Installing Secure Git with Gitosis
Gitosis — making hosting multiple Git repositories manageable
Gitosis is a tool for managing hosted git repositories.
There’s a bit of a blurb here since the main page doesn’t really say anything about what it’s for &c.
gitosis aims to make hosting git repos easier and safer. It manages multiple repositories under one user account, using SSH keys to identify users. End users do not need shell accounts on the server, they will talk to one shared account that will not let them run arbitrary commands.
It is written in Python, not that that really matters but if I do want to jump in and fix/enhance something I’ll be in familiar territory.
On all of my systems, I keep all the stuff I install from source in /usr/local/src, so that is where I installed gitosis on my Linux server. You may need to sudo some of these depending on your setup:
    # cd /usr/local/src
    # git clone git://eagain.net/gitosis.git
    # cd gitosis
    # python setup.py install
So far, so good.
Now, somewhat following the instructions at Garry Dolley’s Blog…
First snag is that, on the version of Linux I’m running on this particular server (CentOS 4), the long forms of the options to adduser don’t exist so I ended up using:
    # sudo adduser \
        -s /bin/sh \
        -d /home/git \
        git
Just to make sure I wasn’t adding a user who could log in with no password, I tried ssh-ing into the server as the ‘git’ user. The ‘git’ user could not log in. So far so good.
On my main machine (Mac), I ran
    # cd ~
    # ssh-keygen -t rsa
to generate an RSA key (I only had a DSA-flavored key), and copied it up to the /tmp directory on my Linux server.
Then I ran:
# sudo -H -u git gitosis-init < /tmp/id_rsa.pub
This creates the gitosis configuration repository, gitosis-admin.git, in /home/git/repositories/.
The -H sets the HOME environment variable to the home of the user (/home/git, in this case) so that gitosis-init creates its configuration repository in the right place.
The -u makes the command get run as the supplied user (git).
As per the instructions, I also ran:
# sudo chmod 755 /home/git/repositories/gitosis-admin.git/hooks/post-update
Then, to get the ball rolling, I fetched the configuration repository to my local machine — I put it in my home directory, for now.
    # cd ~
    # git clone git@MY_SERVER_HOSTNAME:gitosis-admin
    # cd gitosis-admin
There’s not much there yet, just gitosis.conf and the keydir.
This is where the fun begins. By creating entries for new repositories in the gitosis.conf and adding the public keys for other users in the keydir, then pushing those changes to the server, you can control access to the repositories managed by gitosis all from your local copy.
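Because a push of gitosis-admin changes who can reach which repository, it is worth checking the checkout before pushing. The following is an added example, not code from this post or from gitosis: it cross-checks the members named in gitosis.conf against the key files in keydir and lists who can write to each repository. The group, user and repository names are constructed, and the layout (`[group NAME]` sections with `members` and `writable`, `@group` references, `keydir/USER.pub`) is assumed to follow the example configuration shipped with gitosis.

```python
# Added example (not gitosis code): audit a gitosis-admin checkout before pushing.
import configparser

# Constructed sample gitosis.conf; all group, user and repo names are made up.
SAMPLE_CONF = """
[gitosis]

[group gitosis-admin]
writable = gitosis-admin
members = me@mac

[group webteam]
writable = website
members = alice bob @gitosis-admin
"""
# Constructed listing of the keydir/ directory in the same checkout.
SAMPLE_KEYDIR = ["me@mac.pub", "alice.pub", "mallory.pub"]


def audit(conf_text, keydir_files):
    """Return (members_without_key, keys_without_group, write_access)."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    keys = {f[:-4] for f in keydir_files if f.endswith(".pub")}
    groups = {s.split(None, 1)[1]: s for s in cp.sections() if s.startswith("group ")}

    def expand(group, seen=()):
        # Resolve "@othergroup" member references, guarding against cycles.
        users = set()
        if group in seen or group not in groups:
            return users
        for m in cp.get(groups[group], "members", fallback="").split():
            users |= expand(m[1:], seen + (group,)) if m.startswith("@") else {m}
        return users

    write_access = {}
    for name, section in groups.items():
        for repo in cp.get(section, "writable", fallback="").split():
            write_access.setdefault(repo, set()).update(expand(name))
    referenced = set().union(*(expand(g) for g in groups))
    return sorted(referenced - keys), sorted(keys - referenced), write_access


if __name__ == "__main__":
    missing, unused, access = audit(SAMPLE_CONF, SAMPLE_KEYDIR)
    print("members with no key file:", missing)
    print("key files not in any group:", unused)
    for repo, users in sorted(access.items()):
        print(repo, "writable by", sorted(users))
```

A member with no key file cannot authenticate, and a key file that no group references is worth removing from keydir so it cannot gain access through a later config edit.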
More on that in my next post…