Gitolite One User - Many Keys - Different usernames

Question

I have set up gitolite hopefully as per the instructions, and everything is working as planned.

I am slightly unsure as to how the usernames part works, and looking through the docs hasn't helped me - perhaps I'm missing something simple.

If I have two client machines, for use by one real person, but on each of those machines the usernames are, let's say dave and david. How can I organise the keys in keydir and any config file so that they both represent the same user? I get the suffix thing, dave@laptop, dave@desktop (I think), just not how to have different client machine usernames connecting, as it seems to look for this when authenticating (perhaps because of the public key containing user@host information?)

I can give more details if needed - I just didn't want to bombard you all with irrelevant information.

Thanks very much.

Answer 1

The current recommended way according to the documentation

"The simplest and most understandable is to put their keys in different subdirectories [inside your /kedir], (alice.pub, home/alice.pub, laptop/alice.pub, etc)."

reference: https://gitolite.com/gitolite/basic-admin.html#multiple-keys-per-user

The old way

If you are asking how you accomplish the following:

1. David (home computer)
2. David (work computer)
3. David (laptop)

With different ssh keys on each computer you would simply create the key (ie: keygen "david@someemail.com") and then copy the public key to your gitolite keydir directory (gitolite-admin/keydir). When you do that simply name the key david@homecomputer.pub, david@workcomputer.pub, and david@laptop.pub. Add the keys to the repository (git add keydir/.), commit (git commit -m "added David's additional keys") and git push back to the server.

Gitolite is smart enough to know that even though it is a different key the user name (before the @) is still david and will let that user log in and use the ACL for david

Hope this helps

To fix a scenario where you might have john_home.pub john_work.pub open up your gitolite repo (admin repo) and rename the keys in your kedir to john@work.pub and john@home.pub commit and push. Now your user john can login from either machine and use the same username.

Keep in mind, in order for this to work, the email address in the SSH Keys needs to be the same for all of the user's keys. So using the example above, in the keys david@homecomputer.pub, david@workcomputer.pub, and david@laptop.pub all should have the email address of david@foobar.com.

Above was the "old way" do to this and may cause a complication if you have named your keys in the "email address way" contrary to what I stated above gitolite DOES NOT inspect your key for the proper email address. Please ignore (I left the original comment in for clarity).

Answer 2

For Gitolite v3 at least Easiest solution is to use the subfolder system documented here http://sitaramc.github.com/gitolite/users.html

Gitolite will search recursively through the keydir and associate all the .pub as one user. I am using the subfolder system now with a windows laptop and linux dev machine and working fine.

The user@host convention seems way too complicated.

I'm doing something like this:

keydir
 |--mfang
 |    |--laptop01
 |    |      |--mfang.pub
 |    |--linux01
 |    |      |--mfang.pub
 |...etc

Answer 3

Since gitolite v3.5.2-10-g437b497 (September 2013, commit 59c817d0), there is an even simpler solution:

ukm, for "user key management".

User key management allows certain users to add and remove keys.

It can introduce a level of delegation, when not just the gitolite admin user can add new ssh public keys, but other users can now do so as well.

It also facilitate adding/removing public ssh keys.

You can see it in action in "contrib/t/ukm.t":

Gitolite documentation includes a section on that topic, but with ukm, it is easier (section "Users that want to manage multiple keys"):

Your gitolite administrator creates your gitolite identity with one of your keys as your initial key. This key can only be managed by the gitolite administrator, not by you. It basically determines under which name you are known to gitolite.

You can add new keys to this identity and remove them at your will.

# The admin can add multiple keys for the same userid.
try "
ADDOK u5 admin u4\@example.org
ADDOK u5 admin u4\@example.org\@home
ADDOK u5 admin laptop/u4\@example.org
ADDOK u5 admin laptop/u4\@example.org\@home
";

Answer 4

I've reorganized my gitolite admin keydir a couple times, and still haven't really decided which is the best way to organize things. If you can stick to some conventions, things will certainly be easier, but that isn't always possible. Luckily gitolite is flexible.

In general I prefer not to use a single, flat directory containing all keys, relying solely on the naming convention "user@host.pub" to keep things straight. (This seems to be implied in other answers?) That can become confusing if you have multiple keys on multiple hosts and multiple usernames for a single "real" user (or even the same username for two different users on two different hosts). Using subdirectories helps to organize things -- using a tree of any depth, but typically I just use one level.

The two main options (or even a combination thereof):

1. one directory per "real" user, with each directory containing multiple keys for that user (e.g., typically one per host).
2. one directory per (authorized) host, with one (or more) keys per user who will be working on that host. Although the user could copy their private key to another host, that is (in my case) discouraged. In any case, the subdirectories are named after the host where the key was originally generated.

As an example of one subdirectory per user (option #1):

conf
 |--gitolite.conf
keydir
 |--john.doe
 |    |--john@host1.pub
 |    |--john@host2.pub
 |    |--jdoe@host2.pub
 |    |--john.doe@company.com.pub
 |    |--tester@temp-vm43.pub
 |--will.rodgers
 |    |--wrodgers.pub
 |    |--wrodg1234@host2.pub
 |    |--will.rodgers@company.com.pub
 |    |--tester@temp-vm22.pub
 |...etc

Note that:

• the directory names (under keydir) don't matter to gitolite.
• the directory name should be universally unique, such as an email address or some other global ID. This allows "git" users with potentially the same username on different hosts.
• a key like "user.pub" or "user@email.com.pub" might be shared by a user across several hosts; doing this may be discouraged based on policy, however.

In general I prefer and do use option #1, sprinkled with a few examples of option #2. Option #2 could possibly simplify intranet automation if you have servers coming and going (perhaps provisioning & recycling VM's) and want to maintain things at a host level rather than at the user-level, so you can (for example) easily clean up obsolete keys on a decommissioned host (e.g., short-term test VM).

The nice thing about gitolite is that the (re-)organization of the keydir directory does not impact users. But you can easily (inadvertently) lock out your users (or yourself) if not careful.

Answer 5

You always connect like this:

git clone gitoliteuser@gitoliteserver:reponame

no matter what user you are. Gitolite identifies you by what public key you are providing. This key is called dave.pub, for example. Anything that is done through an ssh connection with this public key, will be scrutinized by gitolite according where "dave" or "all" is used in the config file.

You are free to set the name and email to be what ever you want on different machines and different repositories. The commits will have that information. But what branch, tree or repositories you can read or write to/from is dictated by how "dave" is restricted in the config file in the admin repo - if you use the same public/private key for ssh.

Hope this helps.

Answer 6

There's a subtle point everyone seems to be missing here, or at least not answering clearly.

The OP asked how to handle the same PERSON using two different USERNAMES and two different (associated) pub-keys on two different PLATFORMS.

Eg. dave@platform_a.pub, and david@platform_b.pub both represent the same real git user.

It'd be easy enough to add both dave & david as users on the "@known" (known users) line in the gitolite.conf file, and put both keys in the keydir, but then there's no way to tell whether that's two separate users, or the same person.

Eg. "git blame" would treat dave and david as two separate users.

Beyond the OP's post, a further complication is what happens if there ARE several Davids working on the same project?

I guess the Davids concerned would have to work out a system (or be content to blame each other ;-).

Answer 7

You install gitolite under one user on the server; usually git, and in your SSH connection string, you always explicitly use git@servername to connect to the Git user account. Gitolite will then look at what public key you are offering, find that in your configuration, and treat you as though you are the associated user.

Answer 8

Gitolite does authentication with ssh forced commands. Every user that has access to a gitolite repository logs in at the use that gitolite is installed under. The hooks take new keys in the keydir and add them to it's authorized keys file configured to use forced commands.

The users are forced to use gitolite shell with a paramater, and that parameter is the username. The following piece of the relevant hook takes the filepath and assigns it to user, it then strips all directories and files with a / in the name. what is left of that will become the username as long as it ends in .pub and it will disregard a single @ sign preceding the .pub suffix as long as there is at least one additional character.

my $user = $f;
$user =~ s(.*/)();                # foo/bar/baz.pub -> baz.pub
$user =~ s/(\@[^.]+)?\.pub$//;    # baz.pub, baz@home.pub -> baz

This provides functionality as such:

keydir
  |--host1
       |--dave.pub
       |--david.pub
  |--host2
       |--dave.pub

The directories are arbitrary, but for organizational purposes the hosts are used to give structure. You end up with two dave users and one david user.

I use a configuration more like this:

keydir
  |--steve
       |--steve@example.com@laptop.pub
       |--steve@example.com@desktop.pub
  |--services
       |--jenkins
            |--jenkins@master-buildhost.pub
            |--jenkins@slave-buildhost.pub
       |--redmine
            |--redmine@dev-server.pub
       |--jira
            |--jira@dev-alias.pub

Again, the directory structure does not matter. This gives me the users steve@example.com, jenkins, redmine, and jira. The steve@example.com user has two keys as well as the jenkins user. If I had more than a single user I would probably have a users subdirectory containing the steve key directory.