[Dev] Replacing gitosis with git-shell

Nicolás Reynolds fauno at kiwwwi.com.ar
Tue Apr 10 03:58:33 GMT 2012

So I did a test to replace gitosis on the server, to allow push access
to our git repos[0]. The idea was to find a simpler way that doesn't
require the granularity gitosis allows, that IMO hurts our horizontal
approach, but it still had some degree of security...

For this I found git-shell, a tool that comes with the git package and
works as a user shell that only allows the git commands needed to push
into repos.

If you don't want to bother with the technical details skip to the all
caps section of this email.

I created a test user called "git2", with home /srv/git2 and shell
/usr/bin/git-shell. Inside this home I mirrored abslibre.git to work on,
and copied the .ssh from /srv/git (and cleaned up the stuff gitosis uses
to work).

This worked OK, except that you have to pass the full path of the repo to
push, so if you cloned git://gparabola/abslibre.git you'll have to
push into ssh://gparabola/srv/git2/abslibre.git

Now, we needed a method to add new SSH pubkeys in an easy way. Since
git2 uses git-shell I couldn't run `ssh-copy-id` unless I specifically
enabled it, but it still lacked the accountability I was looking for,
that is "X added the new hacker Y", instead of randomly saying on
#parabola "Hey I added Y to the repos" or "fauno, when will you add Y?".

I came up with this:

Manage the SSH pubkeys with another git repo in a way that pushing into
it gives immediate access to those keys to the git server. The history
management would also allow the kind of accountability I already
mentioned by using technical methods embedded on git itself ;)

So I did this:

I created a "hackers" git repo locally and added the authorized_keys
file and a README explaining how to work with the repo.

Under git2, I created "hackers.git" as a bare repo.

Then I cloned hackers.git into .ssh and gave it the permissions ssh

On hackers.git I added a post-update hook that forces a checkout on
.ssh, so anytime someone pushes a key to the server it gets immediately
approved by sshd.


* Simple and secure (!) way to add new hackers.

* Any hacker can give access to new hackers, no need to depend on lazy admins.

* Major implications for technocracy in general, so many I won't mention.


This isn't implemented yet, I'll do this during the week. Feedback is welcome.

[0]: https://projects.parabolagnulinux.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20120410/0f0e70df/attachment.sig>

More information about the Dev mailing list