Skip to content

Setting up git securely and easily using gitosis

As mentioned in the earlier article on git (What is git?), git uses Linux user accounts to controll access to the repository. But, what if you want to be a bit more secure, and not give your users shell access? What if you want to be able to administer access without shell access? There’s an easy way around this, and it actually even makes setting up git itself for multiple users easier, and it’s called gitosis.

gitosis is available in most distro’s as a package of some sort or another (apt-get install gitosis, yum install gitosis, ext), however if your feeling adventurous, there’s also source available (via git at git://

Below is my little walk through. It starts out on the server that is going to act as the master/origin, and then later on (with warning) I’ll switch over to talk about interfacing with it. So, without further delay, here it is, using Debian (because it’s better.):

  1. Recommended, but not necessarily needed: make sure you’re up-to-date.
    apt-get update ; apt-get upgrade
  2. Install git core, gitosis, and the docs if you feel randy.
    apt-get install git-core gitosis git-doc
  3. Next, your going to need to initialize gitosis with a public key, so that next, you can initialize gitosis. If you already have a key, you can skip this step, or if you want to generate a different key, you can specify a different location in the prompt.
    ssh-keygen -t rsa

    I also highly recommend specifying a passphrase. You may also specify a comment with the -C parameter. This comment is used by gitosis in initialization of the ACL to determine the name of the user, so keep that in mind when you use it. By default, it is the fully qualified name of the user you where logged in as when you created it (ex: root@local.localdomain).

  4. Initializing the git-admin repository:
    sudo -H -u gitosis gitosis-init < ~/.ssh/

    This should result in output like below (with /srv/gitosis being the default home directory for the gitosis user on Debian)

    Initialized empty Git repository in /srv/gitosis/repositories/gitosis-admin.git/
    Reinitialized existing Git repository in /srv/gitosis/repositories/gitosis-admin.git/

    If you’re wondering, this basically says using my sudoer’s access, switch over to the gitosis user (that installing git created), change directories to that user’s home directory (-H), and run gitosis-init, passing it the key you created.

  5. At this point, you’re sort-of all set up. git is installed, and so is gitosis, and you can connect and pull down the repository gitosis created for administration like so:
    git clone gitosis@localhost:gitosis-admin.git

    Which, assuming you’ve done everything correctly thus far, will output something like so:

    Initialized empty Git repository in /root/gitosis-admin/.git/
    The authenticity of host 'localhost (' can't be established.
    RSA key fingerprint is 24:d3:af:34:ce:79:f6:02:fc:43:ac:63:e6:7b:34:8a.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
    remote: Counting objects: 5, done.
    remote: Compressing objects: 100% (4/4), done.
    remote: Total 5 (delta 0), reused 5 (delta 0)
    Receiving objects: 100% (5/5), done.
  6. Let’s hop into that directory real quick.
    cd gitosis-admin

    And a listing will show two items in the directory, gitosis-conf and keydir. gitosis-conf is basically your ACL, and keydir holds the ssh public keys for authentication for each of your users.

  7. Now, for each user, you’re going to:
    1. Generate a new public/private key pair. In the example below, I did it as root like everything else, but specified a different location to save it. NOTE: keys should be named , where the username is the name your going to put in gitosis.conf. This will yield two files, one named , and one named .pub.
      ssh-keygen -t rsa -C -f ~/.ssh/css

      So, as I said, this will yield two files:

      # ls -1 ~/.ssh/css*
    2. Copy the public key(s) you created into the keydir.
      cp -vpr ~/.ssh/*.pub keydir

      If you have that file we created earlier in your .ssh folder, that will also have copied over, to give you something like:

      # ls -1 keydir

      I deleted the afterwards, just to get rid of the unnecessary file.

    3. Update your gitosis.conf to give your new users access to the new repository we’ll create in a minute, called TestRepo.
      vim gitosis.conf

      Here’s what looks like before any changes:

      [group gitosis-admin]
      writable = gitosis-admin
      members = admin

      Before anything else, we have the gitosis global configuration options (none specified, so it’s going to use the defaults). Then, there’s another section, the group for gitosis-admin. How this one is specified makes it act as a user group and also a repository definition, and reads something like “The group gitosis-admin can write to the gitosis-admin directory, and has the members admin.”
      To add access to our new repository, we’re simply going to duplicate this. In a later article, I’ll go into more intimate details of the gitosis configuration.

      [group TestRepo]
      writable = TestRepo
      members = css

      With the addition of the above, the gitosis.conf will look like this:

      [group gitosis-admin]
      writable = gitosis-admin
      members = admin
      [group TestRepo]
      writable = TestRepo
      members = css
  8. Once that’s saved, add it into the repository. Executing the following will have git look for anything that’s different from the original state.
    git add .

    Checking the status…

    # git status

    you should see the additional file, and gitosis.conf marked as modified.

    # On branch master
    # Changes to be committed:
    #   (use "git reset HEAD ..." to unstage)
    #       modified:   gitosis.conf
    #       new file:   keydir/
  9. Now, commit all (-a) your changes, and push them back to the master.
    git commit -a -m "Initial user setup and addition of the TestRepo"
    git push
  10. And now all you have to do is initialize that repository and push it back up to the master!
    cd ~
    mkdir TestRepo
    cd TestRepo
    git init
    git commit --allow-empty -m "Initialization of the repositry"
    git push
  11. Now you’re free to do whatever! One thing to note: since this was all done on our master, we used gitosis@localhost, however, when you’re not on that server, you would use gitosis@< server address >, ex:
Be Sociable, Share!

Posted in Version Control. Tagged with , , .

2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Lalit Kapoor said

    nice post!, my svn repository is messed up, so i’m going to use git. :)

  2. nice post!, my svn repository is messed up, good time to switch to git. I hope you are liking it. It is much nicer than most other source control versioning systems in my opinion.