Gitolite One User - Many Keys - Different usernames

git authentication ssh gitolite
18,633

Solution 1

The current recommended way according to the documentation

"The simplest and most understandable is to put their keys in different subdirectories [inside your /kedir], (alice.pub, home/alice.pub, laptop/alice.pub, etc)."

reference: https://gitolite.com/gitolite/basic-admin.html#multiple-keys-per-user

The old way

If you are asking how you accomplish the following:

  1. David (home computer)
  2. David (work computer)
  3. David (laptop)

With different ssh keys on each computer you would simply create the key (ie: keygen "[email protected]") and then copy the public key to your gitolite keydir directory (gitolite-admin/keydir). When you do that simply name the key [email protected], [email protected], and [email protected]. Add the keys to the repository (git add keydir/.), commit (git commit -m "added David's additional keys") and git push back to the server.

Gitolite is smart enough to know that even though it is a different key the user name (before the @) is still david and will let that user log in and use the ACL for david

Hope this helps

To fix a scenario where you might have john_home.pub john_work.pub open up your gitolite repo (admin repo) and rename the keys in your kedir to [email protected] and [email protected] commit and push. Now your user john can login from either machine and use the same username.

Keep in mind, in order for this to work, the email address in the SSH Keys needs to be the same for all of the user's keys. So using the example above, in the keys [email protected], [email protected], and [email protected] all should have the email address of [email protected].

Above was the "old way" do to this and may cause a complication if you have named your keys in the "email address way" contrary to what I stated above gitolite DOES NOT inspect your key for the proper email address. Please ignore (I left the original comment in for clarity).

Solution 2

For Gitolite v3 at least Easiest solution is to use the subfolder system documented here http://sitaramc.github.com/gitolite/users.html

Gitolite will search recursively through the keydir and associate all the .pub as one user. I am using the subfolder system now with a windows laptop and linux dev machine and working fine.

The user@host convention seems way too complicated.

I'm doing something like this:

keydir
 |--mfang
 |    |--laptop01
 |    |      |--mfang.pub
 |    |--linux01
 |    |      |--mfang.pub
 |...etc

Solution 3

Since gitolite v3.5.2-10-g437b497 (September 2013, commit 59c817d0), there is an even simpler solution:

ukm, for "user key management".

User key management allows certain users to add and remove keys.

It can introduce a level of delegation, when not just the gitolite admin user can add new ssh public keys, but other users can now do so as well.

It also facilitate adding/removing public ssh keys.

You can see it in action in "contrib/t/ukm.t":

Gitolite documentation includes a section on that topic, but with ukm, it is easier (section "Users that want to manage multiple keys"):

Your gitolite administrator creates your gitolite identity with one of your keys as your initial key. This key can only be managed by the gitolite administrator, not by you. It basically determines under which name you are known to gitolite.

You can add new keys to this identity and remove them at your will.

# The admin can add multiple keys for the same userid.
try "
ADDOK u5 admin u4\@example.org
ADDOK u5 admin u4\@example.org\@home
ADDOK u5 admin laptop/u4\@example.org
ADDOK u5 admin laptop/u4\@example.org\@home
";

Solution 4

I've reorganized my gitolite admin keydir a couple times, and still haven't really decided which is the best way to organize things. If you can stick to some conventions, things will certainly be easier, but that isn't always possible. Luckily gitolite is flexible.

In general I prefer not to use a single, flat directory containing all keys, relying solely on the naming convention "[email protected]" to keep things straight. (This seems to be implied in other answers?) That can become confusing if you have multiple keys on multiple hosts and multiple usernames for a single "real" user (or even the same username for two different users on two different hosts). Using subdirectories helps to organize things -- using a tree of any depth, but typically I just use one level.

The two main options (or even a combination thereof):

  1. one directory per "real" user, with each directory containing multiple keys for that user (e.g., typically one per host).
  2. one directory per (authorized) host, with one (or more) keys per user who will be working on that host. Although the user could copy their private key to another host, that is (in my case) discouraged. In any case, the subdirectories are named after the host where the key was originally generated.

As an example of one subdirectory per user (option #1):

conf
 |--gitolite.conf
keydir
 |--john.doe
 |    |[email protected]
 |    |[email protected]
 |    |[email protected]
 |    |[email protected]
 |    |[email protected]
 |--will.rodgers
 |    |--wrodgers.pub
 |    |[email protected]
 |    |[email protected]
 |    |[email protected]
 |...etc

Note that:

  • the directory names (under keydir) don't matter to gitolite.
  • the directory name should be universally unique, such as an email address or some other global ID. This allows "git" users with potentially the same username on different hosts.
  • a key like "user.pub" or "[email protected]" might be shared by a user across several hosts; doing this may be discouraged based on policy, however.

In general I prefer and do use option #1, sprinkled with a few examples of option #2. Option #2 could possibly simplify intranet automation if you have servers coming and going (perhaps provisioning & recycling VM's) and want to maintain things at a host level rather than at the user-level, so you can (for example) easily clean up obsolete keys on a decommissioned host (e.g., short-term test VM).

The nice thing about gitolite is that the (re-)organization of the keydir directory does not impact users. But you can easily (inadvertently) lock out your users (or yourself) if not careful.

Solution 5

You always connect like this:

git clone gitoliteuser@gitoliteserver:reponame

no matter what user you are. Gitolite identifies you by what public key you are providing. This key is called dave.pub, for example. Anything that is done through an ssh connection with this public key, will be scrutinized by gitolite according where "dave" or "all" is used in the config file.

You are free to set the name and email to be what ever you want on different machines and different repositories. The commits will have that information. But what branch, tree or repositories you can read or write to/from is dictated by how "dave" is restricted in the config file in the admin repo - if you use the same public/private key for ssh.

Hope this helps.

Share:
18,633
Adam
Author by

Adam

Software Engineer and Web Developer. Focused primarily on PHP and JavaScript.

Updated on June 27, 2022

Comments

  • Adam
    Adam almost 2 years

    I have set up gitolite hopefully as per the instructions, and everything is working as planned.

    I am slightly unsure as to how the usernames part works, and looking through the docs hasn't helped me - perhaps I'm missing something simple.

    If I have two client machines, for use by one real person, but on each of those machines the usernames are, let's say dave and david. How can I organise the keys in keydir and any config file so that they both represent the same user? I get the suffix thing, dave@laptop, dave@desktop (I think), just not how to have different client machine usernames connecting, as it seems to look for this when authenticating (perhaps because of the public key containing user@host information?)

    I can give more details if needed - I just didn't want to bombard you all with irrelevant information.

    Thanks very much.

  • Adam
    Adam about 13 years
    So how does it match a public key to a user? Is it by the user@host section in authkeys? It seems like it takes the username I'm connecting with (on the client) and looks for a key with that name?
  • Brian Wigginton
    Brian Wigginton about 13 years
    This is incorrect, gitolite does indeed seem to look at the connecting user's username. See: sitaramc.github.com/gitolite/doc/…
  • Brian Campbell
    Brian Campbell about 13 years
    @Brian When you're using gitolite, you connect as git@hostname; the user seen by the SSH protocol is git, not your local username. Then, as described in the link you provided, the SSH daemon looks through the authorized keys file, finds the line matching your public key, checks to make sure you're authenticating with the correct private key, and then executes the command listed on that line in the authorized keys file, which calls gl-auth-command passing in the associate username for that key; now gl-auth-command knows what user is connecting based on the name passed in.
  • Brian Wigginton
    Brian Wigginton about 13 years
    @Brian, I apologize you're absolutely correct. I was misinterpreting an issue I was having which made me think otherwise. +1
  • Steve HHH
    Steve HHH over 12 years
    While this answer may be factually correct, it does not answer the original question. The OP is asking how to modify the gitolite.conf file to recognise multiple public keys from the same user, rather than how remote connections from multiple users are handled by Gitolite.
  • Steve HHH
    Steve HHH over 12 years
    This is the correct answer, but I found that the solution to be slightly more complex. I have several differently named accounts that I want to match up to a single user. For example, in the keydir folder, I have [email protected] and [email protected]. In my gitolite.conf file, I have a group defined as @steveh = [email protected] [email protected] and below in the repo permissions section I use my @sheveh group name when assigning permissions. For example RW+ = @steveh. For information on gitolite groups, see: progit.org/book/ch4-8.html
  • happy day
    happy day over 12 years
    If you are referring to your login on the box then that doesn't matter, you can generate a ssh keypair with the same email address and then you follow the instructions above without having to muck with your gitolite conf like above.
  • happy day
    happy day about 12 years
    Kirill, not sure how you have your environment setup but, it certainly does work for me as I have a setup that works exactly like this. keydir: [email protected] [email protected] [email protected]
  • happy day
    happy day about 12 years
    It takes whatever is on the left of the .pub file. So you can have [email protected] and his key can be generated with whatever email address you want.
  • Steve Buzonas
    Steve Buzonas almost 12 years
    directory per user is exactly how i wanted to organize, this option doesn't appear to be documented. i only saw the old style that i failed to get to work properly and the directory per host documented
  • michael
    michael almost 12 years
    @steve-buzonas the dir layout is afaik arbitrary; just the key prefix is used as the username (eg, keydir/foo/bar.pub => "foo" is irrelevant and username is "bar".) See ( sitaramc.github.com/gitolite/users.html ): "multiple keys per user: The simplest and most understandable is to put their keys in different subdirectories, (alice.pub, home/alice.pub, laptop/alice.pub, etc)." Also ( sitaramc.github.com/gitolite/g2/add.html ): "You can also organise them into various subdirectories of keydir if you wish, since the entire tree is searched." I just upgraded; both g2 and g3 do this.
  • Steve Buzonas
    Steve Buzonas almost 12 years
    that was my understanding of it, i'm slightly confused with your example showing a different key prefix for the same user.
  • Steve Buzonas
    Steve Buzonas almost 12 years
    @KirillRoskoliy gitolite rejects keys with an @ sign in them using the gitolite command as the git user, but subsequent users configured through the gitolite-admin repository should work exactly as described
  • Steve Buzonas
    Steve Buzonas almost 12 years
    to address multiple davids the alternative could always be to go the full email address as username approach
  • Steve Buzonas
    Steve Buzonas almost 12 years
    i only have a simple understanding of regex, so if someone could please confirm or further explain i can adjust the answer accordingly.
  • michael
    michael almost 12 years
    @steve-buzonas that's the original question, no? => "Gitolite: one user, many keys, different usernames"? The key prefix is the set of usernames for the same user; each "real user" gets one directory (arbitrary but unique) dedicated to their keys. You can just have {[email protected], [email protected],[email protected]}, but nothing prevents John Doe from also being username "john_testuser931@test_vm23.pub", potentially with different permissions than the other "jdoe" usernames (e.g., read-only or limited projects). (If there's one thing that can be said of gitolite, it's extremely flexible.)
  • michael
    michael almost 12 years
    (cont)...it's easy enough to experiment with gitolite users and usernames: the login accounts on server are totally separate from the gitolite users, so there's no sys-admin work required on the server to test this (i.e., no need to create real users on the server.) You just need multiple client accounts to test with (a linux VM would be useful). Just create keys for each user, add them to the keydir directory (anywhere), and push them to the server, and test these users' access to the hosted git repos. Reconfiguring/restructuring takes seconds: move/rename keys, and push again.
  • Steve Buzonas
    Steve Buzonas almost 12 years
    i see, my confusion was i was thinking user in an administrative sense being user means gitolite account. now i see here user is in the sense of the actor in a use case and can have multiple accounts. my initial thought process upon reading assumed you somehow configured all keys within a particular directory to be mapped to a single gitolite account making the directory the username and the pubkey file arbitrary instead of the other way around as it is designed.
  • Jeremy
    Jeremy over 11 years
    "Steve" is correct here, not "Steve HHH", if your ssh keys have the same email address in then gitolite is smart enough to figure it out.
  • happy day
    happy day over 11 years
    Actually, that doesn't matter, you just need to name the .pub files as I have outlined. Which I stated in my comment above that read: So to fix your problem of many users (that are technically the same user). Just go into your gitolite repo and rename the keys "[email protected], [email protected]" instead of having john1, john2. Commit and push your changes back to gitolite. Done. It is simply bad practice to have the same user with multiple usernames and pretty much would make it virtually impossible to tell who exactly mucked something up (in git logs etc).
  • Ben Johnson
    Ben Johnson over 6 years
    It is hugely helpful to see the plaintext tree diagram! I had to read the top-rated answer twice to absorb the same information that you present so elegantly as a tree.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Gitolite - How to create users?
How to tell git which private key to use?
ssh hostname returns “Bad owner or permissions on ~/.ssh/config” (chmod 600 not working with MingW)
git pull: Permission denied (publickey)
Git clone ask for password
GitLab requires git@localhost password to push to a repo
Adding users to Gitolite
BitBucket: Host key verification failed
Specify an SSH key for git push for a given domain
gitolite: can connect via ssh, can't clone