gitolite/contrib/monkeysphere.mkd
Sitaram Chamarty 6e29365316 MASSIVE set of changes to documents!
I got tired of being told "TL;DR".  Now the online versions of most
documents fit on a page or two, or at least most of them do.  The rest
has been split out (and you can see the links to the split out sections
right where the text is in the raw Markdown).

This is much more pleasant to read, and I've improved the linking so
it's much less effort for me to keep the links correct.
2011-11-02 21:04:33 +05:30

2.1 KiB

F=monkeysphere (contributed doc: integrating gitolite with monkeysphere)

This document attempts to describe one way to integrate Monkeysphere authentication with gitolite.

We presuppose that you have a system with a new enough version of Monkeysphere to support ssh authorized_keys options, and that you are not making use of monkeysphere-authentication on this system.

As a first step, import the key or keys you wish to act as Monkeysphere certifiers into the GnuPG public keyring of the gitolite user (for example, `gpg --keyserver pool.sks-keyservers.net --recv-keys B0AE9A02`). Then edit such keys (`gpg --edit B0AE9A02`) and assign them ultimate ownertrust.

Next, install a script of this nature as post-update.secondary in the hooks/ directory of the gitolite-admin repository. You can also follow the "using hooks" section in gitolite's "admin" document to let gitolite put your new hook in the correct place.

```zsh
#!/bin/zsh

# this should use locking

pushd "${GL_ADMINDIR}"

if [[ -d monkeydir ]]
then
    # keep a copy of the previous list, then rebuild it from scratch
    cp ~/.monkeysphere/authorized_user_ids ~/.monkeysphere/old-authorized_user_ids
    rm -f ~/.monkeysphere/new-authorized_user_ids
    for i in monkeydir/*.pub
    do
        # zsh modifiers: :t = basename, :r = strip extension -> gitolite user name
        username=$i:t:r
        # one entry per line (one OpenPGP ID) in the .pub file
        for j in ${(f)"$(<$i)"}
        do
            cat >> ~/.monkeysphere/new-authorized_user_ids <<EOF
$j
  command="/usr/share/gitolite/gl-auth-command $username"
  no-port-forwarding
  no-X11-forwarding
  no-agent-forwarding
  no-pty
EOF

        done
    done

    mv ~/.monkeysphere/new-authorized_user_ids ~/.monkeysphere/authorized_user_ids
    # regenerate ~/.ssh/authorized_keys from the new authorized_user_ids
    monkeysphere update-authorized_keys
fi

popd

# chain to the next hook, if there is one
ADMIN_POST_UPDATE_CHAINS_TO=hooks/post-update.tertiary

if [[ -x $ADMIN_POST_UPDATE_CHAINS_TO ]]; then
    exec "$ADMIN_POST_UPDATE_CHAINS_TO" "$@"
fi
```

Finally, place username.pub files containing OpenPGP IDs into a directory called monkeydir/ in the root of the gitolite-admin repository. If everything has been set up correctly, adding and pushing these files should then result in the appropriate generation of ~/.ssh/authorized_keys.
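As an added example (not part of the contributed hook above), here is a POSIX sh version of the authorized_user_ids generation step that validates the user name taken from the file name before placing it in the `command=` option, so that an odd file name in monkeydir/ cannot smuggle extra authorized_keys options, and that replaces the file atomically. The default path of gl-auth-command and the `GL_AUTH_CMD` variable are assumptions; the monkeydir layout is the one this document describes.

```sh
#!/bin/sh
# Added example, not the contributed hook: regenerate a Monkeysphere
# authorized_user_ids file from monkeydir/*.pub with user-name validation.
# GL_AUTH_CMD (assumed) is the path of gl-auth-command on your system.

GL_AUTH_CMD=${GL_AUTH_CMD:-/usr/share/gitolite/gl-auth-command}

# Accept only user names that cannot break out of the quoted command= option
# or add further authorized_keys options: letters, digits, '.', '_', '@', '-'.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_authorized_user_ids MONKEYDIR OUTFILE
# Rewrites OUTFILE from MONKEYDIR/*.pub via a temp file and a single mv.
# Returns 1 if any .pub file was skipped because of an unsafe user name
# (the skipped user simply gets no entry), 2 if the temp file is unwritable.
gen_authorized_user_ids() {
    dir=$1 out=$2 rc=0 tmp="$2.new.$$"
    : > "$tmp" || return 2
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue            # no .pub files at all
        user=${f##*/}; user=${user%.pub}   # file name minus .pub = user name
        if ! valid_username "$user"; then
            echo "skipping $f: unsafe user name" >&2
            rc=1; continue
        fi
        # one entry per OpenPGP ID line; blank lines are ignored
        while IFS= read -r id || [ -n "$id" ]; do
            [ -n "$id" ] || continue
            printf '%s\n  command="%s %s"\n  no-port-forwarding\n  no-X11-forwarding\n  no-agent-forwarding\n  no-pty\n' \
                "$id" "$GL_AUTH_CMD" "$user" >> "$tmp"
        done < "$f"
    done
    mv "$tmp" "$out"
    return $rc
}
```

After this you would still run `monkeysphere update-authorized_keys`, exactly as the hook above does, to turn the new authorized_user_ids into ~/.ssh/authorized_keys.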