preventing SSH port forwarding (#1296)

ben · web-flow · commit 7de09058c200 · 2019-08-30T08:34:48.000-07:00
preventing SSH port forwarding
diff --git a/book/04-git-server/sections/setting-up-server.asc b/book/04-git-server/sections/setting-up-server.asc
@@ -107,7 +107,7 @@ Now you can edit the shell for a user using `chsh <username> -s <shell>`:
 $ sudo chsh git -s $(which git-shell)
 ----
 
-Now, the `git` user can only use the SSH connection to push and pull Git repositories and can't shell onto the machine.
+Now, the `git` user can still use the SSH connection to push and pull Git repositories but can't shell onto the machine.
 If you try, you'll see a login rejection like this:
 
 [source,console]
@@ -118,6 +118,31 @@ hint: ~/git-shell-commands should exist and have read and execute access.
 Connection to gitserver closed.
 ----
 
+At this point, users are still able to use SSH port forwarding to access any host the git server is able to reach.
+If you want to prevent that, you can edit the `authorized_keys` file and prepend the following options to each key you'd like to restrict:
+
+[source,console]
+----
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+----
+
+The result should look like this:
+
+[source,console]
+----
+$ cat ~/.ssh/authorized_keys
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa
+AAAAB3NzaC1yc2EAAAADAQABAAABAQCB007n/ww+ouN4gSLKssMxXnBOvf9LGt4LojG6rs6h
+PB09j9R/T17/x4lhJA0F3FR1rP6kYBRsWj2aThGw6HXLm9/5zytK6Ztg3RPKK+4kYjh6541N
+YsnEAZuXz0jTTyAUfrtU3Z5E003C4oxOj6H0rfIF1kKI9MAQLMdpGW1GYEIgS9EzSdfd8AcC
+IicTDWbqLAcU4UpkaX8KyGlLwsNuuGztobF8m72ALC/nLF6JLtPofwFBlgc+myivO7TCUSBd
+LQlgMVOFq1I2uPWQOkOWQAHukEOmfjy2jctxSDBQ220ymjaNsHT4kgtZg2AYYgPqdAv8JggJ
+ICUvax2T9va5 gsg-keypair
+
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa
+AAAAB3NzaC1yc2EAAAADAQABAAABAQDEwENNMomTboYI+LJieaAY16qiXiH3wuvENhBG...
+----
+
 Now Git network commands will still work just fine but the users won't be able to get a shell.
 As the output states, you can also set up a directory in the `git` user's home directory that customizes the `git-shell` command a bit.
 For instance, you can restrict the Git commands that the server will accept or you can customize the message that users see if they try to SSH in like that.
