2

I'm reading Scott Chacon's Git book, and just wanted to confirm something. This part:

You also have access to the user doing the pushing if the push is being run over SSH. If you’ve allowed everyone to connect with a single user (like “git”) via public-key authentication, you may have to give that user a shell wrapper that determines which user is connecting based on the public key, and set an environment variable accordingly. Here we’ll assume the connecting user is in the $USER environment variable, so your update script begins by gathering all the information you need:

#!/usr/bin/env ruby

$refname = ARGV[0]
$oldrev  = ARGV[1]
$newrev  = ARGV[2]
$user    = ENV['USER']

puts "Enforcing Policies..."
puts "(#{$refname}) (#{$oldrev[0,6]}) (#{$newrev[0,6]})"

I presume that it's required for the pusher to install a script wrapping around the ssh command. For example, the script would perhaps set the GIT_SSH or GIT_SSH_COMMAND environment variable to point to a shell script that may have something like

#!/bin/bash

HOST=$1
shift
ssh -i ~/.ssh/id_rsa $HOST USER=foo $@

Now anytime a git push is done and the remote contains an ssh url, it will invoke that script and update the refs while passing the USER environment variable.

The other way would be to use "SendEnv USER" in ~/.ssh/config on the local machine and "AcceptEnv USER" in /etc/ssh/sshd_config on the remote git server.

Any other ways that come to mind that expand on the part in bold? I'm particularly looking for a way that doesn't require the pusher to do much work in regards to configuring his environment. Assume everyone's running some form of Windows and needs to setup ssh through some Unix emulator like Cygwin.

Improve this question

1 Answer 1

Reset to default
2

This example is not about the shell or the ssh command.

It is taken from the "Server-Side Hook" section, and describe how to tailored the update hook based on the user (authenticated through ssh)

Here we’ll assume the connecting user is in the $USER environment variable

There is no indication on how this is done, but gitolite (a perl-based authorization layer, which very much needs the user authenticated id) is using ssh forced command: each public key in the ~git/.ssh/authorized_keys include the call to a wrapper script which takes in parameters the user id.
That script will:

  • execute the git command
  • fails if this the command is anything else but a git command

In the ~git/.ssh/authorized_keys, you don't have just the public key, but the call to the wrapper with the user id as a parameter:

command="/wrapper/script userid",no-port-forwarding,no-X11-for        warding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N...
         ^^^^^^^^^^^^^^^
         (forced command)

You can see the environment variable being set by the (gitolite here) wrapper script in src/gitolite-shell#L102-L108.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Hmm, yes, I've considered Gitolite and I've gotten to the part of an article, regarding installing it on Windows, where all I need to do now is just follow the official Gitolite doc to get it installed. I took another look at the Gitolite docs and researched quite a bit on sshd, authorized_keys, and the ssh forced command option. At the moment, it seems like it's a bit overkill. However, if I take the Gitolite route, ultimately, I'll need to access that userid string in a post-receive to do some conditional behavior based on who's pushing. Thanks for the input. Much appreciated.
Oh I see, it looks like I can just do what I want with the GL_USER env var, but it also looks like the bare git repos have to exist in the ~/repositories folder which makes things a little bit less transparent in that the devs would have to alter their remote config in their local repos.
@solstice333 my point was more to illustrate how to set an environment variable with the iser id, based on an ssh forced command calling a script of yours (and not necessarily calling gitolite). Gitolite was just an example on how to do that, but you could write your own script.
@solstice333 if you write your own script, you only need to figure out how to get the users public key and user id, in order to register them in ~/.ssh/authorized_keys (with a forced command syntax). Then the repos can be anywhere you want since your script will call the git command on them.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.