How to configure remote shared access to a git repository on Ubuntu using SSH keys
Requirements: I need to share a git repository on a publicly facing server with our development team, who are geographically dispersed. The team should not have full root SSH access to the server, and the repository should be private (not publicly accessible).
We would like to use SSH keys for authentication so that developers do not have to type their password each time they issue a git command that interacts with the server.
These instructions assume Ubuntu Linux 10.04 and a Mac OS X client. They are nearly identical if your local workstation is some flavour of Linux. If you want instructions on how to generate an SSH key on Windows, follow the instructions from github.com, which are listed at the bottom of this post.
Begin on the server in question that we’ll call repository.yourtestserver.com:
#create a group for a repository
create group in webmin (gittestuser)
#create a user for the repository and add it to the group.
#Make sure and create a home directory for that user.
create user in webmin (gittestuser)
#give the group rights to the repository – in our example: gittest
chgrp -R gittestuser /srv/repos/git/gittest
chmod -R g+swX /srv/repos/git/gittest
Then issue these commands:
su gittestuser # switch to the git user
cd ~ # change to gittestuser's home directory
mkdir .ssh # make the .ssh dir
touch .ssh/authorized_keys # create an empty authorized_keys file
On the Mac OS X client:
#generate your local SSH public key
cd ~/.ssh
ssh-keygen -t rsa -C "david@symetrikdesign-test.com"
# stores it in ~/.ssh/
cd ~/.ssh
#copy the public key to the .ssh/authorized_keys file for the gittestuser user using
#a handy utility called ssh-copy-id
NOTE: You will need to download a copy of the ssh-copy-id script, which is not part of Mac OS X for some reason.
#install and set permissions for ssh-copy-id on your local Mac OS X machine
#the script is fetched over plain HTTP and installed as root, so read it before you run it
$ sudo curl "http://phildawson.co.uk/ssh-copy-id" -o /usr/bin/ssh-copy-id
$ sudo chmod +x /usr/bin/ssh-copy-id
#once you’ve downloaded the ssh-copy-id script, you want to use it to copy your rsa id to the ~/.ssh/authorized_keys file on the server using the following command.
$ /usr/bin/ssh-copy-id gittestuser@repository.yourtestserver.com
#SSH into the server as root and verify that the authorized_keys file has been updated
$ ssh root@repository.gittestserver.com
$ less /home/gittestuser/.ssh/authorized_keys
#test ssh access using the gittestuser account and that it is using the SSH key, not requiring a password
$ ssh gittestuser@repository.gittestserver.com
#Once normal SSH access works, change the shell for gittestuser to /usr/lib/git-core/git-shell
#so that the only type of access the user has to the server is git.
#First, find out where the git-shell is located:
$ which git-shell
which results in "/usr/lib/git-core/git-shell"
#edit the passwd file for gittestuser (make sure you are logged in as root; if not, use sudo)
$ sudo nano /etc/passwd
#change the gittestuser shell from /bin/sh to /usr/lib/git-core/git-shell. The line should look like:
gittestuser:x:1000:100::/home/gittestuser:/usr/lib/git-core/git-shell
I’ve also found that you can change the shell to /usr/lib/git-core/git-shell by editing the user through the webmin interface, which is obviously a lot easier.
#Now you can try accessing the server with the shell changed and you should be disconnected.
#The following lines are what you should see when trying to connect via regular shell.
fatal: What do you think I am? A shell?
Connection to repository.gittestserver.com closed.
The reason you change the shell is so that your developers can only issue git commands on the server over SSH; they don’t get any real SSH access to the server.
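git-shell limits which commands gittestuser can run, but whether a key may also request port, X11 or agent forwarding is decided by options in authorized_keys. The script below is an added example, not part of the original post: it checks the shell field of a passwd-format file and prefixes a public key with those restrictions. The function names and all sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a git-only SSH account. All sample data is constructed.

# Key options that switch off what git over SSH does not need. Newer OpenSSH
# also accepts the single option "restrict"; this list works on older releases too.
KEY_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Print the login shell (7th field) of user $1 from passwd-format file $2.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Succeed only if that login shell is git-shell.
is_git_only() {
    case "$(login_shell_of "$1" "$2")" in
        */git-shell) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn a bare public key line ($1) into a restricted authorized_keys entry.
# Fails on input that does not start with a known key type.
restrict_key() {
    case "$1" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *)
            printf '%s %s\n' "$KEY_OPTS" "$1" ;;
        *) return 1 ;;
    esac
}

# Print how many entries in authorized_keys file $1 still allow port
# forwarding. Assumes the options field contains no spaces.
count_unrestricted() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         ("," $1 ",") !~ /,(restrict|no-port-forwarding),/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on constructed data (not a real account or key).
demo=$(mktemp -d)
echo 'gittestuser:x:1000:100::/home/gittestuser:/usr/lib/git-core/git-shell' > "$demo/passwd"
restrict_key 'ssh-rsa AAAA_CONSTRUCTED_KEY dev@example.com' > "$demo/authorized_keys"
is_git_only gittestuser "$demo/passwd" && echo "gittestuser: login shell is git-shell"
echo "entries still allowing forwarding: $(count_unrestricted "$demo/authorized_keys")"
rm -rf "$demo"
```

On the server, point count_unrestricted at /home/gittestuser/.ssh/authorized_keys after each developer key is added.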
#now try to clone the repository from the local Mac OS X machine.
git clone gittestuser@repository.gittestserver.com:/srv/repos/git/gittest/.git
Instructions for Windows that may be helpful to you:
For Windows, the best way to generate an SSH key is to install Win/msysgit; the instructions for Win/msysgit can be found at github.com
The instructions for generating the key are very similar to Linux, but can be found here.