Can gitolite be configured to use an alternative authorized keys file?


vfclists

Mar 20, 2021, 9:40:13 PM
to gitolite

I am trying out a system where keys to run gitolite are separate from those of regular account users.

The SSH server runs on multiple ports and a separate port is used for gitolite.

The different ports use different authorized keys files and I wonder if gitolite can be configured to use those.



Sitaram Chamarty

Mar 20, 2021, 9:52:47 PM
to vfclists, gitolite
On Sat, Mar 20, 2021 at 05:09:16AM -0700, vfclists wrote:
>
> I am trying out a system where keys to run gitolite are separate from those
> of regular account users.

I'm curious why? You should be using a dedicated **hosting
user** [1] for gitolite, so the keys would be separate anyway.

[1]: https://gitolite.com/gitolite/concepts.html#the-hosting-user

> The SSH server runs on multiple ports and a separate port is used for
> gitolite.

same question, but anyway...

> The different ports use different authorized keys files and I wonder if
> gitolite can be configured to use those.

In theory yes; the only required change would be in line 32 of
src/triggers/post-compile/ssh-authkeys. There are a few other
places where this appears but they're not required if you don't
use those features.

In practice, I'd consider making sure this is not an X-Y problem
before going down that path.

vfclists

Mar 21, 2021, 5:29:30 AM
to gitolite
On Sunday, March 21, 2021 at 1:52:47 AM UTC sita...@gmail.com wrote:
> On Sat, Mar 20, 2021 at 05:09:16AM -0700, vfclists wrote:
> >
> > I am trying out a system where keys to run gitolite are separate from those
> > of regular account users.
>
> I'm curious why? You should be using a dedicated **hosting
> user** [1] for gitolite, so the keys would be separate anyway.

On my personal repos I am usually acting as the gitolite administrator, a normal user of the git repository,
as well as the regular user of the Linux account, all of which use different authorization keys.

The keys conflict with each other when they are on the key chain at the same time and I need to be adding and deleting
from the key chain when I'm switching between git access and regular account access.

Having different authorized key files for different ports means the keys can be on the key chain at the same time.

Anyway, I've come to the conclusion that it will be better to leave the default authorized_keys for utilities like
gitolite and use alternate ports with other authorized_keys files for regular access.

Sitaram Chamarty

Mar 21, 2021, 5:41:04 AM
to vfclists, gitolite
On Sun, Mar 21, 2021 at 02:29:30AM -0700, vfclists wrote:
>
>
> On Sunday, March 21, 2021 at 1:52:47 AM UTC sita...@gmail.com wrote:
>
> > On Sat, Mar 20, 2021 at 05:09:16AM -0700, vfclists wrote:
> > >
> > > I am trying out a system where keys to run gitolite are separate from
> > those
> > > of regular account users.
> >
> > I'm curious why? You should be using a dedicated **hosting
> > user** [1] for gitolite, so the keys would be separate anyway.
> >
> >
>
> On my personal repos I am usually acting as the gitolite administrator, a
> normal user of the git repository,
> as well as the regular user of the Linux account, all of which use different
> authorization keys.

on the same server account I assume...

> The keys conflict with each other when they are on the key chain at the
> same time and I need to be adding and deleting
> from the key chain when I'm switching between git access and regular
> account access.

no you don't. Use a ~/.ssh/config something like this:

identitiesonly yes

host me
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-me

host gito
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-gitolite-normal-user

host gito-a
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-gitolite-admin-user

then you type `ssh me` to login and get a shell, `git clone
gito:reponame` to clone as a normal user, and `git clone
gito-a:gitolite-admin` to clone as gitolite administrator.

> Having different authorized key files for different ports
> means the keys can be on the key chain at the same time.

have all of them on your keychain; the identityfile directive
makes sure the correct one is chosen.

(The identitiesonly directive has a different purpose; it's only
really needed when you have lots of keys in your agent. You may
not need it but it's useful anyway, in case you later add many
more keys for many more machines/users.)
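The ~/.ssh/config above works because ssh resolves options per alias with "first obtained value wins": the global `identitiesonly yes` at the top applies to every host and cannot be overridden by a later Host block, while each alias picks up its own `identityfile`. This added example (not from the thread or from gitolite) embeds that config as a constructed sample and resolves the effective options for an alias the way ssh_config(5) describes; `!` negation in Host patterns is assumed unused and is not handled.

```python
import fnmatch
import re

# The ~/.ssh/config from the thread, embedded as a constructed sample.
SSH_CONFIG = """\
identitiesonly yes

host me
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-me

host gito
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-gitolite-normal-user

host gito-a
user me
hostname 1.2.3.4
identityfile ~/.ssh/key-for-gitolite-admin-user
"""

# ssh_config lines are "Key value" or "Key=value"; keys are case-insensitive.
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")

def parse(text):
    """Return [(host_patterns, {option: value}), ...]; options before the
    first Host line form a global block matching every alias ('*')."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, value = _LINE.match(line).groups()
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))  # "Host a b" lists patterns
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins
    return blocks

def resolve(alias, text=SSH_CONFIG):
    """Effective options for `ssh alias`: walk blocks in file order, keep the
    first value seen for each option (ssh_config(5) semantics)."""
    effective = {}
    for patterns, options in parse(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective
```

`resolve("gito-a")` yields the admin key, `resolve("gito")` the normal-user key, and appending a later `host gito` block with `identitiesonly no` still leaves `yes` in effect, which is the caveat to remember when you put global options first.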

vfclists

Mar 21, 2021, 7:42:41 AM
to gitolite
I used the IdentityFile option on all the connections with the "IdentitiesOnly yes"
option in the past and it didn't work the way I expected. It interfered with
the ssh-agent.

I have tried it again on your suggestion and it seems to work as expected.

I may have used the wrong options or syntax in the past.

Thanks for the suggestion, I will see how it goes.


