Configuring ssh for Phabricator to use the default port and daemon

I don’t know if anyone has talked about this before or not, but I have discovered that it is really easy to set up ssh access for Phabricator without running a separate daemon on a nonstandard port. The magic that allows this is OpenSSH’s sshd_config directive Match. All of the necessary config options for Phabricator’s normal ssh setup are valid in a Match block. My vcs-user is simply git because I don’t intend to use any other vcs. Following all of the directions for setting up ssh in the documentation, with the exception of the sshd_config stuff, I did this in five minutes by adding the following to the end of my normal /etc/ssh/sshd_config:

Match User git
        AllowAgentForwarding no
        AllowTcpForwarding no
        PasswordAuthentication no
        AuthorizedKeysFile none
        AuthorizedKeysCommand /usr/libexec/
        AuthorizedKeysCommandUser git

and it worked just as expected, including pinging conduit.

I think this should be added to the documentation in some way, either as the recommended practice or an “if you don’t want to do it our way” method. What does everyone think about this?
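
The following check is an added example, not part of the original post or of Phabricator: it parses an sshd_config and reports whether the directives from the Match block above actually apply to the vcs user and to nobody else. The function names, the sample config and the AuthorizedKeysCommand path (a placeholder, since the post's path is cut off) are assumptions.

```python
# Added example: which Match-block directives apply to one user.
# Assumption: only "Match User name[,name...]" with literal names is handled.
REQUIRED = {  # directives from the post's Match block, keywords lower-cased
    "allowagentforwarding": "no",
    "allowtcpforwarding": "no",
    "passwordauthentication": "no",
    "authorizedkeysfile": "none",
    "authorizedkeyscommanduser": "git",
}

SAMPLE = """\
# constructed sample config, not taken from a real server
PasswordAuthentication yes
AllowTcpForwarding yes

Match User git
        AllowAgentForwarding no
        AllowTcpForwarding no
        PasswordAuthentication no
        AuthorizedKeysFile none
        AuthorizedKeysCommand /path/to/ssh-hook-placeholder
        AuthorizedKeysCommandUser git
"""

def match_overrides(config_text, user):
    """Return {keyword: value} set in Match blocks that apply to `user`."""
    overrides, applies = {}, False
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword == "match":
            # A Match block runs until the next Match line or end of file.
            crit = value.split()
            applies = (len(crit) == 2 and crit[0].lower() == "user"
                       and user in crit[1].split(","))
        elif applies:
            overrides.setdefault(keyword, value)  # first value obtained wins
    return overrides

def audit(config_text, user="git"):
    """Return required keywords that are missing or wrong for `user`."""
    got = match_overrides(config_text, user)
    bad = [k for k, v in REQUIRED.items() if got.get(k, "").lower() != v]
    if not got.get("authorizedkeyscommand"):
        bad.append("authorizedkeyscommand")
    return bad
```

Because the block extends to the end of the file, any directive later appended below it is scoped to git rather than applied globally, which `match_overrides` makes visible. On a live host, `sshd -t` checks the edited file for syntax errors before the daemon is reloaded.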


