Jeremiah Mahler

home

Setting up Gitolite

29 Jun 2013

Git by itself does not provide any mechanism for fine grained access to a single project by multiple people. Gitolite adds a layer on top of Git which provides this ability.

Gitolite Installation

Gitolite works by having multiple public keys stored for a single git user.

The first step is to add the user git.

sudo adduser --disabled-login --disabled-password git
# or, with useradd instead of adduser
sudo useradd git
sudo passwd -d git

It is a smart idea to limit the priveleges of the git account since normally no one would ever login under this user. The only access should be through sudo.

git clone git://github.com/sitaramc/gitolite
mkdir $HOME/bin
gitolite/install -to $HOME/bin

Finally we need to install a public ssh key to enable access for the first user. In this example it is copied out of a users directory and then added by the git user.

(another terminal for the user jeri)
cp .ssh/id_rsa.pub /tmp/jeri.pub

(git user)
$HOME/bin/gitolite setup -pk /tmp/jeri.pub

After this point all further administration tasks are performed by checking out (clone) the gitolite-admin project.

jeri$ git clone git@hudson.localdomain:gitolite-admin

To add a new user add their public key to:

gitolite-admin/keydir/<name>.pub

And to create a new project edit gitolite.conf.

gitolite-admin/conf/gitolite.conf

Install Without a git User

Ideally when Gitolite is installed it would be done under a new git user which wouldn’t have access to any sensitive data. But in some cases it may not be possible to create a new account. Perhaps you want to setup a Git repo under the account where your website is hosted, for example.

To accomplish this the Gitolite install is performed the same as before except under some non-git user. But complications arise when a user tries to access the account. The user needs to be able to do two different things: login using ssh and checkout Git projects. But Gitolite takes over the user key so that it runs the Gitolite shell is invoked makes it impossible to login with this key.

To fix problem the client needs to setup a ~/.ssh/config. Using the ssh config it is possible to configure it to use a particular key for a particular host. So, assuming you can get a git. DNS entry added, it should be possible to both login and access Git.

The following is an example ~/.ssh/config. Essentially it says when accessing git.example.com using the keys with the prefix id_rsa.git and login as the user miah. In all other cases it will use just the standard id_rsa prefixed keys.

Host git.example.com 
IdentityFile ~/.ssh/id_rsa.git
User miah

The following command would create the key for the above example.

ssh-keygen -t rsa -f ~/.ssh/id_rsa.git

Now it is possible to both login and checkout Git projects from a single user account.

$ git clone miah@git.example.com:testing

$ ssh miah@example.com

Jeremiah Mahler
jmmahler@gmail.com

github.com/jmahler