Run a Secure git Repository on FreeNAS

Running a secure git repository on FreeNAS is pretty straight forward, once you understand what your trying to do.  If you have looked over my previous post “Creating a secure Git repository server” you understand that all you really need to do is connect to the git repository via ssh/ssl and copy back what you need.  The hardest part of using FreeNAS is creating the keys.

To start out, you need to create a user account on the FreeNAS system.  This will be a generic account that everyone who has write access will use.  You may also create a account for each person, and grant each of them access to the central repository.

After you have your account, follow my post on “Enable SSH Key Authorization on FreeNAS” to copy over the SSL key and setup the account.  Once you are able to log in as your FreeNAS git user, you may follow my previous post “Creating a secure Git repository server” to setup the git repository.

Advertisements

Enable SSH Key Authorization on FreeNAS

FreeNAS is a powerful tools for archive data and other long-term storage requirements. Recently I have started backing up this and other off-site servers to one of my local FreeNAS boxes. Since these systems are only connected via the insecure internet (no VPN), I decided to transmit the backup files via SSH using SCP.  In order to do this without having to enter my password in for each and every backup (most of which happen while I’m hopeful sleeping), I needed to implement SSH Key Authorization on the receiving FreeNAS box.

To do this first I needed to create a DSA key pair on a different system.  On my Fedora 12 laptop I ran

ssh-keygen -t dsa

The trick here is to not create your new key pair in the default directory of “~/.ssh/” but in a temporary directory instead. So when it asks you.

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):

Enter a different file in witch to save the key in. Note this is asking for the name of a file, not the name of the directory, it will also create a .pub file, this is the public key for the above private key.

Now that you have a public/private key for the FreeNAS box, if you don’t already you need to create one for the user that you plan on sending the file from.  Just follow the above command, but this time, you may just hit enter all the way threw leaving all options as default.

Next, go to your FreeNAS web-page control panel, If you don’t already have one, you will need to create a user on your FreeNAS box for you to connect to.  You may do this via “Access -> User and Groups” from the black bar on the top of the page.

Now from the top (black) bar go to “Services -> SSH”

On your Services|SSH page, first make sure the service is enabled (top right hand corner). Once it is you will be able to change the below options.

  • TCP Port: The default (port 22) is fine in most cases, but note if you change it, you must use the new port for all connections.
  • Permit root login: My option is that the root account should never be allowed to log in via a remote process.  You should set your system up correctly where this is not needed.
  • Password authentication: For now this must be enabled (checked), once you have set “Key Authorization” up, you may disable this option.
  • TCP forwarding: Disabled (unchecked)
  • Compression: Enabled (checked)
  • Private Key: This will be were we put the private key created above.  All you need to do is copy and paste.
  • Extra options: Blank

After you have made your changes, “Save and Restart” the service.

On your local system, you need to copy the content of the local users public (~/.ssh/username.pub) key file to a new file named “authorized_keys” (Note: this is not the file we created for FreeNAS but the file we created for your local account).  This is the file that will need to be copied to your FreeNAS box.

Now that you have all the needed bits, we need to log into your FreeNAS server and create a “.ssh” directory to store the “authorized_keys” file.  To log in to the FreeNAS box interactively run a command similar too.

ssh freenasuser@freenasaddress

Or if you changed the “TCP Port” above, your command will look like this:

ssh -P freenasport freenasuser@freenasaddress

Once your logged in, you need to create the directory, by doing.

mkdir ~/.ssh

After you have successfully created your directory, you may exit out of your FreeNAS box for the next step.
Back on your local system you need to copy the “authorized_keys” file created before to the FreeNAS box. Using SCP you can do this by running a command like:

scp -P freenasport authorized_keys freenasuser@freenasaddress:~/.ssh/

This will copy the file to the FreeNAS box. Next, reconnect to the FreeNAS box as you did before and run.

cd ~/.ssh/
chmod 600 authorized_keys

Once your done, you should be able to connect to your FreeNAS box using the private key in the authorized_keys with out a password.

SSH with no password

When working with different Linux/Unix servers, or when working with a Secure GIT repo, life is much easier after you have setup an SSH public & private keys.  Setting up a public & private key is really pretty simple.

Start out by create a public & private key.

ssh-keygen -t dsa

You will now be prompted for a location and a few other options, the best anwser is the default, so just enter threw these.  You will also be asked to create a password, creating a password at this step will require you to enter the password every time you wish to use the key, so best bet is to just enter threw those questions also.  After you have created your new key, go into your “.ssh” folder (note the . before ssh) and copy your public key to remote servers.

cd .ssh

Next we want to rename the public key so we wont confuse it after sending it to the world.

cp id_dsa.pub matt_dsa.pub

Wonderful, now all we need to do is copy the public key to a remote server

scp matt_dsa.pub remote_server.example.com:~/.ssh

Note, the above example copies the public into the remote server’s .ssh folder, if the server dose not have a .ssh folder, you may need to create it.  After the public key has been copied, we need to put it into the “authorized_keys” file.

cat matt_dsa.pub >> authorized_keys

and that’s it, just exit out of your remote server, and try to connect again, it should not ask you for a password, but just now connect.  If you are using this your git account, just copy this key into the git’s users authorized_keys file.

Creating a secure Git repository server

Creating a secure git repository server is a pretty simple process.  Basically we will be using SSH to transmit the data over an encrypted channel.  SSH will handle all the authentication and data encryption.  So the first set is creating a user for git to use and creating the git users ssh key.

On your server, from a privileged account, create a user (were going to use git).

adduser git
passwd git

The configuration we will be setting up will store the actual repositories in the git users home directory.  If you don’t like it’s current location, you may modify the /etc/passwd file for your user.

Once we have the user setup, in it’s home directory we need to create our first repository.  Start out by creating the folder, then well go into it and create the git repository files.

mkdir new-project.git
cd new-project.git
git init --bare

With the repository now setup go back to your desktop/laptop system (linux/unix).

From your desktop system, create a empty repository or go to an existing git repo. If you are going to be adding an existing repo, it may not be connected to any other remote repository. if you clone it from a remote source (a directory on the same system counts as a remote source) you will need to modify the repository’s config file and remove those entry’s, look in the config file under the .git (note the ‘dot’) directory.

To create an empty repository, create a directory for the repository, go into it and init the repo.

mkdir new-project.git
cd new-project.git
git init

Since you need something in your repo, and git likes having a readme file (or gitweb dose) let’s create a readme file and commit it.

touch README
git add README
git commit -m 'Added README file, first commit'

Now that we have a commit in our repo, we can add the newly created git repo server and push our new repo to it.

We will start by adding the server to the repo’s configuration.

git remote add origin git@new-git-server.example.com:new-project.git

The above example assumes you’re server’s name is “new-git-server.example.com” and your using a project named “new-project.git” for the user “git”. But it also assumes that your repo is directly in the user git’s home directory. If you store your repo’s in a different directory, you will need to add the list folders after the colon.

After you have successfully added the server, push your new repository to the server.

git push origin master

You may now be asked for the git user’s password, enter it, and your repository should be transferred.

Also check out how to setup a ssh public/private key where no password is required, only the private key on your client system.

The above may look like a lot, but it’s really pretty simple to setup. If you have any problems or questions abut this How-To, please leave a comment or contact me.