So you’ve set up a secured internal Debian APT repository server for your company by allowing APT operations only over SSH with prior public key exchange. Great.

And what if your, say, unmanaged APT clients decide to SSH into your APT repository and start playing around and messing things up? OK, we need to disable shell allocation while still permitting normal APT operations.

Changing the user's default shell to something like /usr/sbin/nologin or /bin/false turned out not to be feasible (it would also deny apt-get operations). So I came up with using the “no-pty” option inside the ~/.ssh/authorized_keys file. As man sshd says, the no-pty option prevents tty allocation (a request to allocate a pty will fail), but it still permits clients to perform the normal APT operations (apt-get/aptitude update, install, remove).

So, simply edit the keys in the repo server's ~/.ssh/authorized_keys file (where ~/ stands for the home directory of your unprivileged, repository-dedicated user, isn’t it?) as in the following example:

BEFORE:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvrjJ2b3CXy1bqktcFtvibUMpu50Uypu0BdRd/hV31pVvGVKxszaadRwIrrs5tone+TV/jCdEoxRxH3sKyySw2EvNwQqKUqxH6BB6ZtumGt04fRnVyCCIvatr6sYHLZL+oNnfoD4dYO0J+7XMuOQB+krRhF2/WRgaGUBn1Dnl7z3nbxhc6Z7OFWySrp6aJqt9RTOs1y049OPoVu2237UOeSqeTqQ0kgX3hIzdL0zfMir0CAzgtzHfOT2MsbkIMyMqgqHQRBynnNaqmljPbNKjmCvIrY8Vao/l1GqAaDlRJ6BKrrzhWEOGmjr5vh85dArJub5qWvoXnDldaA/dnr8Rt root@not-so-trusted

AFTER:

no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvrjJ2b3CXy1bqktcFtvibUMpu50Uypu0BdRd/hV31pVvGVKxszaadRwIrrs5tone+TV/jCdEoxRxH3sKyySw2EvNwQqKUqxH6BB6ZtumGt04fRnVyCCIvatr6sYHLZL+oNnfoD4dYO0J+7XMuOQB+krRhF2/WRgaGUBn1Dnl7z3nbxhc6Z7OFWySrp6aJqt9RTOs1y049OPoVu2237UOeSqeTqQ0kgX3hIzdL0zfMir0CAzgtzHfOT2MsbkIMyMqgqHQRBynnNaqmljPbNKjmCvIrY8Vao/l1GqAaDlRJ6BKrrzhWEOGmjr5vh85dArJub5qWvoXnDldaA/dnr8Rt root@not-so-trusted
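
To check that every client key on the repository server actually carries the option, here is an added audit example (not part of the original post). The function names and the sample keys are constructed for illustration; it also treats the `restrict` and `pty` options from sshd(8) as affecting PTY allocation, which goes beyond the single `no-pty` case shown above.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of public key type names

def split_unquoted(text, seps, maxsplit=-1):
    # Split on separator characters that are outside double quotes.
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
    return parts + [cur]

def pty_disabled(options):
    # sshd applies options left to right, so the last relevant one wins.
    disabled = False
    for name in (o.lower() for o in options):
        if name in ("no-pty", "restrict", "pty"):
            disabled = name != "pty"
    return disabled

def audit(text):  # -> [(line_number, key_comment)] for keys that may get a PTY
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = []
        if not line.startswith(KEY_TYPES):  # line begins with an options field
            fields = split_unquoted(line, " \t", 1)
            options = split_unquoted(fields[0], ",")
            line = fields[1] if len(fields) > 1 else ""
        comment = (line.split(None, 2) + ["", "", ""])[2]
        if not pty_disabled(options):
            findings.append((n, comment))
    return findings

# Constructed sample: key blobs are shortened placeholders, not real keys.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2Econstructed1 root@not-so-trusted
no-pty ssh-rsa AAAAB3NzaC1yc2Econstructed2 root@client-a
from="10.0.0.*,10.0.1.*",no-pty ssh-ed25519 AAAAC3Nzconstructed3 root@client-b
restrict,pty ssh-ed25519 AAAAC3Nzconstructed4 root@client-c
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means only that terminal allocation is refused for every key; the other per-key options listed in sshd(8), such as no-port-forwarding, are set separately.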