for security reasons, we refuse to create ~/.ssh/authorized_keys if it doesn't exist. Explain this better and point to the documentation
2.6 KiB
administering and running gitolite
Note: some of the paths in this document use variable names. Just refer to
~/.gitolite.rc
for the correct values for your installation.
administer
-
ask each user who will get access to send you a public key. See other sources (for example here) for how to do this
-
rename each public key according to the user's name, with a
.pub
extension, likesitaram.pub
orjohn-smith.pub
. You can also use periods and underscores -
copy all these
*.pub
files to$GL_KEYDIR
-
edit the config file (
$GL_CONF
) and give the new users permissions as required. The users names should be exactly the same as their keyfile names, but without the.pub
extension -
backup your
~/.ssh/authorized_keys
file if you feel nervous :-)- that's "backup" as in "copy", not "move". The next step won't work if the file doesn't exist. Even an empty one is fine but it must be present
- if you don't have an
~/.ssh/authorized_keys
file at all, you may have logged in with a password, which in turn might mean you are not familiar with ssh and authkeys etc. If so, please read up at least this, and preferably also the man pages for sshd and sshd_config, to make sure you understand the security implications of what you are doing. Once you have understood that, create at least an empty~/.ssh/authorized_keys
file before proceeding to the next step
-
cd to
$GL_ADMINDIR
and runsrc/gl-compile-conf
That should be it, really. However, if you want to be doubly sure, or maybe the first couple of times you use it, you may want to check these:
-
check the outputs
~/.ssh/authorized_keys
should contain one line for each "user" pub key added, between two "marker" lines (which you should please please not remove!). The line should contain a "command=" pointing to a$GL_ADMINDIR/src/gl-auth-command
file, then some sshd restrictions, the key, etc.$GL_CONF_COMPILED
should contain an expanded list of the access control rules. It may look a little long, but it's fairly intuitive!
-
if the run threw up any "initialising empty repo" messages, check the individual repos (inside
$REPO_BASE
) if you wish. Especially make sure the$REPO_BASE/[reponame].git/hooks/update
got copied OK and is executable