Instructions for setting up git server on Synology Diskstation

Synology-Diskstation-Git.md

Configure Synology NAS as Git Server

Instructions for setting up a git server on a Synology NAS with Diskstation. Specifically, I am using a DS414 with DSM 5.0.

Set Up User and Folder

• Create user gituser via Diskstation interface (with File Station and WebDAV privilages)
• Add new shared folder called git (located at /volume1/git) with read/write access for gituser and admin. This folder will hold all the repos.
• Install Git Server package via Diskstation
• Open Git Server and allow gituser permissions
• Enable SSH access on Diskstation (Control Panel > Terminal & SNMP > Enable SSH Service)

Configure SSH Access

• create ~/.ssh folder for gituser on server

ssh [email protected]
mkdir /volume1/homes/gituser/.ssh

• copy public rsa key from local computer to gituser account on server

scp ~/.ssh/id_rsa.pub [email protected]:/volume1/homes/gituser/.ssh

• connect via SSH as root and rename id_rsa.pub to authorized_keys on NAS (or append if already exists, cat id_rsa.pub >> authorized_keys)

ssh [email protected]
mv /volume1/homes/gituser/.ssh/id_rsa.pub /volume1/homes/gituser/.ssh/authorized_keys

• change permissions while logged in as root

cd /volume1/homes/gituser/
chown -R gituser:users .ssh
chmod 700 .ssh
chmod 644 .ssh/authorized_keys

Set Up New Repo on NAS

• create bare repo as root

ssh [email protected]
cd /volume1/git/
git --bare init <repo-name>.git
chown -R gituser:users <repo-name>.git
cd <repo-name>.git
git update-server-info

NOTE: I'm not entirely sure if git update-server-info must be run for each repo or just initially. It seems to work without running this command, but I'm suspcicious that it might cause problems later.

Add NAS as Remote for Local Repo

• Clone repo from NAS

git clone ssh://[email protected]/volume1/git/<repo-name>.git

References

http://blog.osdev.org/git/2014/02/13/using-git-on-a-synology-nas.html http://stackoverflow.com/questions/20074692/set-up-git-on-a-nas-with-synologys-official-package http://www.heidilux.com/2014/02/setup-git-server-synology-nas/

The "NO interactive users" comes from the file ~gituser/git-shell-commands/no-interactive-login

This file is sourced by git-shell which is the assigned shell for gituser once it is associated with GIT.

You can remove this file

rm ~gituser/git-shell-commands/no-interactive-login

OR rename it

mv ~gituser/git-shell-commands/no-interactive-login ~gituser/git-shell-commands/no-interactive-login.HOLD

Remember to move it back or recreate once you are done.

I would login and check if you can initialise a repository using the commands

You need root or admin access.

Sudo to gituser
sudo -u gituser bash

Change directory to git directory
cd /volume1/git

Create an empty git repository In this example I am calling it TestRepository. This would be the name it accessed as remotely
git --bare init TestRepository.git

Finally remember when adding the repository into windows, linux or OS X git tools you must use the full name TestRepository.git.

Trouble shooting the requirement for password

First check what it is doing using the ssh client in verbose mode.

ssh -vvv [email protected]

You are looking for information on matching keys etc.

Be aware that it could be rejected because .ssh/authorized_keys does not exist or permissions are incorrect on the file or the .ssh directory on the Synology. You also need to be aware of name or IP address mismatches between files. If your id_rsa.pub file has an old hostname or IP address in it then this will not match.

The ssh client will require a password if you have created a password on your private key file on your local machine. It is difficult to remove this and not break other things, so i would recommend you creating another one.

ssh-keygen -t rsa -f gituser_rsa

Generating an ssh key on a mac os x

You will then need to append the gituser_rsa.pub file onto the .ssh/authorized_keys file.

Hope these things help.

Hi,

Thanks for the post!

• To make "password-less ssh" work, aside from @gazgeek's suggestion, I also find out that I need to change the permission of the user folder (that contains .ssh) to 755. Previously it was 711:

chmod 755 /home/gituser

Reference:
http://superuser.com/questions/736055/ssh-with-no-password-passwordless-on-synology-dsm-5-as-other-non-root-user

With your tip I could make it work for my buddy who is a non-root user and needs access to my git repository.
Thanks for sharing!

Hi, thanks for your above comments,
this is what I have done on my Synology.

On Diskstation interface.

1. Create gituser.
2. Create git shared folder.
3. Grand access for gituser to the shared folder.
4. Enable SSH access (Control Panel > Terminal & SNMP > Enable SSH Service)
5. Install Git Server package.
6. Open Git Server and allow gituser permissions.

On local computer. (Generate SSH key pair and copy public key to Diskstation)

ssh-keygen -t rsa -b 4096
scp ~/.ssh/id_rsa.pub [email protected]:/tmp

On Diskstation SSH. (Create Git repository, configure permissions and SSH Server )

ssh [email protected]
cd /volume1/git
git init --bare --shared myrepo.git
cd ./myrepo.git
git update-server-info
sudo ln -s /volume1/git/myrepo.git /myrepo.git

sudo su -
mkdir /volume1/homes/gituser/.ssh
cat /tmp/id_rsa.pub >> /volume1/homes/gituser/.ssh/authorized_keys
chown -R gituser:users /volume1/homes/gituser/.ssh
chmod 755 /volume1/homes/gituser
chmod 711 /volume1/homes/gituser/.ssh/
chmod 600 /volume1/homes/gituser/.ssh/authorized_keys

vim /etc/ssh/sshd_config
    RSAAuthentification yes
    PubkeyAuthentification yes
synoservicectl --reload sshd

On local computer.
git clone ssh://[email protected]/myrepo.git

@walkerjeffd @denrzh Hi all could someone please advise. I followed all the steps but when I open the application Git Server my list of users is empty! Why are no users showing up at all on the GitServer app? I'm logged in as a user who has admin access.

@walkerjeffd @denrzh Hi all could someone please advise. I followed all the steps but when I open the application Git Server my list of users is empty! Why are no users showing up at all on the GitServer app? I'm logged in as a user who has admin access.

Hi mate! It's blank for me too, as I don't need to restrict the use of the git shell to specific users.
Since all my users can use git repositories, i manage their permission through the configured gituser - as discussed above.

Please make sure to check the hint in the documentation when you click the "?" in that GIT server dialog:

(Sorry, my NAS is setup in German, but I guess the English documentation will provide the same information.)

The issue can be resolved by editing "appPriv" in SYNO.Git.lib file.
cat /var/packages/Git/target/webapi/SYNO.Git.lib

Before appPriv edit.
{"SYNO.Git.lib": {"allowUser": ["admin.local", "admin.domain", "admin.ldap"], "appPriv": "SYNO.SDS.GIT.Instance", "authLevel": 1, "lib": "/var/packages/Git/target/webapi/SYNO.Git.so", "maxVersion": 1, "methods": {"1": [{"enum_user": {"grantable": true}}, {"apply": {"grantable": true}}]}, "minVersion": 1, "priority": 0}}

After appPriv edit.
{"SYNO.Git.lib": {"allowUser": ["admin.local", "admin.domain", "admin.ldap"], "appPriv": "", "authLevel": 1, "lib": "/var/packages/Git/target/webapi/SYNO.Git.so", "maxVersion": 1, "methods": {"1": [{"enum_user": {"grantable": true}}, {"apply": {"grantable": true}}]}, "minVersion": 1, "priority": 0}}

@walkerjeffd @denrzh Hi all could someone please advise. I followed all the steps but when I open the application Git Server my list of users is empty! Why are no users showing up at all on the GitServer app? I'm logged in as a user who has admin access.

Hi mate! It's blank for me too, as I don't need to restrict the use of the git shell to specific users.
Since all my users can use git repositories, i manage their permission through the configured gituser - as discussed above.

Please make sure to check the hint in the documentation when you click the "?" in that GIT server dialog:

(Sorry, my NAS is setup in German, but I guess the English documentation will provide the same information.)

@denrzh It works!!! , thanks, but i do not know why

Hi, thanks for your above comments,
this is what I have done on my Synology.

On Diskstation interface.

1. Create gituser.
2. Create git shared folder.
3. Grand access for gituser to the shared folder.
4. Enable SSH access (Control Panel > Terminal & SNMP > Enable SSH Service)
5. Install Git Server package.
6. Open Git Server and allow gituser permissions.

On local computer. (Generate SSH key pair and copy public key to Diskstation)

ssh-keygen -t rsa -b 4096
scp ~/.ssh/id_rsa.pub [email protected]:/tmp

On Diskstation SSH. (Create Git repository, configure permissions and SSH Server )

ssh [email protected]
cd /volume1/git
git init --bare --shared myrepo.git
cd ./myrepo.git
git update-server-info
sudo ls -s /volume1/git/myrepo.git /myrepo.git

sudo su -
mkdir /volume1/homes/gituser/.ssh
cat /tmp/id_rsa.pub >> /volume1/homes/gituser/.ssh/authorized_keys
chown -R gituser:users /volume1/homes/gituser/.ssh
chmod 755 /volume1/homes/gituser
chmod 711 /volume1/homes/gituser/.ssh/
chmod 600 /volume1/homes/gituser/.ssh/authorized_keys

vim /etc/ssh/sshd_config
    RSAAuthentification yes
    PubkeyAuthentification yes
synoservicectl --reload sshd

On local computer.
git clone ssh://[email protected]/myrepo.git

Thank you very much for your great instructions!

I think there's a typo "sudo ls -s". It should be "ln" instead of "ls".

It seems Synology removed interactive command support in their packaged version of git:

https://community.synology.com/enu/forum/8/post/147518

If you get the 'fatal: git package does not support interactive shell' messages, then that's why.

A workaround (discussed in the linked forum) to remove the Syno package, install community, get the git-shell executable, remove community and reinstall Syno git package, and overwrite their version of git-shell. You have to do it as root so be careful what you type.

Multiple units, DSM7.0, Synology GIT server package: 2.26.2-1015

@dmurphyoz I have been trying to follow your scripts but the problem I ran into is that the remote execution could not find these scripts.
running a remote env command gives PATH=/usr/bin:/bin:/usr/sbin:/sbin. The login shell of gituser is /bin/sh, I tried to add a ~/.profile, ~/.shinit file, did not load, I also tried to change the login shell to /bin/bash but then access was denied. Could you provide more insight? I'm using DSM7 btw.

Create repositories remotely using supported mechanism

Thank you for this guide! It is extremely useful. Thank you @walkerjeffd

Six years on and this still seems the best documentation available for this process - thank you. Unfortunately I did not find it until near the end of the process.
In my case I was using DSM 7.1.? and then then found I could manually upgrade to 7.2.1.
Each version upgrade seems to tie the system down even tighter in terms of "security", but the measures taken seem to me somewhat arbitrary. There are at least three layers of actively blocking me trying to get a login shell for the git user (just so I can get things set up).

Here are some other observations people might find useful

Openssh requirements for public key use.

From the manual for opensshd, on Linux systems it requires only that group and other permissions are set to be not writable. Whether you apply mode 0600, 700, 711 or 755 should not make any difference. As mentioned, this requirement applies to:

1. the git user's login dir,
2. ~/.ssh and
3. authorized_keys under that.

What I don't know the answer to is how much DSM's default to inherited ACL permissions breaks this.
The presence of a "+" in the permission list of ls -l indicates ACLs are in operation and the unix-mode flags are fabrications. In some cases, different users will see different flags shown for the same directory.
Using chmod on a file or directory will disable the ACLs and assign the unix-mode values you have specified, but if your home directory is not set suitably then you may think it is safe, but to root it reports as world- or group-writable.
In the end, I used the undocumented synoacltool to remove inheritance and delete write-access to 'admin'. So, the lesson is, if you see a "+" on the permission flags with ls then apply a chmod, even if the values already look ok.

Did Synology modify opensshd to take ACLs into account? I doubt it.

sftp chroot

Another thing that threw me for a bit was that ssh in a default config will log you in with access to the full file system. However, sftp and scp do something like a chroot and they only expose shared folders you have permission to access.
So, what looks like /volume1/gitfiles/ when you log in, becomes /gitfiles under sftp and scp. And the default starting folder with scp is not your home dir - I've not found a way that does not need a full path specified.

2024 - this all still seems to be a problem.
I rarely fiddle with SSH keys, so I wonder - my client only prompts me to give it a private key… this instruction does also… I'd assume, since this is the host, that it also (should) issue certificates. How'd I go about that?

Thanks for this precious piece of information.

Just a couple of comments, maybe other people may found these helpful:

1. in my case, on a DS214+, home directories are under /var/services/homes
2. for SCP to work, I had to add the legacy compatibility flag -O otherwise i was getting the error subsystem request failed on channel 0

Even if your guide does not mention SSHing with gituser, I want to point out that after installing the git service, every user - except root - won't connect anymore on SSH giving the error fatal: git package does not support interactive shell.
To fix this, you will need to edit /etc/passwd and restore /bin/sh as the login shell for all affected users.

In addition to this, if you create bare repository directly SSHing with gituser, you won't need to change permissions or ownership of the repo directories.

I just found another approach which worked for me:

1. login with your Synology admin account (should not me "admin" anymore ;-)) from your client machine using ssh (ssh must be enabled as the diskstation, of course)
2. go to the location where your git repo will live, e.g. /volume1/git-repos
3. create a repo sub directory, e.g. my-repo,
4. enter the repo sub directory and initialize a bare git repo: git init --bare
5. enter the diskstation GUI as admin, go to the created sub directory and change the user recursively (check box below) for the whole repo directory; let's assume, the user is git-user (changing the user at the ssh prompt will not work!)
6. go to your client machine and clone the repo with: git clone ssh://git-user@diskstation:22/volume1/git-repos/my-repo
   Note: The ssh port may be different on your machine;  diskstation is the DNS name of your diskstation; /volume1/git-repos/my-repo is the full path to the created repo sub directory. 
7. a password prompt for git-user gets displayed where the according password needs to be entered

I guess, for multi user scenarios this will also work if the a special git-users group is created with all git users in it and the created repo directory is assigned to this group with read/write permissions (not tested).

For single user scenarios I observed that if a git repo is created under /var/services/homes/<user>/git/<repo> it is accessible through ssh://<user>@diskstation:22/var/services/homes/<user>/git/<repo>. Maybe, with the git user group approach from above it will also work in multi user scenarios.

DS213j:DSM 6.2.4-25556 Update 8

thanks