Restrict Access To Your Private Debian Repository
Posted by alexx on Fri 23 Mar 2007 at 09:32
There are many times where it is useful to setup a small repository for apt-get to install packages from. The downside of placing such a repository in a publicly available place means that other people might start using it. Here we'll look at a couple of simple ways of restricting access.
There are many reasons why you might want to have restricted access to your repository:
- The repository contains packages for internal use, personal and/or commercial.
- You host a private mirror for your company.
- You are a software vendor that provides commercial updates for packages.
- You are a software vendor that provides proprietary software for Linux and want to integrate it with apt-get
User/Password authentication
1) Using ftp/sftpIf you have small number of users or don't want strong security this is for you. Host the repository on a ftp server and create accounts for the users. Disable anonymous login.
Your users' /etc/apt/sources.list must contain the following line:
deb ftp://user:passwd@repo.server.com/debian ./
The drawback is that the password is transmitted in clear text over the network. I have tested this over ftp but not over sftp. Don't know if apt-get is capable of secure ftp connections.
2) Using http/httpsSimilar to using ftp. You will have to create a password protected directory on the httpd server. Several different methods are described here.
Public/Private key authentication with ssh
This is my preferred method. It has two strong points:- the connection is encrypted
- private keys are harder to steal than to break a password
root@client# rsa-keygen2) Transfer the public key to the server in secure fashion.
root@client# scp /root/.ssh/id_rsa.pub root@repo.server.com:/tmp3) Add this public key into the authorized_keys file of user owner of repository. This will enable password-less login from client's computer into the server.
root@repo.server.com:~$ cat /tmp/id_rsa.pub >> /home/repo-owner/.ssh/authorized_keys4) Add to client's /etc/apt/sources.list the following line:
deb ssh://repo-owner@repo.server.com:/home/repo-owner/debian/ ./This tells apt-get to use ssh connection to the server with username `repo-owner'.
5) When the client runs apt-get he gets:
root@client# apt-get update --- skip --- Get:5 ssh://repo-owner@repo.server.com ./ Packages [3967B] --- skip ---NOTES
- repo-owner is better to be some unprivileged user.
- You will need a way to validate the client's public key. E.g. is this really an authorised client?
- Each method can be combined with other methods of authentication. E.g using kerberos.
- It is up to you to combine different authentication methods and transport protocols.
root@client# ssh-copy-id -i /root/.ssh/id_rsa repo-owner@repo.server.com
3) Delete repo-owner's password for security reasons
ssh repo-owner@repo.server.com passwd -d
[ Parent | Reply to this comment ]
Hello,
3) Delete repo-owner's password for security reasonsssh repo-owner@repo.server.com passwd -d
AFAIK -d@ disables password ask - there's no need to type password to login and its quite unsecure. To turn of password @passwd -l is better.
I might be wrong.
Luke
[ Parent | Reply to this comment ]
2) Transfer the public key to the server in secure fashion. root@client# ssh-copy-id -i /root/.ssh/id_rsa repo-owner@repo.server.comThanks, I did not know that.
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
If you're using Apache/Apache2 to serve your repository you could also limit it by IP address - if your authorized clients come from a specific range.
Something like this:
<Locatation /apt> order deny,allow deny from all Allow from 62.30.xx.xx Allow from 192.168.1.0/24 </Location>
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]