gitolite/doc/monkeysphere.mkd

## (contributed doc: integrating gitolite with monkeysphere)

This document attempts to describe one way to integrate
[Monkeysphere](http://web.monkeysphere.info/) authentication
with [gitolite](http://github.com/sitaramc/gitolite).

We presuppose that you have a system with a new enough
version of Monkeysphere to support ssh `authorized_keys`
options, and that you are not making use of
monkeysphere-authentication on this system.

As a first step, import the key or keys you wish to
act as Monkeysphere certifiers into the GnuPG public
keyring of the gitolite user (for example,
`gpg --keyserver pool.sks-keyservers.net --recv-keys B0AE9A02`)
Then edit such keys (`gpg --edit B0AE9A02`) and assign them
*ultimate* ownertrust.

Next install a script of this nature as `post-update.secondary`
in the `hooks/` directory of the `gitolite-admin` repository.  You can also
follow the "using hooks" section in gitolite's "admin" document to let
gitolite put your new hook in the correct place.

	#!/bin/zsh
	
	# this should use locking
	
	pushd ${GL_ADMINDIR}
	
	if [[ -d monkeydir ]]
	then
	    cp ~/.monkeysphere/authorized_user_ids ~/.monkeysphere/old-authorized_user_ids
	    rm -f ~/.monkeysphere/new-authorized_user_ids
	    for i in monkeydir/*.pub
	    do
	        username=$i:t:r
		for j in ${(f)"$(<$i)"}
	        do
	            cat >> ~/.monkeysphere/new-authorized_user_ids <<EOF
	$j
	  command="/usr/share/gitolite/gl-auth-command $username"
	  no-port-forwarding
	  no-X11-forwarding
	  no-agent-forwarding
	  no-pty
	EOF
	
	        done
	    done
	
	    mv ~/.monkeysphere/new-authorized_user_ids ~/.monkeysphere/authorized_user_ids
	    monkeysphere update-authorized_keys
	fi
	
	popd
	
	ADMIN_POST_UPDATE_CHAINS_TO=hooks/post-update.tertiary
	
	if [[ -x $ADMIN_POST_UPDATE_CHAINS_TO ]]; then
	    exec $ADMIN_POST_UPDATE_CHAINS_TO "$@"
	fi

Finally, place *username*.pub files containing OpenPGP IDs into
 a directory called `monkeydir/` in the root of the gitolite-admin
repository.  If everything has been set up correctly, adding
and pushing these files should then result in the appropriate
generation of `~/.ssh/authorized_keys`.
(minor) less important docs have "## title" now this is so the make-gh-pages (not part of gitolite) script can boldface the ones which have "# title" 2011-01-29 10:58:57 +01:00			`## (contributed doc: integrating gitolite with monkeysphere)`
(minor doc fixes for next commit) 2011-01-26 02:22:09 +01:00
Monkeysphere integration documentation. 2010-10-25 00:00:36 +02:00			`This document attempts to describe one way to integrate`
			`[Monkeysphere](http://web.monkeysphere.info/) authentication`
			`with [gitolite](http://github.com/sitaramc/gitolite).`

			`We presuppose that you have a system with a new enough`
			version of Monkeysphere to support ssh `authorized_keys`
			`options, and that you are not making use of`
			`monkeysphere-authentication on this system.`

			`As a first step, import the key or keys you wish to`
			`act as Monkeysphere certifiers into the GnuPG public`
			`keyring of the gitolite user (for example,`
			`gpg --keyserver pool.sks-keyservers.net --recv-keys B0AE9A02`)
			Then edit such keys (`gpg --edit B0AE9A02`) and assign them
			`ultimate ownertrust.`

			Next install a script of this nature as `post-update.secondary`
			in the `hooks/` directory of the `gitolite-admin` repository. You can also
			`follow the "using hooks" section in gitolite's "admin" document to let`
			`gitolite put your new hook in the correct place.`

			`#!/bin/zsh`

			`# this should use locking`

			`pushd ${GL_ADMINDIR}`

			`if [[ -d monkeydir ]]`
			`then`
			`cp ~/.monkeysphere/authorized_user_ids ~/.monkeysphere/old-authorized_user_ids`
			`rm -f ~/.monkeysphere/new-authorized_user_ids`
			`for i in monkeydir/*.pub`
			`do`
			`username=$i:t:r`
			`for j in ${(f)"$(<$i)"}`
			`do`
			`cat >> ~/.monkeysphere/new-authorized_user_ids <<EOF`
			`$j`
			`command="/usr/share/gitolite/gl-auth-command $username"`
			`no-port-forwarding`
			`no-X11-forwarding`
			`no-agent-forwarding`
			`no-pty`
			`EOF`

			`done`
			`done`

			`mv ~/.monkeysphere/new-authorized_user_ids ~/.monkeysphere/authorized_user_ids`
			`monkeysphere update-authorized_keys`
			`fi`

			`popd`

			`ADMIN_POST_UPDATE_CHAINS_TO=hooks/post-update.tertiary`

oopsies... should be checking for "-x" not just "-f or -l" to chain a hook it was trying to execute a broken symlink! (Thanks to Jeff of KDE for catching this) 2011-05-28 16:56:55 +02:00			`if [[ -x $ADMIN_POST_UPDATE_CHAINS_TO ]]; then`
Monkeysphere integration documentation. 2010-10-25 00:00:36 +02:00			`exec $ADMIN_POST_UPDATE_CHAINS_TO "$@"`
			`fi`

			`Finally, place username.pub files containing OpenPGP IDs into`
			a directory called `monkeydir/` in the root of the gitolite-admin
			`repository. If everything has been set up correctly, adding`
			`and pushing these files should then result in the appropriate`
			generation of `~/.ssh/authorized_keys`.