I am trying to set up a Git server on a Debian server, but can not seem to add users that can successfully access it.
After doing gitosis-init, and cloning the gitosis-admin repository and adding the public key of the local machine in to the /keydir, and edit the gitosis.conf file, I commit and push. Just as many of the tutorials tell me to.
I have confirmed that the gitosis-admin repository has been updated correctly by cloning it to another location, and the updates have been made.
gitosis.conf
[gitosis]
[group gitosis-admin]
writable = gitosis-admin
members = saifis@debian, saifis@local
Now, I try to clone gitosis-admin to a file on my local machine, and it gives a
Permission denied (publickey).
error.
ssh -v gitosis@DebianAddress gives me
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 192.168.xxx.xxx [192.168.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /Users/saifis/.ssh/identity type -1
debug1: identity file /Users/saifis/.ssh/id_rsa type 1
debug1: identity file /Users/saifis/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /Users/saifis/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
-----------------
debug1: Trying private key: /Users/saifis/.ssh/identity
debug1: Trying private key: /Users/saifis/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
I do not think its a key related problem since the same public key is used to signing in to the same server via SSH, and that works fine.
If anymore information is needed please fill me in.
—Added—-
About the ~/gitosis/.ssh/authorized_keys. As my understanding, since authorized git users access via SSH through gitosis account, adding the public key to the authorized_keys does sound like the right answer, however at the top of the file, it has
### autogenerated by gitosis, DO NOT EDIT
not saying I should blindly follow what ever it says, but adding the public key to authorized_keys would give all the users added in it access to the entire server via ssh, and I do not want to give that much control over to just repository users.
I thought that gitosis took care of that and only gave access when being accessed by the git methods, and not direct ssh access, or do they get added to authorized_keys anyway?
Best Answer
Before you've pushed anything, the only key that has any rights to the gitosis account is the one you passed to gitosis-init. That other keys have access to your regular user account is irrelevant. Compare the key in
~gitosis/.ssh/authorized_keysandssh-add -L.Gitosis works like this: on each push, a post-update hook runs and gitosis regenerates authorized_keys for its own account. If it didn't pick up your key, it most likely wasn't in the format gitosis expects. Since the hook is post-update the update will have been accepted even if it was invalid (gitosis could be more strict by having both an update and a post-update hook). Make a trivial change and push again from the host that has the initial key to look at gitosis error's messages. Adding the key to authorized_keys manually involves duplicating the correct line, replacing the key type, key data and username.