How to set up a secure Git repository?

I followed this tutorial to set up a git repository on an EC2 instance: http://git-scm.com/book/ch4-4.html. Basically, I add a new git user and include my public key in authorized_keys. After setting up the git user, I just initialize a new repo with git init --bare.

However, I've noticed that I can clone it easily without needing my private key. Is there a way to force it to only be available via SSH so authorized_keys is followed? I'm guessing it's using the default of git which is port 9418 which doesn't seem to support authentication.


Port 9814 is where git-daemon runs (e.g., clone: git clone git://git.example.com/repo). This is meant for an internal git repository. Read the documentation for more details.

You have 2 other options for setting up a remote git server:

  • SSH server: git clone ssh://git.example.com/git/repo
  • HTTP server: git clone https://git.example.com/git/repo

SSH is a lot easier to set up. You just need to make sure all contributors have access to the SSH account. This is normally done via SSH keys: each developer adds their public key to a git SSH account.

Just remember:

  • Specify the protocol in your command (i.e., ssh, git, http or https).
  • Make sure you have your firewall set up correctly:
    • Usually port 22 for ssh
    • Usually port 443 for https
    • The other two should be avoided but, for ref, port 9814 for git and port 80 for http

You seem to be under the assumption that git-daemon is responsible. Have you confirmed that git-daemon is, in fact, running on the system? Check the process list as well as the open ports list:

$ ps auxwww | grep git-daemon
$ sudo netstat -ptuna | grep 9814

If git-daemon is not running and there's nothing listening on port 9814, it's possible that there's something else amiss -- perhaps the new git user you've added does not have a password set or the SSH configuration is using Kerberos and you have an existing valid service ticket.

HTTP and SSH are only two of the half dozen or so protocols that git supports. I believe that git only ever uses SSH with URLs of the form user@host, so I'm pretty certain it's an authentication issue with your git user.

When you clone the repo, watch the auth log on your system (typically /var/log/auth.log or /var/log/secure). If you see SSH logins for the git user during the clone operation, then it's almost certainly using SSH and not git-daemon.
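
The two checks described in the answers (is anything listening for git://, and how did the git user authenticate during the clone) can be combined into one script. This is an added example, not code from the original posts; it assumes git-daemon's default port 9418 (the number given in the question), OpenSSH's usual "Accepted <method> for <user> from" log line, and uses constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original answers). Sample data below is constructed.
GIT_DAEMON_PORT=9418   # assumed: git-daemon's default port; change if yours differs

# stdin: `netstat -ptuna` (or `ss -tln`) output. Exit 0 if a socket is
# LISTENing on the port; ESTABLISHED lines that mention it are ignored.
daemon_listening() {
    awk -v p="${1:-$GIT_DAEMON_PORT}" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
        END { exit !found }'
}

# stdin: sshd lines from auth.log / secure. Prints "method count" for every
# authentication method sshd accepted for the given user (default: git).
ssh_auth_methods() {
    awk -v u="${1:-git}" '
        /sshd/ && $0 ~ ("Accepted [^ ]+ for " u " from ") {
            for (i = 1; i < NF; i++) if ($i == "Accepted") m[$(i + 1)]++
        }
        END { for (k in m) print k, m[k] }' | sort
}

# $1 = listener output, $2 = auth log text. Prints "ok" or the findings:
# an open git-daemon port, and any login for git that did not use a key.
assess() {
    result=""
    if printf '%s\n' "$1" | daemon_listening; then
        result="git-daemon-exposed"
    fi
    for m in $(printf '%s\n' "$2" | ssh_auth_methods git | cut -d' ' -f1); do
        [ "$m" = publickey ] || result="${result:+$result }ssh-non-key-login:$m"
    done
    echo "${result:-ok}"
}

# Constructed sample input (documentation IP ranges, made-up PIDs).
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:9418 0.0.0.0:* LISTEN 2290/git-daemon
tcp 0 0 10.0.0.5:22 198.51.100.7:9418 ESTABLISHED 3001/sshd'
SAMPLE_AUTHLOG='Jan 10 12:00:01 ip-10-0-0-5 sshd[3001]: Accepted publickey for git from 198.51.100.7 port 51234 ssh2
Jan 10 12:03:44 ip-10-0-0-5 sshd[3050]: Accepted password for git from 198.51.100.9 port 40022 ssh2
Jan 10 12:05:10 ip-10-0-0-5 sshd[3061]: Accepted publickey for ubuntu from 198.51.100.7 port 51240 ssh2'

assess "$SAMPLE_LISTENERS" "$SAMPLE_AUTHLOG"
```

On a live host, pass the output of sudo netstat -ptuna and the sshd lines from /var/log/auth.log or /var/log/secure captured during a test clone in place of the sample variables.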