Difference between revisions of "Gitolite"

From ArchWiki
Jump to: navigation, search
m (Update installation section)
(ssh users: rewrite - fix language and style, refer to the official documentation)
 
(39 intermediate revisions by 12 users not shown)
Line 1: Line 1:
 
[[Category:Version Control System]]
 
[[Category:Version Control System]]
[https://github.com/sitaramc/gitolite/wiki/ Gitolite] allows you to host Git repositories easily and securely.
+
[[ja:Gitolite]]
 +
[https://github.com/sitaramc/gitolite/wiki/ Gitolite] allows you to host Git repositories for multiple users easily and securely.
  
 
== Installation ==
 
== Installation ==
{{AUR|gitolite}} is available in the [[Arch User Repository]].
+
[[Install]] the {{Pkg|gitolite}} package.
  
It is also available on [https://github.com/sitaramc/gitolite/tree/master GitHub], where you can find the lastest update.
+
== Configuration ==
 +
Installing gitolite automatically adds the ''gitolite'' user to the system, with home directory {{ic|/var/lib/gitolite}}.
 +
 
 +
=== Admin SSH access ===
 +
 
 +
To give you admin access, copy your SSH public key to {{ic|/var/lib/gitolite/''username''.pub}}, where {{ic|username}} is your username.
 +
# install -o gitolite -g gitolite ~/.ssh/id_rsa.pub /var/lib/gitolite/''username''.pub
 +
 
 +
Then run the Gitolite setup script as the ''gitolite'' user.
 +
# sudo -u gitolite gitolite setup -pk /var/lib/gitolite/''username''.pub
 +
 
 +
This puts your public key into the gitolite-admin keydir and gives your username RW+ access to the gitolite-admin repository
 +
 
 +
You can now remove the copy of your SSH public key
 +
# rm /var/lib/gitolite/''username''.pub
 +
 
 +
Now as your user you can check that everything went correctly
 +
{{hc|$ ssh gitolite@''hostname'' info|
 +
hello ''username'', this is gitolite@''hostname'' running gitolite3 v3.6.2 on git 2.3.3
 +
 
 +
R W    gitolite-admin
 +
R W    testing
 +
}}
 +
 
 +
Do '''not''' add repositories or users directly as ''gitolite'' on the server! The server '''must''' be managed by cloning the special ''gitolite-admin'' repository
 +
$ git clone gitolite@''hostname'':gitolite-admin
 +
 
 +
For reference see [https://github.com/sitaramc/gitolite/ Gitolite].
 +
 
 +
=== Adding http(s) access via Apache (with basic authentication) ===
 +
 
 +
We need to create an suEXEC wrapper script. To satisfy suEXEC's security requirements, the script and the directory containing it must be owned by {{ic|gitolite:gitolite}} and below {{ic|/srv/http}} in the directory hierarchy. For this example, we create the directory as {{ic|/srv/http/git/cgi-bin}}.
 +
# install -o gitolite -g gitolite -d /srv/http/git/cgi-bin
 +
 
 +
Create an suEXEC wrapper for the gitolite shell with the contents below. For this example, we create it as {{ic|/srv/http/git/cgi-bin/gitolite-suexec-wrapper}}.
 +
{{hc|/srv/http/git/cgi-bin/gitolite-suexec-wrapper|2=
 +
#!/usr/bin/bash
 +
#
 +
# suEXEC wrapper for gitolite-shell
 +
#
 +
 
 +
export GIT_PROJECT_ROOT=/var/lib/gitolite/repositories
 +
export GITOLITE_HTTP_HOME=/var/lib/gitolite
 +
 
 +
exec /usr/lib/gitolite/gitolite-shell
 +
}}
 +
 
 +
Make the wrapper executable and owned by {{ic|gitolite:gitolite}}.
 +
# chown gitolite:gitolite /srv/http/git/cgi-bin/gitolite-suexec-wrapper
 +
# chmod 0755 /srv/http/git/cgi-bin/gitolite-suexec-wrapper
 +
 
 +
Create an empty password database file, owned by {{ic|gitolite:http}}
 +
# install -o gitolite -g http -m 0640 /dev/null /srv/http/git/htpasswd
  
== Configuration ==
+
Apache's basic authentication mechanism is separate from ssh, and therefore requires a separate set of credentials. Create your web users using {{ic|htpasswd}}.
Add a user
+
  # htpasswd /srv/http/git/htpasswd ''username''
  # useradd -m -U -r -s /bin/bash -d /srv/git git
+
 
# su - git
+
Add the following to your Apache vhost configuration:
$ gitolite setup -pk id_rsa.pub
+
{{bc|
 +
SuexecUserGroup gitolite gitolite
 +
ScriptAlias /git/ /srv/http/git/cgi-bin/gitolite-suexec-wrapper/
 +
 
 +
<Directory /srv/http/git/cgi-bin>
 +
    Require all granted
 +
</Directory>
  
Add to your work-machine's ~/.ssh/config:
+
<Location /git>
Host server
+
    AuthType Basic
HostName 192.168.12.2
+
    AuthName "Git Access"
User git
+
    AuthBasicProvider file
### IdentityFile specifies the private ssh-key
+
    AuthUserFile /srv/http/git/htpasswd
Identityfile ~/.ssh/id_rsa
+
    Require valid-user
 +
</Location>
 +
}}
  
 +
Restart {{ic|httpd.service}}.
  
Do NOT add repos or users directly on the server! You MUST manage the server by cloning the special 'gitolite-admin' repo on your workstation:
+
Finally, in the gitolite-admin repository you cloned in the previous section, edit {{ic|conf/gitolite.conf}}, add an {{ic|1=R = daemon}} access rule to all repositories you want to make available via http, and push the changes.
$ git clone server:gitolite-admin
 
  
 
== Add users ==
 
== Add users ==
Ask each user who will get access to send you a public key. On their workstation generate the pair of ssh keys:
 
$ ssh-keygen
 
Rename each public key according to the user's name, with a .pub extension, like sitaram.pub or john-smith.pub. You can also use periods and underscores. Have the users send you the keys.
 
  
Copy all these *.pub files to keydir in your gitolite-admin repo clone. You can also organise them into various subdirectories of keydir if you wish, since the entire tree is searched.
+
=== ssh users ===
 +
 
 +
Ask each user who will get access to send you an [[SSH keys|SSH public key]]. Rename each public key to {{ic|''username''.pub}}, where {{ic|''username''}} is the user name which will be used in {{ic|gitolite.conf}}. Then move all new public keys to the {{ic|keydir}} directory in the cloned {{ic|gitolite-admin}} repo. You can also organise them into various subdirectories of {{ic|keydir}} if you wish, since the entire tree is searched.
 +
 
 +
Finally commit and push the changes:
 +
$ git commit -a
 +
$ git push
 +
 
 +
See the [http://gitolite.com/gitolite/basic-admin/#addremove-users add/remove users] in the official documentation for details.
 +
 
 +
To grant access rights to the new users, edit the config file ({{ic|conf/gitolite.conf}} in the {{ic|gitolite-admin}} repo). See [http://gitolite.com/gitolite/conf/ the "conf" file] in the official documentation for details.
 +
 
 +
=== http(s) users ===
 +
 
 +
User management for http(s) is more suitable for single-user setups. To add a new user or to change an existing user's password:
 +
# htpasswd /srv/http/git/htpasswd ''username''
 +
 
 +
== Troubleshooting ==
 +
In case you cannot log in with the gitolite account, it may be caused by the account being locked, and depending of your ssh configuration.
 +
 
 +
If you have done some SSH hardening, it may be the cause of this behavior, as noted in [http://arlimus.github.io/articles/usepam/ SSH and locked users Article] and [http://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut Unix & Linux StackExchange - How to unlock account for public key ssh authorization, but not for password authorization].
  
Edit the config file (conf/gitolite.conf in your admin repo clone). See the gitolite.conf documentation (http://sitaramc.github.com/gitolite/admin.html#conf) for details on what goes in that file, syntax, etc. Just add new repos as needed, and add new users and give them permissions as required. The users names should be exactly the same as their keyfile names, but without the .pub extension
+
To solve this you have to allow PAM in {{ic|sshd_config}} or unlock the account by:
$ nano conf/gitolite.conf
 
  
Commit and push the changes them:
+
  # usermod -p '*' gitolite
  git commit -a
 
git push
 
  
== Gitosis-like usernames ==
+
{{hc|/etc/passwd|
If you want to distinguish users with the same login (like username@server1, username@server2) you may want to do the following (for gitolite-3.04-1):
+
...
 +
gitolite:*:16199:0:99999:7:::
 +
...
 +
}}
  
* edit /usr/lib/gitolite/triggers/post-compile/ssh-authkeys and replace
+
{{Warning|Do not leave the account in the state left by {{ic|passwd -u}} (with a blank password field). Doing that will allow logins without entering a password!}}
$user =~ s/(\@[^.]+)?\.pub$//;    # baz.pub, baz@home.pub -> baz
 
by
 
$user =~ s/\.pub$//;              # baz@home.pub -> baz@home
 
* update authorized_keys file (for example, by pushing into gitolite-admin repo)
 
  
 
== See also ==
 
== See also ==
http://sitaramc.github.com/gitolite/index.html
+
* [http://sitaramc.github.com/gitolite/index.html Gitolite Site]
 +
* [http://arlimus.github.io/articles/usepam/ SSH and locked users Article]
 +
* [http://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut Unix & Linux StackExchange - How to unlock account for public key ssh authorization, but not for password authorization]

Latest revision as of 12:18, 28 October 2017

Gitolite allows you to host Git repositories for multiple users easily and securely.

Installation

Install the gitolite package.

Configuration

Installing gitolite automatically adds the gitolite user to the system, with home directory /var/lib/gitolite.

Admin SSH access

To give you admin access, copy your SSH public key to /var/lib/gitolite/username.pub, where username is your username.

# install -o gitolite -g gitolite ~/.ssh/id_rsa.pub /var/lib/gitolite/username.pub

Then run the Gitolite setup script as the gitolite user.

# sudo -u gitolite gitolite setup -pk /var/lib/gitolite/username.pub

This puts your public key into the gitolite-admin keydir and gives your username RW+ access to the gitolite-admin repository

You can now remove the copy of your SSH public key

# rm /var/lib/gitolite/username.pub

Now as your user you can check that everything went correctly

$ ssh gitolite@hostname info
hello username, this is gitolite@hostname running gitolite3 v3.6.2 on git 2.3.3

 R W    gitolite-admin
 R W    testing

Do not add repositories or users directly as gitolite on the server! The server must be managed by cloning the special gitolite-admin repository

$ git clone gitolite@hostname:gitolite-admin

For reference see Gitolite.

Adding http(s) access via Apache (with basic authentication)

We need to create an suEXEC wrapper script. To satisfy suEXEC's security requirements, the script and the directory containing it must be owned by gitolite:gitolite and below /srv/http in the directory hierarchy. For this example, we create the directory as /srv/http/git/cgi-bin.

# install -o gitolite -g gitolite -d /srv/http/git/cgi-bin

Create an suEXEC wrapper for the gitolite shell with the contents below. For this example, we create it as /srv/http/git/cgi-bin/gitolite-suexec-wrapper.

/srv/http/git/cgi-bin/gitolite-suexec-wrapper
#!/usr/bin/bash
#
# suEXEC wrapper for gitolite-shell
#

export GIT_PROJECT_ROOT=/var/lib/gitolite/repositories
export GITOLITE_HTTP_HOME=/var/lib/gitolite

exec /usr/lib/gitolite/gitolite-shell

Make the wrapper executable and owned by gitolite:gitolite.

# chown gitolite:gitolite /srv/http/git/cgi-bin/gitolite-suexec-wrapper
# chmod 0755 /srv/http/git/cgi-bin/gitolite-suexec-wrapper

Create an empty password database file, owned by gitolite:http

# install -o gitolite -g http -m 0640 /dev/null /srv/http/git/htpasswd

Apache's basic authentication mechanism is separate from ssh, and therefore requires a separate set of credentials. Create your web users using htpasswd.

# htpasswd /srv/http/git/htpasswd username

Add the following to your Apache vhost configuration:

SuexecUserGroup gitolite gitolite
ScriptAlias /git/ /srv/http/git/cgi-bin/gitolite-suexec-wrapper/

<Directory /srv/http/git/cgi-bin>
    Require all granted
</Directory>

<Location /git>
    AuthType Basic
    AuthName "Git Access"
    AuthBasicProvider file
    AuthUserFile /srv/http/git/htpasswd
    Require valid-user
</Location>

Restart httpd.service.

Finally, in the gitolite-admin repository you cloned in the previous section, edit conf/gitolite.conf, add an R = daemon access rule to all repositories you want to make available via http, and push the changes.

Add users

ssh users

Ask each user who will get access to send you an SSH public key. Rename each public key to username.pub, where username is the user name which will be used in gitolite.conf. Then move all new public keys to the keydir directory in the cloned gitolite-admin repo. You can also organise them into various subdirectories of keydir if you wish, since the entire tree is searched.

Finally commit and push the changes:

$ git commit -a
$ git push

See the add/remove users in the official documentation for details.

To grant access rights to the new users, edit the config file (conf/gitolite.conf in the gitolite-admin repo). See the "conf" file in the official documentation for details.

http(s) users

User management for http(s) is more suitable for single-user setups. To add a new user or to change an existing user's password:

# htpasswd /srv/http/git/htpasswd username

Troubleshooting

In case you cannot log in with the gitolite account, it may be caused by the account being locked, and depending of your ssh configuration.

If you have done some SSH hardening, it may be the cause of this behavior, as noted in SSH and locked users Article and Unix & Linux StackExchange - How to unlock account for public key ssh authorization, but not for password authorization.

To solve this you have to allow PAM in sshd_config or unlock the account by:

# usermod -p '*' gitolite
/etc/passwd
...
gitolite:*:16199:0:99999:7:::
...
Warning: Do not leave the account in the state left by passwd -u (with a blank password field). Doing that will allow logins without entering a password!

See also