gitolite: an access-control plugin for git

Most Linux systems installed today already ship with a git repository server. If you rely on git's native access control, you have to edit the configuration file of every single repo, and if ssh is used, every user's key also has to be placed in authorized_keys, which carries its own security risks. Instead, we can use a small git access-control plugin, gitolite.

System requirements

  • Any Unix system with a posix compatible "sh" and a sane file system.
  • Git version 1.6.6 or later.
  • Perl 5.8.8 or later (see https://lwn.net/Articles/348084/ if this does not seem to be enough).
  • Openssh (almost any version). Optional if you're using smart http.
  • A dedicated Unix userid to be the hosting user, usually "git" but it can be any user, even your own normal one. (If you're using an RPM/DEB the install probably created one called "gitolite").

SSH configuration

Verifying the server's ssh service

First generate a key pair on the git server, then ssh to the server as the server user to confirm that the server's ssh service works correctly. Two points to note:
  1. The .ssh directory and .ssh/authorized_keys must be given the proper permissions
  2. If the system does not load the private key automatically, use the ssh-add command
[git@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/git/.ssh/id_rsa): 
Created directory '/home/git/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/git/.ssh/id_rsa.
Your public key has been saved in /home/git/.ssh/id_rsa.pub.
The key fingerprint is:
44:92:09:a1:fe:99:54:66:c6:6b:b8:51:2c:62:c2:14 git@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| E. oo.o.        |
|o  . ooo         |
|..+ . O .        |
| + . O o         |
|  . + o S        |
|   o *           |
|    =            |
|                 |
|                 |
+-----------------+
[git@localhost ~]$ cd .ssh/
[git@localhost .ssh]$ cat id_rsa.pub >> authorized_keys
[git@localhost .ssh]$ ssh 192.168.137.2
The authenticity of host '192.168.137.2 (192.168.137.2)' can't be established.
ECDSA key fingerprint is 95:85:14:9c:c4:9e:0f:e1:a6:e6:94:3e:9f:d8:50:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.137.2' (ECDSA) to the list of known hosts.
git@192.168.137.2's password: 

[1]+  已中止               ssh 192.168.137.2
[git@localhost .ssh]$ su
密码:
[root@localhost .ssh]# cd ..
[root@localhost git]# chmod 755 .ssh/
[root@localhost git]# chmod 600 .ssh/authorized_keys 
[root@localhost git]# exit
exit
[git@localhost .ssh]$ ssh 192.168.137.2
Agent admitted failure to sign using the key.
git@192.168.137.2's password: 

[2]+  已中止               ssh 192.168.137.2
[git@localhost .ssh]$ ssh-add
Identity added: /home/git/.ssh/id_rsa (/home/git/.ssh/id_rsa)
[git@localhost .ssh]$ ssh 192.168.137.2
Last login: Wed Feb  4 15:37:10 2015 from panda-windows8.mshome.net
[git@localhost ~]$ exit
登出
Connection to 192.168.137.2 closed.
[git@localhost .ssh]$

The access administrator connects to the server over SSH

My access administrator uses Windows 8 and connects to the server over ssh with Xshell.
1. Generate a key pair with Xshell

2. Export both the generated public key and the private key

3. Upload the public key to the server and append it to authorized_keys
[git@localhost ~]$ cd .ssh/
[git@localhost .ssh]$ ls
authorized_keys  gitolite-admin.pub  id_rsa  id_rsa.pub  known_hosts
[git@localhost .ssh]$ cat gitolite-admin.pub >> authorized_keys 
[git@localhost .ssh]$
4. The access administrator connects to the server with Xshell

5. Verify the result


Installing gitolite

After installation, gitolite automatically creates a repository named gitolite-admin. The access administrator's client clones this repository, edits the configuration files in it and pushes them back; that is how access to the git repositories is managed.

Install gitolite

Before installing, we need to remove from authorized_keys the public key we added earlier when verifying ssh connectivity from the access administrator's client to the git server.
[git@localhost ~]$ git clone git://github.com/sitaramc/gitolite
正克隆到 'gitolite'...
remote: Counting objects: 8802, done.
remote: Total 8802 (delta 0), reused 0 (delta 0)
接收对象中: 100% (8802/8802), 3.64 MiB | 19.00 KiB/s, done.
处理 delta 中: 100% (4996/4996), done.
[git@localhost ~]$ cd gitolite/
[git@localhost gitolite]$ mkdir ~/bin
[git@localhost gitolite]$ ./install -to ~/bin
[git@localhost gitolite]$ gitolite setup -pk ~/.ssh/gitolite-admin.pub 
初始化空的 Git 版本库于 /home/git/repositories/gitolite-admin.git/
初始化空的 Git 版本库于 /home/git/repositories/testing.git/
[git@localhost gitolite]$
From this point on, direct ssh login by the access administrator is also blocked, so that the administrator can only manage repository permissions through the gitolite-admin repository and cannot make any other changes on the server.

Cloning gitolite-admin

My access administrator uses TortoiseGit to download repositories from the git server.
1. Configure TortoiseGit

2. Convert the key
TortoiseGit does not support the OpenSSH-format key generated by Xshell, so we need to convert the key; the PuTTY tool bundled with TortoiseGit (in the TortoiseGit installation directory under bin) can do this.

3. Clone the gitolite-admin repository
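Once the repository is cloned, the administrator edits conf/gitolite.conf, commits, and pushes. The following is an added example of that file, not the configuration from this post; the first two stanzas are what `gitolite setup -pk gitolite-admin.pub` generates, while the users alice, bob, carol and the repo "project" are constructed names.

```conf
# conf/gitolite.conf (added example, not the configuration from the post)
#
# Users are named after their public-key files in keydir/:
# keydir/gitolite-admin.pub -> user "gitolite-admin" (the key passed to
# `gitolite setup -pk`), keydir/alice.pub -> user "alice"; a second key for
# the same user goes in keydir/alice@laptop.pub.  alice, bob, carol and the
# repo "project" are constructed names for this example.

@leads      =   alice
@devs       =   bob carol

# Only the access administrator may push to the permissions repo itself.
repo gitolite-admin
    RW+     =   gitolite-admin

# Sample repo created by `gitolite setup`: anyone with a key may push.
repo testing
    RW+     =   @all

# Rules are checked top to bottom: a matching "-" rule denies, a matching
# rule with enough rights allows, anything else is skipped.  Leads may do
# anything on any branch (RW+ includes rewinds and deletes); developers may
# not push to master at all but may fast-forward push any other branch;
# every user with a key may read.
repo project
    RW+             =   @leads
    -       master  =   @devs
    RW              =   @devs
    R               =   @all
```

On push, gitolite's hook on the server compiles the new rules and creates any repo listed here that does not exist yet, so no login to the server is needed.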


Summary

  • gitolite manages repository permissions by authorizing an access administrator to maintain a dedicated permissions repository. This separates the git administrator from the access administrator, making git both safer and more convenient.
  • In my example the access administrator first sshes into the git server only to verify the ssh connection from the administrator's machine to the server. Following the approach described above, the access administrator would not be allowed to log in to the git server directly.
  • gitolite official documentation: http://gitolite.com/gitolite/gitolite.html#rtfm