Restrict Access To Your Private Debian Repository

There are many times where it is useful to setup a small repository for apt-get to install packages from. The downside of placing such a repository in a publicly available place means that other people might start using it. Here we'll look at a couple of simple ways of restricting access.

There are many reasons why you might want to have restricted access to your repository:

• The repository contains packages for internal use, personal and/or commercial.
• You host a private mirror for your company.
• You are a software vendor that provides commercial updates for packages.
• You are a software vendor that provides proprietary software for Linux and want to integrate it with apt-get

User/Password authentication

1) Using ftp/sftp

If you have small number of users or don't want strong security this is for you. Host the repository on a ftp server and create accounts for the users. Disable anonymous login.
Your users' /etc/apt/sources.list must contain the following line:

deb ftp://user:passwd@repo.server.com/debian ./

The drawback is that the password is transmitted in clear text over the network. I have tested this over ftp but not over sftp. Don't know if apt-get is capable of secure ftp connections.

2) Using http/https

Similar to using ftp. You will have to create a password protected directory on the httpd server. Several different methods are described here.

Public/Private key authentication with ssh

This is my preferred method. It has two strong points:

• the connection is encrypted
• private keys are harder to steal than to break a password

1) Generate a keypair for root on the client computer

root@client# rsa-keygen

2) Transfer the public key to the server in secure fashion.

root@client# scp /root/.ssh/id_rsa.pub root@repo.server.com:/tmp

3) Add this public key into the authorized_keys file of user owner of repository. This will enable password-less login from client's computer into the server.

root@repo.server.com:~$ cat /tmp/id_rsa.pub >> /home/repo-owner/.ssh/authorized_keys

4) Add to client's /etc/apt/sources.list the following line:

deb ssh://repo-owner@repo.server.com:/home/repo-owner/debian/ ./

This tells apt-get to use ssh connection to the server with username `repo-owner'.

5) When the client runs apt-get he gets:

root@client# apt-get update
--- skip ---
Get:5 ssh://repo-owner@repo.server.com ./ Packages [3967B]
--- skip ---

NOTES

• repo-owner is better to be some unprivileged user.
• You will need a way to validate the client's public key. E.g. is this really an authorised client?
• Each method can be combined with other methods of authentication. E.g using kerberos.
• It is up to you to combine different authentication methods and transport protocols.

2) Transfer the public key to the server in secure fashion.
root@client# ssh-copy-id -i /root/.ssh/id_rsa repo-owner@repo.server.com

<Locatation /apt>
  order deny,allow
  deny from all
  Allow from 62.30.xx.xx
  Allow from 192.168.1.0/24
</Location>