From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Shawn O. Pearce"
Subject: Re: Few Questions
Date: Tue, 20 Jan 2009 08:04:10 -0800
Message-ID: <20090120160410.GI14053@spearce.org>
References: <726600.29783.qm@web35708.mail.mud.yahoo.com>
Cc: m.arya@yahoo.com, git@vger.kernel.org
To: Jakub Narebski
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)

Jakub Narebski wrote:
> "Arya, Manish Kumar" writes:
> >
> > I want to have following with Git
> >
> > - LDAP and ssh authentication.
> >
>
> Instead of inventing (and failing) its own protocol and its own
> authentication git uses established solutions for authentication: SSH
> for "smart" server, and WebDAV for push via (currently only "dumb")
> HTTPS protocol.
>
> There exist solutions that help with setting up SSH for git:
> git-shell, ssh_acl, and I think most commonly used Gitosis (see
> seminal reference about Gitosis on http://git.or.cz/gitwiki/BlogPosts).

Yup.
Gitosis is very popular for this. At my last job I rolled my own Gitosis-lite, but in Perl, because they are a Perl based shop. It also uses the update-paranoid hook for access controls, as it's more flexible (and easier to confuse the heck out of yourself) than Gitosis.

But if you can get along with Gitosis, it's a good choice. Unfortunately its authentication is limited to public keys registered in the authorized keys file of the "git" user.

Gerrit2 is also likely to enter this "market" soon. I'm trying to get it production ready and live for one major project before the end of this month. It embeds its own SSH daemon on a non-standard port, completely disconnected from the OS authentication. This may make it slightly more palatable in some environments than Gitosis, as you don't need a huge authorized_keys file, and you don't have to worry quite so much about attack vectors. Unlike with Gitosis, public key management is placed on end-users by using web authentication to identify the user, and letting the user manage their own "authorized key list".

It also has a full blown web based code review system built in, which right now a project must use if it is hosted by Gerrit2. :-)

-- 
Shawn.