Restrict Access To Your Private Debian Repository

Posted by alexx on Fri 23 Mar 2007 at 09:32

There are many times where it is useful to setup a small repository for apt-get to install packages from. The downside of placing such a repository in a publicly available place means that other people might start using it. Here we'll look at a couple of simple ways of restricting access.

There are many reasons why you might want to have restricted access to your repository:

The repository contains packages for internal use, personal and/or commercial.
You host a private mirror for your company.
You are a software vendor that provides commercial updates for packages.
You are a software vendor that provides proprietary software for Linux and want to integrate it with apt-get

User/Password authentication

1) Using ftp/sftp

If you have small number of users or don't want strong security this is for you. Host the repository on a ftp server and create accounts for the users. Disable anonymous login.
Your users' /etc/apt/sources.list must contain the following line:

deb ftp://user:passwd@repo.server.com/debian ./

The drawback is that the password is transmitted in clear text over the network. I have tested this over ftp but not over sftp. Don't know if apt-get is capable of secure ftp connections.

2) Using http/https

Similar to using ftp. You will have to create a password protected directory on the httpd server. Several different methods are described here.

Public/Private key authentication with ssh

This is my preferred method. It has two strong points:

the connection is encrypted
private keys are harder to steal than to break a password

1) Generate a keypair for root on the client computer

root@client# rsa-keygen

2) Transfer the public key to the server in secure fashion.

root@client# scp /root/.ssh/id_rsa.pub root@repo.server.com:/tmp

3) Add this public key into the authorized_keys file of user owner of repository. This will enable password-less login from client's computer into the server.

root@repo.server.com:~$ cat /tmp/id_rsa.pub >> /home/repo-owner/.ssh/authorized_keys

4) Add to client's /etc/apt/sources.list the following line:

deb ssh://repo-owner@repo.server.com:/home/repo-owner/debian/ ./

This tells apt-get to use ssh connection to the server with username `repo-owner'.

5) When the client runs apt-get he gets:

root@client# apt-get update
--- skip ---
Get:5 ssh://repo-owner@repo.server.com ./ Packages [3967B]
--- skip ---

NOTES

repo-owner is better to be some unprivileged user.
You will need a way to validate the client's public key. E.g. is this really an authorised client?
Each method can be combined with other methods of authentication. E.g using kerberos.
It is up to you to combine different authentication methods and transport protocols.

This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):

http://www.debian-administration.org/article/Restrict_Access_To_Your_Private_Debian_Repository