In this article, I will give an example of configuring SSH for Phabricator.
If an SSH server is already installed on the server, we will leave it alone, except that you can move it from the standard port 22 to another port, for example 2222. The second SSH server can then run on the standard port 22, and repository links will not need to specify a port.
At the time of writing, I was using the Ubuntu 18.04 operating system.
Create a system user, for example, git or hg:
adduser --quiet --no-create-home --disabled-password --gecos "" git
Copy the script and specify the user in it:
cp /home/phd/phabricator/resources/sshd/phabricator-ssh-hook.sh /usr/lib/phabricator-ssh-hook.sh
chown root /usr/lib/phabricator-ssh-hook.sh
chmod 755 /usr/lib/phabricator-ssh-hook.sh
nano /usr/lib/phabricator-ssh-hook.sh
Copy the SSH configuration template and set AuthorizedKeysCommand, AuthorizedKeysCommandUser, and AllowUsers in it:
cp /home/phd/phabricator/resources/sshd/sshd_config.phabricator.example /etc/ssh/sshd_config.phabricator
nano /etc/ssh/sshd_config.phabricator
Launch the SSH server (to start it automatically at system startup, add the command to /etc/rc.local or create an autorun script):
/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
Check if it is running:
netstat -na | grep :22
echo [] | ssh git@test.ixnfo.com conduit conduit.ping
Add to the /etc/sudoers file:
git ALL=(phd) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg, /usr/bin/svnserve
Keys are added in user profiles; you can make sure that they have been added as follows:
/usr/lib/phabricator-ssh-hook.sh git
If necessary, specify the parameters:
cd /home/phd/phabricator/
./bin/config set diffusion.ssh-host ...
./bin/config set diffusion.ssh-port 22
./bin/config set diffusion.ssh-user git
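A pre-flight check for the hook script and sshd_config.phabricator edited above, useful before starting (or restarting) the second sshd. This is an added example, not part of the original article or of Phabricator; the function names are hypothetical, and the PasswordAuthentication check is an extra hardening assumption rather than something the article states.

```shell
#!/bin/sh
# Added example: pre-flight check for the second (Phabricator) sshd.
# Function names are hypothetical; paths and the "git" user follow the article.
# Usage: check_phab_sshd /etc/ssh/sshd_config.phabricator git \
#            /usr/lib/phabricator-ssh-hook.sh

# Print the value of the first uncommented occurrence of keyword $2 in file $1.
# Keyword names are case-insensitive; Match blocks and repeated keywords are
# not handled (simplification).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

# check_phab_sshd CONFIG VCS_USER HOOK [OWNER_UID]
# Prints one line per finding and returns the number of findings.
check_phab_sshd() {
    conf=$1 user=$2 hook=$3 uid=${4:-0} bad=0

    [ "$(sshd_value "$conf" AuthorizedKeysCommand)" = "$hook" ] ||
        fail "AuthorizedKeysCommand does not point at $hook"
    [ "$(sshd_value "$conf" AuthorizedKeysCommandUser)" = "$user" ] ||
        fail "AuthorizedKeysCommandUser is not $user"
    # Only the VCS account may log in through this daemon.
    [ "$(sshd_value "$conf" AllowUsers)" = "$user" ] ||
        fail "AllowUsers is not restricted to $user"
    # Keys come from the hook, so password logins should stay off.
    [ "$(sshd_value "$conf" PasswordAuthentication)" = "no" ] ||
        fail "PasswordAuthentication is not 'no'"

    if [ ! -f "$hook" ]; then
        fail "$hook not found"
    else
        # sshd rejects an AuthorizedKeysCommand that is not owned by root
        # or that group/others can write to (hence chown root, chmod 755).
        [ "$(ls -ldn "$hook" | awk '{ print $3 }')" = "$uid" ] ||
            fail "$hook is not owned by uid $uid"
        [ -z "$(find "$hook" \( -perm -020 -o -perm -002 \))" ] ||
            fail "$hook is writable by group or others"
    fi
    return "$bad"
}
```

A return value of 0 means no findings; any other value is the number of FAIL lines printed.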
I also recommend installing Fail2Ban to block failed connection attempts.