On Thu, Jul 27, 2023 at 10:28 AM lain. <l...@fair.moe> wrote:
>
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
>
> My pf.conf rules look like this:
>
> pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
>
> pass in on $externalinterface proto tcp from any to $externalip port 22
> rdr-to $internalip
>
> block in quick on egress proto tcp from any to any port 22
>
> And my sshd_config:
>
> AllowUsers lain@192.168.0.0/24
> AllowUsers git@(DOMAIN)
> AllowUsers git@(PUBLIC IP)
>
> Where exactly am I going wrong here?
I suspect you're overthinking this. Rather than preventing access altogether, turn off password authentication and use SSH keys for authentication; for the git accounts, change the shell to git-shell if you haven't already.

That way, bad-faith actors can try all they want, they ain't gettin' in unless they get a hold of someone's key, and even if they do, it's likely a git key and the shell (barring any security vulns in git) will prevent them from doing anything not git related.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
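An added example of the hardening Aaron describes, written for this page and not taken from the thread or from OpenSSH: a sshd_config fragment with password logins off and the git account pinned to public-key auth, a constructed weak config for comparison, and a small awk checker that flags the settings the reply says to turn off. Assumptions: the git account is named `git`, git-shell is on `$PATH`, and the checker only inspects the global section (before the first `Match`), applying sshd's own defaults for absent keywords.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: the git
# account is "git"; git-shell is found via $PATH.

# The configuration the reply argues for: no password or keyboard-interactive
# logins anywhere, and the git account limited to public keys with no
# forwarding or TTY (git push/pull need neither).
hardened_sshd_config() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Match User git
    AuthenticationMethods publickey
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Constructed weak config for comparison: PasswordAuthentication is simply
# absent, and sshd's default for it is "yes", so guessing never stops.
weak_sshd_config() {
    cat <<'EOF'
# password logins never explicitly disabled
PermitRootLogin yes
PubkeyAuthentication yes
AllowUsers lain git
EOF
}

# Reads a sshd_config on stdin and prints one finding per weak setting in the
# global section. Keywords are case-insensitive, comments and blank lines are
# skipped, and everything from the first "Match" on is ignored. Exit status 0
# means no findings.
check_sshd_config() {
    awk '
        BEGIN { pw = "yes"; root = "prohibit-password"; pub = "yes"; in_match = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "match" { in_match = 1 }
        in_match { next }
        key == "passwordauthentication" { pw = val }
        key == "permitrootlogin"        { root = val }
        key == "pubkeyauthentication"   { pub = val }
        END {
            n = 0
            if (pw != "no")    { print "PasswordAuthentication is " pw " (should be no)"; n++ }
            if (root == "yes") { print "PermitRootLogin yes permits password root logins"; n++ }
            if (pub != "yes")  { print "PubkeyAuthentication is " pub " (should be yes)"; n++ }
            exit n > 0
        }'
}

# Wrappers that return the checker's verdict for each config (0 = hardened).
weak_is_hardened()     { weak_sshd_config     | check_sshd_config >/dev/null; }
hardened_is_hardened() { hardened_sshd_config | check_sshd_config >/dev/null; }

# The git-shell step (needs root, so only shown, not run here):
#   chsh -s "$(command -v git-shell)" git
# git-shell accepts only git-upload-pack, git-receive-pack and
# git-upload-archive (plus scripts under ~git/git-shell-commands, if that
# directory exists), so a stolen git key yields push/pull on the repos,
# not a login shell. Prefixing the key in ~git/.ssh/authorized_keys with
# "restrict" additionally blocks forwarding and PTY allocation per key.

if [ "${1:-}" = "--demo" ]; then
    echo "weak config:";     weak_sshd_config     | check_sshd_config || true
    echo "hardened config:"; hardened_sshd_config | check_sshd_config && echo "no findings"
fi
```

Run it as `sh harden-git-ssh.sh --demo` to see the two findings on the weak config and none on the hardened one; after editing the real `/etc/ssh/sshd_config`, `sshd -t` validates the syntax and `sshd -T -C user=git` prints the effective settings the `Match User git` block produces before you restart the daemon.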