* How does gitosis know who the key belongs to
@ 2009-09-24 14:51 Howard Miller
  2009-09-24 17:26 ` Heiko Voigt
  2009-09-25 12:01 ` Sitaram Chamarty
  0 siblings, 2 replies; 10+ messages in thread
From: Howard Miller @ 2009-09-24 14:51 UTC (permalink / raw)
  To: git

Hi,

This is probably another one of my stupid questions.

Gitosis obviously uses keypairs but the config file addresses the user
by name/host. How does gitosis connect the two together? Is it any
more complicated than the user detail at the end of the public key?

The second part of my question then is is it possible to use the same
private key on more than one host?

Cheers,

Howard


* Re: How does gitosis know who the key belongs to
  2009-09-24 14:51 How does gitosis know who the key belongs to Howard Miller
@ 2009-09-24 17:26 ` Heiko Voigt
  2009-09-24 19:26   ` Matthieu Moy
  2009-09-25 12:01 ` Sitaram Chamarty
  1 sibling, 1 reply; 10+ messages in thread
From: Heiko Voigt @ 2009-09-24 17:26 UTC (permalink / raw)
  To: Howard Miller; +Cc: git

On Thu, Sep 24, 2009 at 03:51:44PM +0100, Howard Miller wrote:
> Gitosis obviously uses keypairs but the config file addresses the user
> by name/host. How does gitosis connect the two together? Is it any
> more complicated than the user detail at the end of the public key?

Not much different. It uses the command feature of the authorized_keys
file of ssh to limit access to the 'gitosis-serve' command which is
given the username from the gitosis.conf as argument. gitosis-serve
then takes care of the access control.

> The second part of my question then is is it possible to use the same
> private key on more than one host?

Yes definitely. It identifies the user not the host. Although you can
use different keys if you want.

cheers Heiko


* Re: How does gitosis know who the key belongs to
  2009-09-24 17:26 ` Heiko Voigt
@ 2009-09-24 19:26   ` Matthieu Moy
  2009-09-25  6:10     ` Howard Miller
  0 siblings, 1 reply; 10+ messages in thread
From: Matthieu Moy @ 2009-09-24 19:26 UTC (permalink / raw)
  To: Heiko Voigt; +Cc: Howard Miller, git

Heiko Voigt <hvoigt@hvoigt.net> writes:

> On Thu, Sep 24, 2009 at 03:51:44PM +0100, Howard Miller wrote:
>> Gitosis obviously uses keypairs but the config file addresses the user
>> by name/host. How does gitosis connect the two together? Is it any
>> more complicated than the user detail at the end of the public key?

The user@host at the end of the public key is mostly a comment. No
serious software would use it for authentication, since you can freely
edit it without changing the rest of the key.

> Not much different. It uses the command feature of the authorized_keys
> file of ssh to limit access to the 'gitosis-serve' command which is
> given the username from the gitosis.conf as argument.

... the username -> key association being done in gitosis's
configuration itself (the key held in keydir/foobar is the one of user
foobar).

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/


* Re: How does gitosis know who the key belongs to
  2009-09-24 19:26   ` Matthieu Moy
@ 2009-09-25  6:10     ` Howard Miller
  2009-09-25  6:15       ` Howard Miller
  2009-09-25  6:33       ` Heiko Voigt
  0 siblings, 2 replies; 10+ messages in thread
From: Howard Miller @ 2009-09-25  6:10 UTC (permalink / raw)
  To: Matthieu Moy; +Cc: Heiko Voigt, git

Hi,

I don't really understand the answers I have been given. Trying
desperately not to "top post" see below...

2009/9/24 Matthieu Moy <Matthieu.Moy@grenoble-inp.fr>:
> Heiko Voigt <hvoigt@hvoigt.net> writes:
>
>> On Thu, Sep 24, 2009 at 03:51:44PM +0100, Howard Miller wrote:
>>> Gitosis obviously uses keypairs but the config file addresses the user
>>> by name/host. How does gitosis connect the two together? Is it any
>>> more complicated than the user detail at the end of the public key?
>
> The user@host at the end of the public key is mostly a comment. No
> serious software would use it for authentication, since you can freely
> edit it without changing the rest of the key.
>
>> Not much different. It uses the command feature of the authorized_keys
>> file of ssh to limit access to the 'gitosis-serve' command which is
>> given the username from the gitosis.conf as argument.
>
> ... the username -> key association being done in gitosis's
> configuration itself (the key held in keydir/foobar is the one of user
> foobar).


Yes, I realise that the association is done in gitosis' config file,
but that is exactly my question - how does that association work?

To take a step back - I have to put a name (or a name@hostname) in the
configuration file. How do I know what that should be in the general
sense? When I create a key it doesn't ask me for the username I want
so I see a disconnect here. Do I put a name, do I put name@hostname,
does it matter and (again) how does it know which is 'my' public key?
Is it the naming convention of the key or something magic? Plus, when
I actually use gitosis, I am logging as the user 'git' so how does it
know who I am? I am thoroughly confused by the whole thing. I'm
probably missing something really obvious but, AFAIK, this is not
covered at all in the docs.

Thanks!

Howard


* Re: How does gitosis know who the key belongs to
  2009-09-25  6:10     ` Howard Miller
@ 2009-09-25  6:15       ` Howard Miller
  2009-09-25  8:20         ` Matthieu Moy
  2009-09-25  6:33       ` Heiko Voigt
  1 sibling, 1 reply; 10+ messages in thread
From: Howard Miller @ 2009-09-25  6:15 UTC (permalink / raw)
  To: Matthieu Moy; +Cc: Heiko Voigt, git

2009/9/25 Howard Miller <howard@e-learndesign.co.uk>:
> Hi,
>
> I don't really understand the answers I have been given. Trying
> desperately not to "top post" see below...
>
> 2009/9/24 Matthieu Moy <Matthieu.Moy@grenoble-inp.fr>:
>> Heiko Voigt <hvoigt@hvoigt.net> writes:
>>
>>> On Thu, Sep 24, 2009 at 03:51:44PM +0100, Howard Miller wrote:
>>>> Gitosis obviously uses keypairs but the config file addresses the user
>>>> by name/host. How does gitosis connect the two together? Is it any
>>>> more complicated than the user detail at the end of the public key?
>>
>> The user@host at the end of the public key is mostly a comment. No
>> serious software would use it for authentication, since you can freely
>> edit it without changing the rest of the key.
>>
>>> Not much different. It uses the command feature of the authorized_keys
>>> file of ssh to limit access to the 'gitosis-serve' command which is
>>> given the username from the gitosis.conf as argument.
>>
>> ... the username -> key association being done in gitosis's
>> configuration itself (the key held in keydir/foobar is the one of user
>> foobar).
>
>
> Yes, I realise that the association is done in gitosis' config file,
> but that is exactly my question - how does that association work?
>
> To take a step back - I have to put a name (or a name@hostname) in the
> configuration file. How do I know what that should be in the general
> sense? When I create a key it doesn't ask me for the username I want
> so I see a disconnect here. Do I put a name, do I put name@hostname,
> does it matter and (again) how does it know which is 'my' public key?
> Is it the naming convention of the key or something magic? Plus, when
> I actually use gitosis, I am logging as the user 'git' so how does it
> know who I am? I am thoroughly confused by the whole thing. I'm
> probably missing something really obvious but, AFAIK, this is not
> covered at all in the docs.
>
> Thanks!
>
> Howard
>


Ahh... just read Heiko's post properly and actually looked at the
authorized_keys file. This is now starting to make some sense. So the
name in config has to match that sent to gitosis-server presumably. I
still don't quite see the cause and effect. If I don't like being
howard@x.y.z and would rather be just 'howard' what can I change? It
tells me not to edit that file!


* Re: Re: How does gitosis know who the key belongs to
  2009-09-25  6:10     ` Howard Miller
  2009-09-25  6:15       ` Howard Miller
@ 2009-09-25  6:33       ` Heiko Voigt
  1 sibling, 0 replies; 10+ messages in thread
From: Heiko Voigt @ 2009-09-25  6:33 UTC (permalink / raw)
  To: Howard Miller; +Cc: Matthieu Moy, git

On Fri, Sep 25, 2009 at 07:10:07AM +0100, Howard Miller wrote:
> 2009/9/24 Matthieu Moy <Matthieu.Moy@grenoble-inp.fr>:
> > Heiko Voigt <hvoigt@hvoigt.net> writes:
> >
> >> On Thu, Sep 24, 2009 at 03:51:44PM +0100, Howard Miller wrote:
> >> Not much different. It uses the command feature of the authorized_keys
> >> file of ssh to limit access to the 'gitosis-serve' command which is
> >> given the username from the gitosis.conf as argument.
> >
> > ... the username -> key association being done in gitosis's
> > configuration itself (the key held in keydir/foobar is the one of user
> > foobar).
> 
> 
> Yes, I realise that the association is done in gitosis' config file,
> but that is exactly my question - how does that association work?
> 
> To take a step back - I have to put a name (or a name@hostname) in the
> configuration file. How do I know what that should be in the general
> sense?

Anything you like. The username is deduced from the filename in the
keydir file as Matthieu already pointed out. e.g:

  keydir/hvoigt.pub	<--- file contains my public key
  
  gitosis.conf contents:
  
  [group hvoigt-projects]
  members = hvoigt
  writable = myproject
  
That would give access to git@yourserver:myproject.git to the key in
hvoigt.pub. Technically it's done using an update hook on the server which
is run when you push the configuration repository. It scans the config
and installs the keys in the authorized_keys file of the git user. The
above would look something like this in the git user's home dir:

  .ssh/authorized_keys:
  
  command="gitosis-serve hvoigt",no-port-forwarding,no-X11-forwarding,\
    no-agent-forwarding,no-pty ssh-dss AAAA... hvoigt@localhost

Because ssh can match the key you are using to one of these lines, the
gitosis-serve command is given the corresponding username.

Does this make it a little bit clearer ?

cheers Heiko

^ permalink raw reply	[flat|nested] 10+ messages in thread
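
An added sketch (not gitosis's own code and not part of any message in this thread) of the mechanism Heiko describes: the name in `command="gitosis-serve <name>"` comes from the keydir file name, never from the key's trailing comment, and the resulting authorized_keys file can be audited for lines that escape that binding. The key material, the `howard-laptop` name and the audit rules are constructed for illustration.

```python
import re

# Options from the authorized_keys excerpt in the message above.
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")
ENTRY = re.compile(r'^command="gitosis-serve (?P<user>[^"\s]+)"'
                   r'(?P<opts>(?:,[A-Za-z0-9-]+)*) ssh-\S+ (?P<blob>\S+)')

# Constructed sample keydir: file name stem -> contents of <stem>.pub.
KEYDIR = {
    "hvoigt": "ssh-dss AAAAB3NzaC1kc3MAAACBconstructed1 hvoigt@localhost",
    "howard": "ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed2 someone-else@host1",
}

def render_entry(user, pubkey_line):
    """Build the authorized_keys line for keydir/<user>.pub."""
    # The name lands inside a quoted option, so refuse quotes and whitespace.
    if not re.fullmatch(r"[A-Za-z0-9@._-]+", user):
        raise ValueError("unsafe user name: %r" % user)
    opts = ",".join(('command="gitosis-serve %s"' % user,) + RESTRICTIONS)
    # The key's own comment is copied through but never consulted.
    return opts + " " + " ".join(pubkey_line.split(None, 2))

def audit(lines):
    """Map line number -> problem for entries that sidestep the name binding."""
    findings, owner = {}, {}
    for n, line in enumerate(lines, 1):
        m = ENTRY.match(line.strip())
        if not m:
            findings[n] = "no forced gitosis-serve command"
            continue
        missing = set(RESTRICTIONS) - set(m["opts"].split(","))
        if missing:
            findings[n] = "missing " + ",".join(sorted(missing))
        # sshd uses the first line whose key matches, so a repeat is dead.
        elif owner.setdefault(m["blob"], m["user"]) != m["user"]:
            findings[n] = "key already mapped to " + owner[m["blob"]]
    return findings

def demo():
    lines = [render_entry(u, k) for u, k in sorted(KEYDIR.items())]
    # Constructed problem lines: a plain shell key and a reused key.
    lines.append("ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed3 admin@laptop")
    lines.append(render_entry("howard-laptop", KEYDIR["howard"]))
    return lines, audit(lines)

if __name__ == "__main__":
    for n, problem in sorted(demo()[1].items()):
        print(n, problem)
```

The `howard` entry keeps its `someone-else@host1` comment yet is served as `howard`, and the same key filed under a second name is flagged because only its first line can ever match.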

* Re: How does gitosis know who the key belongs to
  2009-09-25  6:15       ` Howard Miller
@ 2009-09-25  8:20         ` Matthieu Moy
  2009-09-25  8:31           ` Howard Miller
  0 siblings, 1 reply; 10+ messages in thread
From: Matthieu Moy @ 2009-09-25  8:20 UTC (permalink / raw)
  To: Howard Miller; +Cc: Heiko Voigt, git

Howard Miller <howard@e-learndesign.co.uk> writes:

> Ahh... just read Heiko's post properly and actually looked at the
> authorized_keys file. This is now starting to make some sense. So the
> name in config has to match that sent to gitosis-server presumably. I
> still don't quite see the cause and effect. If I don't like being
> howard@x.y.z and would rather be just 'howard' what can I change? It
> tells me not to edit that file!

If you're confused with "name", then just think about "filename
holding the key".

If you want to name yourself "howard", then put your key in
keydir/howard and then use "howard" in the config file. gitosis will
add the relevant

command="gitosis-serve howard" ssh-whatever <your-key-here> <irrelevant-comment>

to the ~git/.ssh/authorized_keys file.

You choose your "name" by choosing the filename, then you use this name
in the config file, and then gitosis does the job.

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/


* Re: How does gitosis know who the key belongs to
  2009-09-25  8:20         ` Matthieu Moy
@ 2009-09-25  8:31           ` Howard Miller
  0 siblings, 0 replies; 10+ messages in thread
From: Howard Miller @ 2009-09-25  8:31 UTC (permalink / raw)
  To: Matthieu Moy; +Cc: Heiko Voigt, git

>
> If you're confused with "name", then just think about "filename
> holding the key".
>
> If you want to name yourself "howard", then put your key in
> keydir/howard and then use "howard" in the config file. gitosis will
> add the relevant
>
> command="gitosis-serve howard" ssh-whatever <your-key-here> <irrelevant-comment>
>
> to the ~git/.ssh/authorized_keys file.
>
> You choose your "name" by choosing the filename, then you use this name
> in the config file, and then gitosis does the job.

Ok... so is it completely ignoring the @host bit then? None of my
public key files are called howard@host1.pub (for example).

Just so you don't think I'm completely crazy, I actually use three
different machines for development and (of course) I'm 'howard' on all
of them. I was trying to get my head around the best way to set it up.
I wasn't clear if I could simply recycle the same public key or if I
needed to be three different users in gitosis.

Cheers.... Howard


* Re: How does gitosis know who the key belongs to
  2009-09-24 14:51 How does gitosis know who the key belongs to Howard Miller
  2009-09-24 17:26 ` Heiko Voigt
@ 2009-09-25 12:01 ` Sitaram Chamarty
  1 sibling, 0 replies; 10+ messages in thread
From: Sitaram Chamarty @ 2009-09-25 12:01 UTC (permalink / raw)
  To: Howard Miller; +Cc: git

On Thu, Sep 24, 2009 at 8:21 PM, Howard Miller
<howard@e-learndesign.co.uk> wrote:
> Hi,
>
> This is probably another one of my stupid questions.
>
> Gitosis obviously uses keypairs but the config file addresses the user
> by name/host. How does gitosis connect the two together? Is it any
> more complicated than the user detail at the end of the public key?
>
> The second part of my question then is is it possible to use the same
> private key on more than one host?

Everything you ever wanted to know about how gitosis and ssh work
together: http://sitaramc.github.com/0-installing/9-gitosis-server-install.html

Very verbose.  (I've even been told it is too verbose but I chose to
ignore him ;-)

-- 
Sitaram
