[Dev] Replacing gitosis with git-shell

Luke T.Shumaker lukeshu at sbcglobal.net
Fri Apr 13 04:41:23 GMT 2012


At Tue, 10 Apr 2012 00:58:33 -0300,
Nicolás Reynolds wrote:
> So I did a test to replace gitosis on the server, to allow push access
> to our git repos[0]. The idea was to find a simpler way that doesn't
> require the granularity gitosis allows, that IMO hurts our horizontal
> approach, but it still had some degree of security...
> 
> For this I found git-shell, a tool that comes with the git package and
> works as a user shell that only allows the git commands needed to push
> into repos.

Of course, the decision is that of the doer, but other solutions I
would consider:
 * git-http-server: a CGI script allowing push over HTTP. Permissions
   are handled by the web server.
   Also: There are clones that may work better with certain setups,
   for example, jgit-http-server for Java, or Grack for Ruby. I'm not
   aware of any that are Python (we're running Python for parabolaweb
   anyway).
 * Girocco (the repo.or.cz software): a set of (mostly Perl) CGI
   scripts.
 * Gitorious: Ruby on Rails, RESTfully designed, meaning it has an API
   we can use to integrate it with other software and script things.

I mention scripting and integration because it will allow us to
automate submodule repository creation, which you are interested in.

It also allows the possibility of integrating with parabolaweb, but I
wouldn't hope for that.

> I created a test user called "git2", with home /srv/git2 and shell
> /usr/bin/git-shell. Inside this home I mirrored abslibre.git to work on,
> and copied the .ssh from /srv/git (and cleaned up the stuff gitosis uses
> to work).
> 
> This worked OK, except that you have to pass the full path of the repo to
> push, so if you cloned git://gparabola/abslibre.git you'll have to
> push into ssh://gparabola/srv/git2/abslibre.git

You can work around this by not giving the address in URL form, but in
SCP form: "git2@gparabola:abslibre.git"

> Now, we needed a method to add new SSH pubkeys in an easy way. Since
> git2 uses git-shell I couldn't run `ssh-copy-id` unless I specifically
> enabled it, but it still lacked the accountability I was looking for,
> that is "X added the new hacker Y", instead of randomly saying on
> #parabola "Hey I added Y to the repos" or "fauno, when will you add Y?".
> 
> I came up with this:
> 
> Manage the SSH pubkeys with another git repo in a way that pushing into
> it gives immediate access to those keys to the git server. The history
> management would also allow the kind of accountability I already
> mentioned by using technical methods embedded on git itself ;)
> 
> So I did this:
> 
> I created a "hackers" git repo locally and added the authorized_keys
> file and a README explaining how to work with the repo.
> 
> Under git2, I created "hackers.git" as a bare repo.
> 
> Then I cloned hackers.git into .ssh and gave it the permissions ssh
> needs.

http://lukeshu.ath.cx/1/img/git.png

> On hackers.git I added a post-update hook that forces a checkout on
> .ssh, so anytime someone pushes a key to the server it gets immediately
> approved by sshd.

Or a cron job if you want to get it working quickly.

~ Luke Shumaker
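
Added example, not part of the original message or the server's actual hook: one way to write the post-update hook for hackers.git discussed above, so that a pushed authorized_keys file is checked before it reaches the .ssh clone that sshd reads. It assumes .ssh is a clone with remote "origin", that keys live on branch "master", and that only the key types listed in the script are accepted.

```shell
#!/bin/sh
# Added example: post-update hook for hackers.git (not the list's actual hook).
# Assumptions: ~/.ssh is a clone of hackers.git with remote "origin", the keys
# live on branch "master", and only the key types listed below are accepted.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
BRANCH="${BRANCH:-master}"

# Succeed only if every non-comment line is "<type> <base64> [comment]"
# and the file holds at least one key.
validate_keys() {
    file=$1
    keys=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*) continue ;; esac
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        if [ $# -eq 0 ]; then continue; fi    # blank line
        case "$1" in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
            *) return 1 ;;                    # options or unknown key type
        esac
        case "${2:-}" in
            ''|*[!A-Za-z0-9+/=]*) return 1 ;; # missing or non-base64 key blob
        esac
        keys=$((keys + 1))
    done < "$file"
    [ "$keys" -gt 0 ]                         # an empty file would lock everyone out
}

deploy_keys() {
    unset GIT_DIR                             # hooks inherit GIT_DIR of the bare repo
    cd "$SSH_DIR" || return 1
    git fetch -q origin "$BRANCH" || return 1
    tmp=$(mktemp) || return 1
    git show FETCH_HEAD:authorized_keys > "$tmp" && validate_keys "$tmp"
    rc=$?
    rm -f "$tmp"
    if [ "$rc" -ne 0 ]; then
        echo "authorized_keys rejected; $SSH_DIR left unchanged" >&2
        return 1
    fi
    git reset -q --hard FETCH_HEAD && chmod 700 . && chmod 600 authorized_keys
}

# Deploy only when installed as hooks/post-update, so the functions can be
# sourced and tested on their own.
case "$0" in
    */post-update) deploy_keys ;;
esac
```

A rejected push still lands in hackers.git history, so the commit that broke the file stays attributable; only the copy sshd reads is held back.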
