
Restrict Access To Your Private Debian Repository

Posted by alexx on Fri 23 Mar 2007 at 09:32

There are many occasions when it is useful to set up a small repository for apt-get to install packages from. The downside of placing such a repository somewhere publicly accessible is that other people might start using it. Here we'll look at a couple of simple ways of restricting access.

There are many reasons why you might want to have restricted access to your repository:

  • The repository contains packages for internal use, personal and/or commercial.
  • You host a private mirror for your company.
  • You are a software vendor that provides commercial updates for packages.
  • You are a software vendor that provides proprietary software for Linux and want to integrate it with apt-get.

User/Password authentication

1) Using ftp/sftp

If you have a small number of users or don't need strong security, this is for you. Host the repository on an ftp server and create accounts for the users. Disable anonymous login.
Your users' /etc/apt/sources.list must contain the following line:

deb ftp://user:passwd@repo.server.com/debian ./

The drawback is that the password is transmitted in clear text over the network. I have tested this over ftp but not over sftp. I don't know if apt-get is capable of secure ftp connections.

2) Using http/https

Similar to using ftp. You will have to create a password protected directory on the httpd server. Several different methods are described here.

Public/Private key authentication with ssh

This is my preferred method. It has two strong points:
  • the connection is encrypted
  • a private key is harder to steal than a password is to break
1) Generate a keypair for root on the client computer:
root@client# ssh-keygen -t rsa
2) Transfer the public key to the server in a secure fashion:
root@client# scp /root/.ssh/id_rsa.pub root@repo.server.com:/tmp
3) Append this public key to the authorized_keys file of the user who owns the repository. This enables password-less login from the client into the server:
root@repo.server.com:~$ cat /tmp/id_rsa.pub >> /home/repo-owner/.ssh/authorized_keys
4) Add the following line to the client's /etc/apt/sources.list:
deb ssh://repo-owner@repo.server.com/home/repo-owner/debian/ ./
This tells apt-get to use an ssh connection to the server with the username `repo-owner'.

5) When the client runs apt-get update, the output looks like this:
root@client# apt-get update
--- skip ---
Get:5 ssh://repo-owner@repo.server.com ./ Packages [3967B]
--- skip ---
NOTES
  • repo-owner should be an unprivileged user.
  • You will need a way to validate the client's public key, i.e. to confirm that this really is an authorised client.
  • Each method can be combined with other methods of authentication, e.g. Kerberos.
  • It is up to you to combine different authentication methods and transport protocols.
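Step 3 above appends whatever lands in /tmp straight into authorized_keys, and the NOTES point out that you still have to decide whether a key belongs to an authorised client. The POSIX shell script below is an added example (not part of the original article) of doing that step more carefully: it checks that the submitted line is a well-formed OpenSSH public key, refuses to add a key that is already present, and writes the entry with a `from=` restriction plus the no-pty/no-forwarding options, so the key is only usable from the expected client address and cannot be turned into a general-purpose login. The file paths, the client address and the key blob in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: install a client's public key
# into repo-owner's authorized_keys with restrictions attached.
# Assumed layout: /home/repo-owner/.ssh/authorized_keys on repo.server.com.

# Accept only a single OpenSSH public-key line: key type, base64 blob,
# optional comment. Anything else (an extra shell command, a garbled paste)
# is rejected before it reaches authorized_keys.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Build the authorized_keys entry: restriction options first, then the key.
# $1 = key line, $2 = allowed source (address, CIDR or host pattern).
# from= ties the key to the client network; the no-* options stop the key
# from being used for interactive sessions or tunnelling.
restricted_entry() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Append a restricted entry unless the same key blob is already present.
# $1 = key line, $2 = allowed source, $3 = authorized_keys path
# Exit status: 0 added, 1 key rejected as malformed, 2 key already present.
add_restricted_key() {
    key="$1"; from="$2"; akfile="$3"
    valid_pubkey "$key" || return 1
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if [ -f "$akfile" ] && grep -Fq -- "$blob" "$akfile"; then
        return 2
    fi
    # umask in a subshell so a freshly created file is 0600 without
    # changing the caller's umask.
    ( umask 077; restricted_entry "$key" "$from" >> "$akfile" )
}

# Usage (constructed paths): sh add_key.sh /tmp/id_rsa.pub 192.168.1.0/24 \
#     /home/repo-owner/.ssh/authorized_keys
if [ $# -eq 3 ]; then
    add_restricted_key "$(cat "$1")" "$2" "$3"
fi
```

The script deliberately leaves the login shell available: apt's ssh transport runs commands on the server to read the index and package files, so a `command=` forced command would have to allow exactly those, and that is not attempted here. The `from=` option does the work of the "is this really an authorised client?" note at the network level; matching the key's fingerprint against an out-of-band record from the client's administrator is still the check that ties the key to a person.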

Re: Restrict Access To Your Private Debian Repository
Posted by Anonymous (217.7.xx.xx) on Fri 23 Mar 2007 at 13:00
2) Transfer the public key to the server in secure fashion.
root@client# ssh-copy-id -i /root/.ssh/id_rsa repo-owner@repo.server.com

3) Delete repo-owner's password for security reasons
ssh repo-owner@repo.server.com passwd -d

Re: Restrict Access To Your Private Debian Repository
Posted by shufla (83.12.xx.xx) on Fri 23 Mar 2007 at 13:08

Hello,

3) Delete repo-owner's password for security reasons
ssh repo-owner@repo.server.com passwd -d

AFAIK -d disables the password prompt - there's no need to type a password to login and it's quite insecure. To turn off the password, passwd -l is better.

I might be wrong.
Luke

Re: Restrict Access To Your Private Debian Repository
Posted by alexx (62.40.xx.xx) on Fri 23 Mar 2007 at 14:51
2) Transfer the public key to the server in secure fashion.
root@client# ssh-copy-id -i /root/.ssh/id_rsa repo-owner@repo.server.com
Thanks, I did not know that.

Re: Restrict Access To Your Private Debian Repository
Posted by Steve (80.68.xx.xx) on Fri 23 Mar 2007 at 14:17

If you're using Apache/Apache2 to serve your repository you could also limit it by IP address - if your authorized clients come from a specific range.

Something like this:

<Location /apt>
  # Apache 2.2 mod_authz_host syntax: evaluate Deny first, then Allow
  order deny,allow
  deny from all
  # only these clients may reach the repository
  Allow from 62.30.xx.xx
  Allow from 192.168.1.0/24
</Location>

Steve

Re: Restrict Access To Your Private Debian Repository
Posted by glanz (70.55.xx.xx) on Mon 2 Apr 2007 at 15:25
That works! Thanks Steve. I placed a few Iceape debs up to test this and all worked pretty well.

Re: Restrict Access To Your Private Debian Repository
Posted by Anonymous (2a01:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sun 11 Dec 2016 at 02:32
"ftp but not over sftp". sftp has nothing to do with ftp since it is an ssh thing. Did you mean ftps (ftp with tls)?

Anyway, the ssh trick is quite exciting, and I am going to test it right now.

Thank you.
