I was wondering if it was possible to have an RSA key that works for a specific repository only, or something of that sort. I have users that need to be able to create a git repo and read/write to it, and to manage who can read or write to it themselves. My plan was to use RSA keys (authorized_keys) and a git user, and give the key to the group that needs to connect. Is there a way to specify which folders an RSA key can access?

Ryan Copley

2 Answers

Yes, it is supported. Try adding a config file (without any extension) to ~/.ssh with content like this:

# ~/.ssh/config: pick a different key (and remote user name) per host
Host github.com
    HostName github.com
    User madhead
    IdentityFile ~/.ssh/id_rsa_1
Host bitbucket.org
    HostName bitbucket.org
    User madhead_
    IdentityFile ~/.ssh/id_rsa_2
madhead
  • Would I have to have a linux user for each person? – Ryan Copley Jan 01 '13 at 00:22
  • No, it's just my nicknames for github and bitbucket :) So, when I commit to github, the author looks like this: madhead, and when I commit to bitbucket: madhead_. – madhead Jan 01 '13 at 00:25
  • I think you understood the question wrong. He isn't asking "how do I use a specific key when connecting" but "how can I only allow specific keys to access the bare repositories on my server" – Nils Werner Jan 04 '13 at 13:15
Sounds like a job for Gitosis.

Gitosis allows you to have each and every user use the git@server user and identify themselves by a public key. Inside gitosis you can specify users (and their keys), groups and repositories. Each user and group can be given read or write access to any of the repositories.

This effectively achieves what you're asking for: Certain keys can be given access to certain repositories; all users are authenticating via their pubkeys.

It's noteworthy that gitosis doesn't install a new server or daemon but only makes use of the already accessible SSH server; all access control is done after the user has established the SSH connection. Also, regular shell logins are impossible using this method.

Basically, Gitosis does exactly what GitHub etc. do.

Nils Werner
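The mechanism the answer above describes (every key lands on the git user, the key itself says who you are, and the repository check happens only after SSH authentication) is a forced command in authorized_keys plus a wrapper that validates `SSH_ORIGINAL_COMMAND` against an ACL before exec'ing a git pack service. The script below is an added example to show that mechanism end to end; it is not part of the original page and not gitosis's own code. It assumes an install path of /usr/local/bin/git-acl-shell, bare repositories under /srv/git, and a hypothetical ACL file /etc/git-acl.conf holding one `<user> <repo> <r|rw>` grant per line; a constructed sample ACL is built in so the functions can be exercised without a server.

```shell
#!/bin/sh
# git-acl-shell: forced-command wrapper that lets one SSH key reach only
# the bare repositories an ACL grants it.  Added example, not gitosis's code.
#
# Assumed layout (adjust to taste):
#   script installed as /usr/local/bin/git-acl-shell
#   bare repositories under $REPO_ROOT, e.g. /srv/git/project.git
#   ACL in $ACL_FILE, one "<user> <repo> <r|rw>" grant per line
#
# Each key in ~git/.ssh/authorized_keys is pinned to this script and to the
# user name the admin chose for that key:
#
#   command="/usr/local/bin/git-acl-shell --user alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice@laptop
#
# sshd then runs this script instead of whatever the client asked for and
# leaves the client's request in $SSH_ORIGINAL_COMMAND, e.g.
# "git-upload-pack 'project.git'".  Only a pack service on a granted repo is
# ever exec'd, so an interactive login is impossible.

REPO_ROOT="${REPO_ROOT:-/srv/git}"          # assumed location of bare repos
ACL_FILE="${ACL_FILE:-/etc/git-acl.conf}"   # assumed ACL file (hypothetical)

# Constructed sample ACL, used only when $ACL_FILE does not exist, so the
# functions below can be exercised without a server.
ACL_DEFAULT='alice project.git rw
bob   project.git r
bob   infra.git   rw'

# Print the grants, one per line, with comments and blank lines removed.
read_acl() {
  if [ -r "$ACL_FILE" ]; then
    grep -Ev '^[[:space:]]*(#|$)' "$ACL_FILE" || :
  else
    printf '%s\n' "$ACL_DEFAULT"
  fi
}

# Access level a git service needs: prints r or w, fails for anything else.
service_level() {
  case "$1" in
    git-upload-pack|git-upload-archive) printf 'r' ;;
    git-receive-pack)                   printf 'w' ;;
    *) return 1 ;;
  esac
}

# Split a request into "service repo", rejecting everything that is not
# "<pack-service> '<name>.git'" with a name that cannot leave $REPO_ROOT.
parse_request() {
  req=$1
  case "$req" in
    'git-upload-pack '*|'git-receive-pack '*|'git-upload-archive '*) ;;
    *) return 1 ;;
  esac
  service=${req%% *}
  repo=${req#* }
  repo=${repo#\'}; repo=${repo%\'}   # git sends the path single-quoted
  repo=${repo#/}                     # ssh://host/project.git adds a slash
  # One path component, safe charset, ends in .git; no "/" and no "..".
  printf '%s' "$repo" \
    | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9_-]+)*\.git$' || return 1
  printf '%s %s' "$service" "$repo"
}

# check_access USER SERVICE REPO: 0 if the ACL grants USER what SERVICE
# needs on REPO, 1 otherwise.  A read-only grant does not allow a push.
check_access() {
  need=$(service_level "$2") || return 1
  grant=$(read_acl | awk -v u="$1" -v r="$3" '$1==u && $2==r {print $3; exit}')
  case "$need:$grant" in
    r:r|r:rw|w:rw) return 0 ;;
    *)             return 1 ;;
  esac
}

# authorize USER REQUEST: prints "<service> <absolute repo path>" to exec,
# or fails.  Everything the client typed has been validated by now.
authorize() {
  parsed=$(parse_request "$2") || return 1
  check_access "$1" "${parsed%% *}" "${parsed#* }" || return 1
  printf '%s %s/%s' "${parsed%% *}" "$REPO_ROOT" "${parsed#* }"
}

# Entry point when sshd runs us from authorized_keys.  An empty
# SSH_ORIGINAL_COMMAND (plain "ssh git@server") is denied like any other.
if [ "${1:-}" = "--user" ] && [ "$#" -eq 2 ]; then
  cmd=$(authorize "$2" "${SSH_ORIGINAL_COMMAND:-}") || {
    printf 'access denied for %s: %s\n' "$2" \
      "${SSH_ORIGINAL_COMMAND:-<interactive login>}" >&2
    exit 1
  }
  exec "${cmd%% *}" "${cmd#* }"
fi
```

The `no-pty`, `no-port-forwarding`, `no-X11-forwarding` and `no-agent-forwarding` options on the authorized_keys line matter as much as the `command=`: without them a key that can clone could still open tunnels through the server. With the sample ACL, alice can push and pull project.git, bob can only pull it but can push infra.git, and any other key, or a request that is not a pack service on a single `.git` name, is refused before git ever runs. Gitosis does the same thing with its own gitosis-serve wrapper and a config repository instead of a flat ACL file.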