
Gitolite usernames in authorized_keys file


I'll try to explain my scenario the best I can:

I'm using gitolite on a Debian squeeze server, and there are 3 users who can access and work with the repositories:

  • alex@workbox
  • alex@homebox
  • katy@workbox

The above are the corresponding usernames and hostnames of three Ubuntu boxes (Alex works from two locations).

The first thing I did was to add alex@workbox to gitolite:

  1. Alex generated his ssh key using ssh-keygen
  2. I copied his ssh key as alex@workbox.pub into the "keydir" folder of my local gitolite-admin cloned repo
  3. Modified the conf/gitolite.conf file of my local gitolite-admin cloned repo in order to give alex@workbox RW access to a repository:
    repo project1
    RW+ = alex@workbox
  4. Did the usual:
    • git add .
    • git commit -m "Added alex@workbox"
    • git push

When Alex tried to clone the project1 repo an error showed up saying that access for user "alex" was denied.
So, I logged into the server and opened /var/lib/gitolite/.ssh/authorized_keys.
The first part of the file was this:

command="/usr/share/gitolite/gl-auth-command alex",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa...

So I manually replaced alex with alex@workbox, saved the file and this time Alex was able to clone the repository and work with it without any problems.

Then I followed the same steps as above to add Katy, and after the push to gitolite-admin, I opened the authorized_keys file again and saw that gitolite had replaced the "user@hostname" with "user".
So it had alex instead of alex@workbox and the same for katy.
Then I had to manually replace that again and save the file. I saw that for every push that I do to the gitolite-admin repo, gitolite replaces every "user@hostname" with "user" in its .ssh/authorized_keys and this way makes the repositories inaccessible for the users.

How can I make gitolite keep the "user@hostname"?
Is there a configuration to make on the server or a configuration change on my local cloned gitolite-admin repo?


Solution

  • The configuration syntax mentions:

    User names and repo names are as simple as possible; they must start with an alphanumeric, but after that they can also contain ., _, or -.

    Usernames can optionally be followed by an @ and a domainname containing at least one . (this allows you to use an email address as someone's username).

    Your naming convention doesn't follow the proper syntax for having an '@'.

    You can see this rule in action in src/triggers/post-compile/ssh-authkeys:

    sub optionise {
        my $f = shift;
    
        my $user = $f;
        $user =~ s(.*/)(); # foo/bar/baz.pub -> baz.pub
        $user =~ s/(\@[^.]+)?\.pub$//; # baz.pub, baz@home.pub -> baz
    
        my @line = slurp($f);
        if ( @line != 1 ) {
            _warn "$f does not contain exactly 1 line; ignoring";
            return '';
        }
        chomp(@line);
        return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
    }
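
The filename-to-username rule quoted above, ported to Python as an added example (not part of the original answer or of gitolite): it lists the user names in a conf that no key file in keydir will ever produce. The names `conf_users` and `unmatched_users`, the simplified rule parser, and the sample key paths and conf text are assumptions constructed for illustration.

```python
import re

def derive_user(key_path):
    """Python port of the two substitutions in optionise()."""
    name = re.sub(r".*/", "", key_path, count=1)           # foo/bar/baz.pub -> baz.pub
    return re.sub(r"(@[^.]+)?\.pub$", "", name, count=1)   # baz@home.pub -> baz

# Simplified access-rule matcher (assumption): permission, optional refex, "=", users.
RULE = re.compile(r"\s*(?:-|R|RW\+?C?D?M?)(?:\s+[^=]*?)?\s*=\s*(.+)$")

def conf_users(conf_text):
    """Collect plain user names from access rules; @group tokens are skipped."""
    users = set()
    for line in conf_text.splitlines():
        m = RULE.match(line.split("#", 1)[0])   # drop trailing comments first
        if m:
            users.update(t for t in m.group(1).split() if not t.startswith("@"))
    return users

def unmatched_users(key_paths, conf_text):
    """Conf user names that no key file yields, so their rules can never match."""
    derived = {derive_user(p) for p in key_paths}
    return sorted(conf_users(conf_text) - derived)

# Constructed sample input mirroring the question's setup.
SAMPLE_KEYS = [
    "keydir/alex@workbox.pub",      # "@workbox" has no dot -> user "alex"
    "keydir/alex@homebox.pub",      # second key for the same user "alex"
    "keydir/katy@workbox.pub",      # -> user "katy"
    "keydir/sam@example.com.pub",   # domain contains a dot -> "sam@example.com"
]
SAMPLE_CONF = """
repo project1
    RW+ = alex@workbox katy   # alex@workbox is not a name gitolite will derive
    R   = sam@example.com
"""

if __name__ == "__main__":
    for p in SAMPLE_KEYS:
        print(f"{p} -> {derive_user(p)}")
    print("unmatched conf users:", unmatched_users(SAMPLE_KEYS, SAMPLE_CONF))
```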