. 
You basically have nothing to do to use it, just got to (adapt URL to the port number and server name) : + + http(s)://myserver:20080 + +You may want to custumize it (clone-prefix, favicon, headers...), just edit `/home/git/cgitrc`. + + +### Gitolite + +This is not a Git/Gitolite course, but here is a very simple set of commands to quickly add a new repo to Gitolite. And a new non-admin user in the process. + +1. Clone the `gitolite-admin` repository : + + $ git clone myserver:gitolite-admin + +2. Edit the `conf/gitolite.conf` file to add a repo : + + repo new_repo + RW+ = bob + +3. Add Bob's public RSA key in `keydir/bob.pub` (of course you can use `admin` which already exists but it's not recommanded...). That's all you have to do to add a Gitolite user. + +4. Add, commit and push the updated Gitolite configuration : + + $ git add keydir/bob.pub conf/gitolite.conf + $ git commit -m "Added Bob and new_repo" + $ git push --all + +5. Now just add a remote site in you local `new_repo` repository and push a local branch to it ! + + $ git remote add origin ssh://myserver:new_repo.git + $ git push origin master + + +For more details, you'll have to check for official documentation of both projects ! + + * [Gitolite][gitolite_admin] administration + * [Cgit][cgit_page] + + +## Add existing repositories + +First you must have an archive containing all you existing repositories. + +They have to be BARE repositories ! No working copy should exist in any of them ! + +1. Jump into the container + +2. Copy repos archive into the container. + + $ scp user@<your_host_local_ip>:/home/user/repos.tgz /tmp/ + +3. Untar archive into Gitolite repositories directory : + + $ cd /home/git/repositories + $ tar -xf /tmp/repos.tgz + $ rm /tmp/repos.tgz + +4. Set permissions : + + $ chown -R git:git * + $ chmod -R 755 * + +5. From now you definitely should read [the official procedure][gitolite_existing_repo] before you go any further ! These commands come directly from there. 
+ + $ su git + $ cd + $ gitolite compile + $ gitolite setup --hooks-only + $ gitolite trigger POST_COMPILE + +6. Clone the Gitolite admin repository or go to your local copy and update the `gitolite.conf` with your new repositories info. Don't forget to add new users public key in `keydir` if needed. + +7. Add/commit/push and you're done ! Check everything is fine with the `info` command. You shoud see all the repositories you have access to, which means all of them (because you have the admin key). + + $ ssh git@myserver info + +8. Adjust Cgit configuration in `/home/git/cgitrc` if you wish, but it will work out of the box. + + +## Building container image + +In case you want to build you own image, clone from Github and build using the common Docker way (adjust or remove proxy settings according to your needs). + + $ docker build --build-arg HTTP_PROXY=http://192.168.0.1:3128 -t <image_name> . + + +## Voir aussi + +* [Base image I used (httpd 2.4) ](https:https://hub.docker.com/_/httpd) +* [Gitolite image](http://github.com/sitaramc/gitolite#adding-users-and-repos) +* [Cgit image](https://github.com/invokr/docker-cgit) +* [Gitolite Documentation](https://gitolite.com/gitolite/index.html) + +[docker]: https://www.docker.com/ +[gitolite_doc]: https://gitolite.com/gitolite/install.html +[gitolite_admin]: https://gitolite.com/gitolite/basic-admin.html +[cgit_page]: https://git.zx2c4.com/cgit/about/ +[gitolite_existing_repo]: https://gitolite.com/gitolite/basic-admin.html#appendix-1-bringing-existing-repos-into-gitolite 
@@ -0,0 +1,119 @@ +# Enable caching of up to 1000 output entries +cache-size=1000 + +# Specify some default clone prefixes +clone-prefix=http://git.mydomain.com/git ssh://git@git.mydomain.com + +# Specify the css url +css=/cgit.css + +# Show extra links for each repository on the index page +enable-index-links=1 + +# Show number of affected files per commit on the log pages +enable-log-filecount=1 + +# Show number of added/removed lines per commit on the log pages +enable-log-linecount=1 + +# Enable ASCII art commit history graph on the log pages +enable-commit-graph=1 + +# Add a cgit favicon +#favicon=/favicon.ico + +# Use a custom logo +logo=/cgit.png + +# Enable statistics per week, month and quarter +max-stats=month + +# Set the title and heading of the repository index page +root-title=Welcome ! + +# Set a subheading for the repository index page +root-desc=Some information... + +# Include some more info about foobar.com on the index page +#root-readme=/var/www/htdocs/about.html + +# Allow download of tar.gz, tar.bz2 and zip-files +snapshots=tar.gz tar.bz2 zip + +robots=noindex, nofollow +enable-git-config=1 +#source-filter=/opt/highlight.sh +source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py + + +## +## Search for these files in the root of the default branch of repositories +## for coming up with the about page: +## +readme=:README.md +readme=:readme.md +readme=:README.mkd +readme=:readme.mkd +readme=:README.rst +readme=:readme.rst +readme=:README.html +readme=:readme.html +readme=:README.htm +readme=:readme.htm +readme=:README.txt +readme=:readme.txt +readme=:README +readme=:readme +readme=:INSTALL.md +readme=:install.md +readme=:INSTALL.mkd +readme=:install.mkd +readme=:INSTALL.rst +readme=:install.rst +readme=:INSTALL.html +readme=:install.html +readme=:INSTALL.htm +readme=:install.htm +readme=:INSTALL.txt +readme=:install.txt +readme=:INSTALL +readme=:install + +about-filter=/usr/local/lib/cgit/filters/about-formatting.sh + +## +### List of 
common mimetypes +### + +mimetype.git=image/git +mimetype.html=text/html +mimetype.jpg=image/jpeg +mimetype.jpeg=image/jpeg +mimetype.pdf=application/pdf +mimetype.png=image/png +mimetype.svg=image/svg+xml + +## +## List of repositories. +## PS: Any repositories listed when repo.group is unset will not be +## displayed under a group heading +## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos') +## and included like this: +## include=/etc/cgitrepos +## + +#### +section=my repo + +#repo.url=testing +#repo.path=/home/git/testing.git +#repo.desc=Testing repo created by Gitolite +#repo.owner=admin@mynetwork.com +# + + + +# Auto scan +scan-path=/home/git/repositories + + diff --git a/httpd.conf b/httpd.conf new file mode 100644 index 0000000..dc6c934 --- /dev/null +++ b/httpd.conf 
@@ -0,0 +1,54 @@
+ServerRoot "/usr/local/apache2"
+
+# standard
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+LoadModule mime_magic_module modules/mod_mime_magic.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+LoadModule cgi_module modules/mod_cgi.so
+LoadModule dir_module modules/mod_dir.so
+
+# uncomment for htaccess
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authz_user_module modules/mod_authz_user.so
+
+Listen 80
+User daemon
+Group daemon
+
+ServerName localhost
+ServerAdmin root@localhost
+
+ErrorLog "logs/error_log"
+LogLevel warn
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+CustomLog "logs/access_log" combined
+
+AddHandler cgi-script .cgi
+AddDefaultCharset UTF-8
+TypesConfig conf/mime.types
+MIMEMagicFile conf/magic
+EnableSendfile on
+
+<Directory />
+ Require all denied
+</Directory>
+
+DocumentRoot "/var/www/htdocs/cgit"
+<Directory "/var/www/htdocs/cgit/">
+ DirectoryIndex cgit.cgi
+ AllowOverride All
+ Options +ExecCGI -FollowSymLinks
+ Require all granted
+</Directory>
+
+<Files ".ht*">
+ Require all denied
+</Files>
diff --git a/prepare-container.sh b/prepare-container.sh
new file mode 100755
index 0000000..784b9eb
--- /dev/null
+++ b/prepare-container.sh
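Review bot: In httpd.conf, `AllowOverride All` on `/var/www/htdocs/cgit/` lets any `.htaccess` in the CGI directory change every overridable setting, while the only override this image appears to need is the Basic-auth block that prepare-container.sh writes; `AllowOverride AuthConfig` would cover that and nothing more. The generated `.htpasswd` also lives inside the DocumentRoot and depends on the `<Files ".ht*">` block to stay unreadable, so pointing `AuthUserFile` at a path outside the docroot would remove that dependency. Only `Listen 80` is configured, so the Basic credentials cross the network unencrypted unless a TLS-terminating proxy sits in front; a comment next to `Listen 80` stating that assumption would help operators.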
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Warning : this no standard docker entrypoint, we use dumb-init !
+
+if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then
+ # generate fresh rsa key
+ ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+fi
+if [ ! -f "/etc/ssh/ssh_host_dsa_key" ]; then
+ # generate fresh dsa key
+ ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
+fi
+
+#prepare run dir
+if [ ! -d "/var/run/sshd" ]; then
+ mkdir -p /var/run/sshd
+fi
+
+# Run sshd
+echo "Starting sshd"
+/usr/sbin/sshd
+
+# If no cgitrc, let's copy one from /etc/cgitrc.default. This happens when bindmounting /home/git
+if [ ! -f "/home/git/cgitrc" ]; then
+ cp /etc/cgitrc.default /home/git/cgitrc
+fi
+
+# Gitolite configuration (admin pubkey)
+if [ ! -f "/home/git/.ssh/authorized_keys" ]; then
+ if [ -n "$SSH_KEY" ]; then
+ echo "$SSH_KEY" > "/tmp/admin.pub"
+ su - git -c "gitolite setup -pk \"/tmp/admin.pub\""
+ rm "/tmp/admin.pub"
+ else
+ echo "You need to specify SSH_KEY on first run to setup gitolite"
+ echo 'Example: docker run --rm --name git-test -e SSH_KEY="$(cat ~/.ssh/id_rsa.pub)" -v git-data:/home/git -dit gitolite-cgit-cds:v10'
+ exit 1
+ fi
+ echo "First launch : container is now shut down"
+ halt
+# Check setup at every startup
+else
+ su - git -c "gitolite setup"
+fi
+
+# Volume permissions
+echo "Setting up permissions"
+chown -R git:git /home/git
+chmod -R 755 /home/git/repositories
+
+# htaccess/htpasswd auth (comes from docker-cgit/scripts)
+echo "No Apache htaccess required"
+if [ "$HTTP_AUTH_PASSWORD" != "" ]; then
+ echo "Enables Apache htaccess"
+ echo "AuthType Basic
+AuthName \"CGit\"
+AuthUserFile /var/www/htdocs/cgit/.htpasswd
+Require valid-user" > /var/www/htdocs/cgit/.htaccess
+htpasswd -c -b /var/www/htdocs/cgit/.htpasswd $HTTP_AUTH_USER $HTTP_AUTH_PASSWORD
+fi
+
+#exec "$@"
+
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..7f51fe2
--- /dev/null
+++ b/sshd_config
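Review bot: In prepare-container.sh, the `htpasswd -c -b … $HTTP_AUTH_USER $HTTP_AUTH_PASSWORD` call passes the password as an unquoted command-line argument, so a value containing spaces or glob characters is split or expanded, and the secret is visible in the process list while the command runs. Reading it from stdin avoids both: `printf '%s' "$HTTP_AUTH_PASSWORD" | htpasswd -c -i /var/www/htdocs/cgit/.htpasswd "$HTTP_AUTH_USER"`. The guard tests only `HTTP_AUTH_PASSWORD`, so an empty or unintended `HTTP_AUTH_USER` still reaches htpasswd; checking both with `[ -n "$HTTP_AUTH_USER" ] && [ -n "$HTTP_AUTH_PASSWORD" ]` would close that. The script also generates a DSA host key, an algorithm OpenSSH has deprecated, where `ssh-keygen -t ed25519` alongside RSA is the usual choice. Finally, `chmod -R 755 /home/git/repositories` makes every repository world-readable inside the container, which deserves a comment explaining that cgit (running as `daemon` per httpd.conf) needs read access.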
@@ -0,0 +1,117 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+StrictModes no
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server |
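Review bot: In sshd_config, `StrictModes no` turns off sshd's ownership and permission checks on the `git` user's home directory and `.ssh/authorized_keys`, the file gitolite uses to map keys to users, and nothing in the file says why. The Dockerfile comment only notes "no strict mode"; presumably this is because `/home/git` may be a bind mount with host ownership, but prepare-container.sh already runs `chown -R git:git /home/git` at start-up, so the checks could probably stay on if that script also tightened the directory, e.g. `chmod 700 /home/git/.ssh`. If the directive has to stay, a comment beside it would help, such as `# StrictModes off: /home/git can be a bind mount whose modes we do not control`. `AllowAgentForwarding` is left at its default while TCP and X11 forwarding are disabled; `AllowAgentForwarding no` would be consistent with those.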