Ssh – Allow users to ssh to specific user through ldap and stored public keys


I recently set up gitolite, where users access the git repository as the "gitolite" user through ssh.

Now I would like to integrate that with LDAP. Each user has a pubkey in LDAP, and if he has the "git" objectClass, he would be able to access the "gitolite" user through ssh.

I know it's possible to store public keys in LDAP, but I'm not sure if it is possible to allow authentication to the "gitosis" account based on objectClass.

EDIT: To clarify, with objectClass git, user "foobar" would be able to log in as "gitolite" through ssh.

Best Answer

The author of gitolite has added some features that help support external key stores and group membership information. Search the CHANGELOG for LDAP.

To use an external key store, your sshd needs to support the usual .ssh/authorized_keys file (this is the file that tells sshd to run gl-auth-command when a gitolite user logs in).

  1. Turn off the normal authkey generation (the one based on the keydir in the gitolite-admin repository):
    $GL_NO_SETUP_AUTHKEYS = 1; in your .gitolite.rc.
  2. Periodically (any time a key is changed, a user is added, etc.):
    1. Extract all the SSH keys from your key store into some convenient, temporary directory (use the same names for key files as if they were in the normal repository-based keydir).
    2. Run gl-setup-authkeys to have gitolite rebuild its part of the authorized_keys file.

See the commit message that introduced gl-setup-authkeys for the author’s own description.

Using externally defined user groups is a bit trickier since it usually involves interposing another program between sshd and gl-auth-command (the group memberships are passed as extra arguments to gl-auth-command). See “usergroups and LDAP/similar tools”.
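The periodic step of the answer (pull every key out of the key store into a temporary keydir named the way gitolite-admin would name it, then run gl-setup-authkeys), written out for the asker's LDAP scheme as an added example. This is not code from the page, from the answer's author or from the gitolite project. It assumes the key is stored in the sshPublicKey attribute (the openssh-lpk schema; the question does not name the attribute), that the gitolite user name is the LDAP uid, and that gl-setup-authkeys takes the keydir path as its argument (check the commit message the answer points to before relying on that). The sample LDIF is constructed and contains no real key material.

```shell
#!/bin/sh
# Added example, not code from the page, from gitolite or from the answer's author.
# Rebuilds a gitolite v2 keydir from LDAP users carrying objectClass "git" (the
# asker's scheme) and hands it to gl-setup-authkeys. Assumed, not stated on the
# page: keys live in the sshPublicKey attribute (openssh-lpk schema), the gitolite
# user name is the LDAP uid, gl-setup-authkeys takes the keydir as its argument.
set -eu
nl=$(printf '\nx'); nl=${nl%x}   # literal newline, used as a list separator
_uid=''; _keys=''                 # uid and sshPublicKey values of the current entry

# Parse one unfolded LDIF line; "attr:: value" carries a base64-encoded value.
_ldif_line() {
    case $1 in *:*) ;; *) return 0 ;; esac
    attr=${1%%:*}; rest=${1#*:}
    case $rest in
        :*) rest=${rest#:}; rest=${rest# }
            value=$(printf '%s' "$rest" | base64 -d 2>/dev/null) || value='' ;;
        *)  value=${rest# } ;;
    esac
    case $attr in
        uid) _uid=$value ;;
        sshPublicKey) if [ -n "$_keys" ]; then _keys="$_keys$nl$value"; else _keys=$value; fi ;;
    esac
}

# End of an entry: write its keys named as the gitolite-admin keydir would name
# them (<uid>.pub, then <uid>@key2.pub ...), rejecting unsafe uids and non-keys.
_ldif_flush() {
    kd=$1
    if [ -n "$_uid" ] && [ -n "$_keys" ]; then
        # The uid becomes a file name: no '/', no '@', no leading '.', no spaces.
        if printf '%s\n' "$_uid" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$'; then
            old_ifs=$IFS; IFS=$nl; set -f; set -- $_keys; set +f; IFS=$old_ifs; i=0
            for key in "$@"; do
                i=$((i + 1))
                if printf '%s\n' "$key" | grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'; then
                    if [ "$i" -eq 1 ]; then name=$_uid.pub; else name="$_uid@key$i.pub"; fi
                    printf '%s\n' "$key" > "$kd/$name"
                else
                    printf 'skipping malformed key %d for uid %s\n' "$i" "$_uid" >&2
                fi
            done
        else
            printf 'skipping unsafe uid %s\n' "$_uid" >&2
        fi
    fi
    _uid=''; _keys=''
}

# ldif_to_keydir DIR < ldif: unfold continuation lines (leading space), parse
# entry by entry, print the number of key files written to DIR.
ldif_to_keydir() {
    dir=$1; mkdir -p "$dir"; _uid=''; _keys=''; prev=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ' '*) prev="$prev${line# }"; continue ;; esac
        [ -z "$prev" ] || _ldif_line "$prev"
        prev=$line
        [ -n "$line" ] || _ldif_flush "$dir"   # a blank line ends an entry
    done
    [ -z "$prev" ] || _ldif_line "$prev"
    _ldif_flush "$dir"
    find "$dir" -type f -name '*.pub' | wc -l | tr -d ' '
}

# Constructed sample of "ldapsearch -LLL" output, no real key material: a folded
# line, a base64 "::" value, a uid that must be rejected, and a malformed key.
sample_ldif() {
    alice_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed alice'
    cat <<EOF
dn: uid=foobar,ou=People,dc=example,dc=com
uid: foobar
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey00
 0000000000 foobar@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed foobar@desktop

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sshPublicKey:: $(printf '%s' "$alice_key" | base64 | tr -d '\n')

dn: uid=../evil,ou=People,dc=example,dc=com
uid: ../evil
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed evil

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sshPublicKey: not a key at all
EOF
}

# The real run: sync_gitolite_keys URI BASE_DN BIND_DN PASSWORD_FILE. Use ldaps://
# with a verified CA: whoever can write these attributes, or spoof the answer,
# can log in as gitolite. An empty result (LDAP down) must not wipe every key.
sync_gitolite_keys() {
    keydir=$(mktemp -d)
    count=$(ldapsearch -LLL -x -H "$1" -b "$2" -D "$3" -y "$4" \
                '(objectClass=git)' uid sshPublicKey | ldif_to_keydir "$keydir")
    [ "${count:-0}" -gt 0 ] || { echo 'no keys from LDAP, leaving authorized_keys alone' >&2; rm -rf "$keydir"; return 1; }
    gl-setup-authkeys "$keydir"   # assumed invocation; see the commit message
    rm -rf "$keydir"
}
```

Two guards matter more than the parsing. The uid becomes a file name under the keydir and later a gitolite user name, so an LDAP value like "../evil" is refused rather than written outside the directory; and a query that returns nothing (server down, wrong base DN, expired bind password) aborts before gl-setup-authkeys runs, because handing it an empty keydir would remove every gitolite key from authorized_keys. The objectClass filter does the authorization the question asks for, so whoever can add the "git" objectClass or edit sshPublicKey in LDAP controls who can log in as gitolite; treat those attributes, and the transport to the directory, accordingly. The $GL_NO_SETUP_AUTHKEYS step from the answer still has to be done once beforehand, or the next gitolite-admin push overwrites this work.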