I have an issue with SSH keys and gitolite on my MacBook.
Gitolite is running on my Debian server: gitolite3 3.6.4-1 (Debian) on git 2.7.4
In gitolite-admin/keydir I have the keys bob.pub and admin.pub.
They are different keys.
My conf file is basically:
    # this repo
    repo gitolite-admin
        RW+ = admin
    repo myrepo
        RW+ = bob
My ~/.ssh/config file is simply this to specify we use a different port:
    Host gitserver
        IdentityFile ~/keys/bob
        Port 2222
I am testing with the command:
    git clone git@gitserver:myrepo.git
These are the logs under /home/git/.gitolite/logs/
When I ssh from my Linux system, it works fine.

    2016-10-14.15:54:53 11635 ssh ARGV=bob SOC=git-upload-pack 'myrepo' FROM=192....
    2016-10-14.15:54:53 11635 pre_git myrepo bob R any refs/.*
    2016-10-14.15:54:53 11635 system,git,shell,-c,git-upload-pack '/home/git//repositories/myrepo.git'
    2016-10-14.15:54:53 11635 END

However, when I do the same thing with the SAME key on my MacBook Air, it seems that

    2016-10-14.15:56:07 11652 ssh ARGV=admin SOC=git-upload-pack 'myrepo' FROM=192.168.0.105
    2016-10-14.15:56:07 11652 die R any myrepo admin DENIED by fallthru<<newline>>(or you mis-spelled the reponame)
What I think is happening:
- The underlying ssh connection is using the correct user (git) and key (bob) to get onto the server. It is done using /home/git/.ssh/authorized_keys (generated by gitolite). I can actually see in this file the

      command="/usr/share/gitolite3/gitolite-shell bob"

  showing that the command argument matching the key is correct.
- However, after the ssh connection, for some reason the command is changed to have the argument admin INSTEAD of bob!
Again.
It does not happen on my linux machine.
This only happens on my macbook.
What DOES work from the Mac is that I can clone testing or gitolite-admin.
Even with the bob key, when it really should be the admin key!
I think that this might actually be a security hole in gitolite!
I am running 3.6.4, and there is nothing in the release notes of 3.6.5 or 3.6.6 to indicate a fix.
Best Answer
For anyone else coming here with a similar problem, there is a reply by the gitolite author on the mailing list: https://groups.google.com/d/msg/gitolite/VRLAQaN2QoE/7EWN1I82BQAJ
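
An added example, not part of the original question or answer and not gitolite's own code: gitolite takes the user it logs as ARGV from the command= option on the authorized_keys line of the key that authenticated the connection, so this script maps a public key's fingerprint to that user and compares it with a log line. The key blobs, the authorized_keys content and the bob.pub line are constructed placeholders, and the function names are hypothetical; the log line is the one quoted in the question.

```python
import base64
import hashlib
import re

def sample_blob(fill: bytes) -> str:
    # Constructed placeholder key material, not a real key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + fill * 32).decode()

OPTS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
# Constructed authorized_keys content in the layout gitolite generates.
AUTHORIZED_KEYS = "\n".join([
    "# gitolite start",
    f'command="/usr/share/gitolite3/gitolite-shell admin",{OPTS} ssh-rsa {sample_blob(b"A")}',
    f'command="/usr/share/gitolite3/gitolite-shell bob",{OPTS} ssh-rsa {sample_blob(b"B")}',
    "# gitolite end",
])
BOB_PUB = f"ssh-rsa {sample_blob(b'B')} bob@laptop"  # constructed bob.pub content
# Log line copied from the question.
DENIED_LOG = ("2016-10-14.15:56:07 11652 ssh ARGV=admin "
              "SOC=git-upload-pack 'myrepo' FROM=192.168.0.105")

ENTRY_RE = re.compile(r'^command="[^"]*gitolite-shell ([^"\s]+)"\S*\s+\S+\s+(\S+)')
ARGV_RE = re.compile(r"\sssh\s+ARGV=(\S+)")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def users_by_fingerprint(authorized_keys: str) -> dict:
    """Map each key fingerprint to the user named in its command= option."""
    users = {}
    for line in authorized_keys.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            users[fingerprint(m.group(2))] = m.group(1)
    return users

def compare(pub_line: str, log_line: str, authorized_keys: str) -> tuple:
    """Return (user the .pub key maps to, user gitolite logged as ARGV)."""
    users = users_by_fingerprint(authorized_keys)
    expected = users.get(fingerprint(pub_line.split()[1]))
    m = ARGV_RE.search(log_line)
    return expected, (m.group(1) if m else None)

if __name__ == "__main__":
    expected, logged = compare(BOB_PUB, DENIED_LOG, AUTHORIZED_KEYS)
    print(f"key maps to {expected!r}, session ran as {logged!r}")
    if expected != logged:
        print("a key other than this one authenticated the session")
```

On a real server, pass the contents of /home/git/.ssh/authorized_keys and the client's .pub file; the fingerprints can be cross-checked against `ssh-keygen -lf` output.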