Preserving authentication whilst bypassing SSH


Mike

Jun 18, 2022, 1:17:11 AM
to gitolite
Hello,

I have a server that runs gitolite (very well, thanks a lot!). Users have accounts on the same server for remote development purposes.

Is there an easy and correct way to set up gitolite so you can do git pushes entirely server side, without involving SSH at all? At the moment the only obvious way is to upload your ssh private key to the server itself which is not ideal.

Obviously, UNIX permissions normally go a long way towards solving this. However, just pushing directly to the repo whilst bypassing gitolite is clearly not how it's meant to be used, and new repos wouldn't have the right permissions set anyway. If anyone has done this and can advise, it'd be appreciated!

Stephen Morton

Jun 18, 2022, 11:15:31 AM
to Mike, gitolite
You could perhaps write your own wrapper around gitolite-shell with a suid command allowed in /etc/sudoers, but at that point, you're probably better off involving ssh.

Any reason why you don't want ssh? If you're worried about ssh key troubles, you could use an alias for the remote in each user's ~/.ssh/config for each user. The git remote would be ssh://mygithost/path/to/repo.git . And the .ssh/config file would be something like this:

Host mygithost
    Hostname gitserver1.company.com
    User git
    IdentityFile ~/.ssh/my_git_id_rsa

Steve


--
You received this message because you are subscribed to the Google Groups "gitolite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitolite+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gitolite/30c97de3-c267-41ce-8b21-2d8fcad0ac6dn%40googlegroups.com.

Sitaram Chamarty

Jun 19, 2022, 5:08:37 AM
to Stephen Morton, Mike, gitolite
[for some reason I no longer get the first email from a new user
-- the one that I release from the "hold" queue because it's a
new list member! So I'm replying to Stephen's mail instead]

As I understand your message (Mike), you have a hosting user,
say, "git", and developers have their own accounts on the same
box (e.g., alice, bob, etc.).

Without ssh there is no way to do this *and* properly enforce
gitolite's access controls.

Like Stephen, I'm also curious why not ssh? There's hardly any
overhead especially if you're on "localhost" so why not?

regards
sitaram

Konstantin Ryabitsev

Jun 20, 2022, 11:01:07 AM
to Mike, gitolite
On Fri, Jun 17, 2022 at 06:39:09AM -0700, Mike wrote:
> Hello,
>
> I have a server that runs gitolite (very well, thanks a lot!). Users have
> accounts on the same server for remote development purposes.
>
> Is there an easy and correct way to set up gitolite so you can do git
> pushes entirely server side, without involving SSH at all? At the moment
> the only obvious way is to upload your ssh private key to the server itself
> which is not ideal.

1. It would be better to use ssh-agent forwarding instead of uploading keys.
2. If your users are not able to set that up for some reason (that I can't
think of), you can also have dedicated keys generated and used just on that
server. In gitolite, you can put these dedicated keys into a separate
subdirectory under "keydir", e.g. for user "bob" you would have
keydir/bob.pub and keydir/onserver/bob.pub.

-K
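To make the keydir layout Konstantin describes concrete, here is a small added script (not gitolite's own code) that maps key files in a gitolite-admin checkout to the gitolite user they grant access as, so an admin can see that keydir/bob.pub and keydir/onserver/bob.pub are two independently revocable keys for the same user. The sample tree is constructed; the naming rules applied are gitolite's documented ones (subdirectories ignored, "user@tag.pub" is another key for "user", an email-style name keeps the "@").

```python
#!/usr/bin/env python3
"""Added example (not gitolite's own code): map key files in a gitolite-admin
keydir/ tree to the gitolite username they grant access as.

keydir/bob.pub and keydir/onserver/bob.pub are two keys for the same user
"bob"; deleting one file and pushing gitolite-admin revokes just that key,
so a dedicated on-server key can be retired without touching the workstation key.
"""
import re
from pathlib import PurePosixPath


def username_from_keyfile(path: str) -> str:
    """Return the gitolite user a key file maps to.

    Rules (from gitolite's ssh key documentation):
      * subdirectories under keydir/ are ignored; only the file name matters
      * the '.pub' suffix is stripped
      * 'bob@laptop.pub' is a second key for 'bob'
      * 'bob@example.com.pub' keeps the whole name, because the part after
        '@' contains a '.', which gitolite treats as an email-style username
    """
    name = PurePosixPath(path).name
    if not name.endswith(".pub"):
        raise ValueError(f"not a public key file: {path}")
    stem = name[: -len(".pub")]
    m = re.fullmatch(r"([^@]+)@([^@]+)", stem)
    if m and "." not in m.group(2):
        return m.group(1)
    return stem


def keys_per_user(paths):
    """Group key files by user, so an admin can audit which keys each
    account has before revoking one."""
    out = {}
    for p in paths:
        out.setdefault(username_from_keyfile(p), []).append(p)
    return out


# Constructed sample tree of a gitolite-admin checkout (not a real server).
SAMPLE_KEYDIR = [
    "keydir/bob.pub",
    "keydir/onserver/bob.pub",
    "keydir/alice.pub",
    "keydir/alice@laptop.pub",
    "keydir/carol@example.com.pub",
]

if __name__ == "__main__":
    for user, files in sorted(keys_per_user(SAMPLE_KEYDIR).items()):
        print(f"{user}: {len(files)} key(s) -> {', '.join(files)}")
```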

Mike Hearn

Jun 27, 2022, 12:09:32 PM
to Konstantin Ryabitsev, gitolite
Yes, there are workarounds like generating custom keys. I was wondering if there is something more direct than loopback ssh connections, but seems not.

Why not ssh agent forwarding - it can be done but there are some setups where it's awkward e.g. Windows, non-expert SSH users, and IntelliJ's new remote development feature where it logs in via ssh using a built-in client.

For now it's not urgent. If it becomes so I might look at the suid binary approach.

Sitaram Chamarty

Jun 29, 2022, 10:23:43 PM
to Mike Hearn, Konstantin Ryabitsev, gitolite
On Wed, Jun 22, 2022 at 07:15:35PM +0200, Mike Hearn wrote:
> Yes, there are workarounds like generating custom keys. I was wondering if
> there is something more direct than loopback ssh connections, but seems not.

There is, because I wanted the test suite to run much (much)
faster than even local ssh would.

Look in t/glt, lines 21 to 31, and corresponding programs
t/gitolite-upload-pack and t/gitolite-receive-pack.

They will continue to work (because the test suite uses this
mechanism) but it's not the preferred mode of using gitolite.

sitaram

>
> Why not ssh agent forwarding - it can be done but there are some setups
> where it's awkward e.g. Windows, non-expert SSH users, and IntelliJ's new
> remote development feature where it logs in via ssh using a built-in client.
>
> For now it's not urgent. If it becomes so I might look at the suid binary
> approach.
>