我希望按照说明设置 gitolite,一切都按计划进行。
我有点不确定用户名部分是如何工作的,并且浏览文档并没有帮助我 - 也许我错过了一些简单的东西。
如果我有两台客户端计算机,供一个真人使用,但在每台计算机上,用户名都是 dave 和 david。如何组织 keydir 和任何配置文件中的密钥,以便它们都代表同一用户?我得到了后缀,dave@laptop,dave@desktop(我认为),只是不知道如何连接不同的客户端计算机用户名,因为它似乎在身份验证时寻找这个(可能是因为包含 user@host 信息的公钥?)
如果需要的话我可以提供更多细节 - 我只是不想用不相关的信息轰炸你们所有人。
非常感谢。
I have set up gitolite hopefully as per the instructions, and everything is working as planned.
I am slightly unsure as to how the usernames part works, and looking through the docs hasn't helped me - perhaps I'm missing something simple.
If I have two client machines, for use by one real person, but on each of those machines the usernames are, let's say dave and david. How can I organise the keys in keydir and any config file so that they both represent the same user? I get the suffix thing, dave@laptop, dave@desktop (I think), just not how to have different client machine usernames connecting, as it seems to look for this when authenticating (perhaps because of the public key containing user@host information?)
I can give more details if needed - I just didn't want to bombard you all with irrelevant information.
Thanks very much.
发布评论
评论(8)
目前根据文档推荐的方式
参考:https: //gitolite.com/gitolite/basic-admin.html#multiple-keys-per-user
旧方法
如果您询问如何完成以下任务:
在每台计算机上使用不同的 ssh 密钥,您只需创建密钥(即:keygen "[email protected]"),然后将公钥复制到您的 gitolite keydir 目录 (gitolite-admin/keydir)。执行此操作时,只需将密钥命名为
[email protected]< /code>,[电子邮件受保护],和[电子邮件受保护]。将密钥添加到存储库 (git add keydir/.)、提交 (git commit -m "added David's extra keys") 和git Push> 返回服务器。Gitolite 足够聪明,知道即使它是不同的密钥,用户名(在
@之前)仍然是david并且会让该用户登录并使用 ACL对于david希望这有助于
修复您可能有
john_home.pubjohn_work.pub打开您的 gitolite 存储库(管理存储库)并将kedir中的密钥重命名为[email protected] ]和[电子邮件受保护]提交并推送。现在,您的用户john可以从任意一台计算机登录并使用相同的用户名。请记住,为了使其正常工作,SSH 密钥中的电子邮件地址对于所有用户的密钥都必须相同。因此,使用上面的示例,在键
[email protected],[电子邮件受保护]和 [email protected] 都应该有[电子邮件受保护]的电子邮件地址。以上是“旧方法”,如果您以“电子邮件地址方式”命名密钥,则可能会导致复杂化,这与我上面所说的相反,gitolite 不会检查您的密钥是否有正确的电子邮件地址。请忽略(为了清楚起见,我保留了原始评论)。
The current recommended way according to the documentation
reference: https://gitolite.com/gitolite/basic-admin.html#multiple-keys-per-user
The old way
If you are asking how you accomplish the following:
With different ssh keys on each computer you would simply create the key (ie: keygen "[email protected]") and then copy the public key to your gitolite keydir directory (gitolite-admin/keydir). When you do that simply name the key
[email protected],[email protected], and[email protected]. Add the keys to the repository (git add keydir/.), commit (git commit -m "added David's additional keys") andgit pushback to the server.Gitolite is smart enough to know that even though it is a different key the user name (before the
@) is stilldavidand will let that user log in and use the ACL fordavidHope this helps
To fix a scenario where you might have
john_home.pubjohn_work.pubopen up your gitolite repo (admin repo) and rename the keys in yourkedirto[email protected]and[email protected]commit and push. Now your userjohncan login from either machine and use the same username.Keep in mind, in order for this to work, the email address in the SSH Keys needs to be the same for all of the user's keys. So using the example above, in the keys
[email protected],[email protected], and[email protected]all should have the email address of[email protected].Above was the "old way" do to this and may cause a complication if you have named your keys in the "email address way" contrary to what I stated above gitolite DOES NOT inspect your key for the proper email address. Please ignore (I left the original comment in for clarity).
至少适用于 Gitolite v3
最简单的解决方案是使用此处记录的子文件夹系统 http://sitaramc.github.com/gitolite/users .html
Gitolite 将通过 keydir 递归搜索,并将所有 .pub 关联为一个用户。
我现在在 Windows 笔记本电脑和 Linux 开发机上使用子文件夹系统,并且工作正常。
user@host 约定似乎太复杂了。
我正在做这样的事情:
For Gitolite v3 at least
Easiest solution is to use the subfolder system documented here http://sitaramc.github.com/gitolite/users.html
Gitolite will search recursively through the keydir and associate all the .pub as one user.
I am using the subfolder system now with a windows laptop and linux dev machine and working fine.
The user@host convention seems way too complicated.
I'm doing something like this:
自 gitolite v3.5.2-10-g437b497 (2013 年 9 月,提交 59c817d0 )以来,有是一个更简单的解决方案:
ukm,用于“用户密钥管理”< /a>.
它可以引入一定程度的委托,不仅 gitolite 管理员用户可以添加新的 ssh 公钥,其他用户现在也可以这样做。
它还有助于添加/删除公共 ssh 密钥。
您可以在“
contrib/t 中查看它的实际效果/ukm.t”:Gitolite 文档 包含有关该主题,但使用
ukm,它更容易(“想要管理多个密钥的用户"):Since gitolite v3.5.2-10-g437b497 (September 2013, commit 59c817d0), there is an even simpler solution:
ukm, for "user key management".
It can introduce a level of delegation, when not just the gitolite admin user can add new ssh public keys, but other users can now do so as well.
It also facilitate adding/removing public ssh keys.
You can see it in action in "
contrib/t/ukm.t":Gitolite documentation includes a section on that topic, but with
ukm, it is easier (section "Users that want to manage multiple keys"):我已经重新组织了我的 gitolite admin keydir 几次,但仍然没有真正决定哪种是组织事物的最佳方式。如果你能坚持一些约定,事情肯定会变得更容易,但这并不总是可能的。幸运的是,gitolite 很灵活。
一般来说,我不喜欢使用包含所有密钥的单个平面目录,仅依赖于命名约定“[电子邮件受保护]" 以保持正常。 (这似乎在其他答案中有所暗示?)如果您在多个主机上有多个密钥并且单个“真实”用户有多个用户名(甚至两个不同主机上的两个不同用户有相同的用户名),那么这可能会变得令人困惑。使用子目录有助于组织事物——使用任何深度的树,但通常我只使用一层。
两个主要选项(甚至是其组合):
该用户(例如,通常每个主机一个)。
在该主机上工作。尽管用户可以将其私钥复制到另一个
主机,(就我而言)感到气馁。无论如何,子目录均以最初生成密钥的主机命名。
作为每个用户一个子目录的示例(选项#1):
请注意:
一般来说,我更喜欢并且确实使用选项#1,其中也有一些选项#2 的示例。如果您有服务器来来去去(可能是配置和回收虚拟机)并且希望在主机级别而不是用户级别维护事物,那么选项#2可能会简化 Intranet 自动化,因此您可以(例如)轻松清理已退役主机上的过时密钥(例如,短期测试虚拟机)。
gitolite 的好处是 keydir 目录的(重新)组织不会影响用户。但如果不小心,您很容易(无意中)锁定您的用户(或您自己)。
I've reorganized my gitolite admin keydir a couple times, and still haven't really decided which is the best way to organize things. If you can stick to some conventions, things will certainly be easier, but that isn't always possible. Luckily gitolite is flexible.
In general I prefer not to use a single, flat directory containing all keys, relying solely on the naming convention "[email protected]" to keep things straight. (This seems to be implied in other answers?) That can become confusing if you have multiple keys on multiple hosts and multiple usernames for a single "real" user (or even the same username for two different users on two different hosts). Using subdirectories helps to organize things -- using a tree of any depth, but typically I just use one level.
The two main options (or even a combination thereof):
that user (e.g., typically one per host).
working on that host. Although the user could copy their private key to another
host, that is (in my case) discouraged. In any case, the subdirectories are named after the host where the key was originally generated.
As an example of one subdirectory per user (option #1):
Note that:
In general I prefer and do use option #1, sprinkled with a few examples of option #2. Option #2 could possibly simplify intranet automation if you have servers coming and going (perhaps provisioning & recycling VM's) and want to maintain things at a host level rather than at the user-level, so you can (for example) easily clean up obsolete keys on a decommissioned host (e.g., short-term test VM).
The nice thing about gitolite is that the (re-)organization of the keydir directory does not impact users. But you can easily (inadvertently) lock out your users (or yourself) if not careful.
您总是这样连接:
无论您是什么用户。 Gitolite 通过您提供的公钥来识别您的身份。例如,该密钥称为 dave.pub。通过使用此公钥的 ssh 连接完成的任何操作都将由 gitolite 根据配置文件中使用的“dave”或“all”进行审查。
您可以在不同的机器和不同的存储库上随意设置名称和电子邮件。提交将包含该信息。但是,如果您对 ssh 使用相同的公钥/私钥,则您可以读取或写入哪些分支、树或存储库取决于管理存储库中的配置文件中“dave”的限制方式。
希望这有帮助。
You always connect like this:
no matter what user you are. Gitolite identifies you by what public key you are providing. This key is called dave.pub, for example. Anything that is done through an ssh connection with this public key, will be scrutinized by gitolite according where "dave" or "all" is used in the config file.
You are free to set the name and email to be what ever you want on different machines and different repositories. The commits will have that information. But what branch, tree or repositories you can read or write to/from is dictated by how "dave" is restricted in the config file in the admin repo - if you use the same public/private key for ssh.
Hope this helps.
您在服务器上的一个用户下安装 gitolite;通常是
git,并且在 SSH 连接字符串中,您始终显式使用git@servername连接到 Git 用户帐户。然后,Gitolite 将查看您提供的公钥,在您的配置中找到该公钥,并将您视为关联用户。You install gitolite under one user on the server; usually
git, and in your SSH connection string, you always explicitly usegit@servernameto connect to the Git user account. Gitolite will then look at what public key you are offering, find that in your configuration, and treat you as though you are the associated user.每个人似乎都忽略了一个微妙的点,或者至少没有明确回答。
OP询问如何在两个不同的平台上使用两个不同的用户名和两个不同的(关联的)公钥来处理同一个人。
例如。 dave@platform_a.pub 和 david@platform_b.pub 都代表同一个真实的 git 用户。
添加 dave & 就很容易了。 david 作为 gitolite.conf 文件中“@known”(已知用户)行上的用户,并将两个密钥放入 keydir 中,但是无法判断这是两个单独的用户还是同一个人。
例如。 “git Blame”会将 dave 和 david 视为两个独立的用户。
除了OP的帖子之外,进一步复杂化的是,如果有几个大卫在同一个项目上工作,会发生什么?
我想有关的戴维斯必须制定一个系统(或者满足于互相指责;-)。
There's a subtle point everyone seems to be missing here, or at least not answering clearly.
The OP asked how to handle the same PERSON using two different USERNAMES and two different (associated) pub-keys on two different PLATFORMS.
Eg. dave@platform_a.pub, and david@platform_b.pub both represent the same real git user.
It'd be easy enough to add both dave & david as users on the "@known" (known users) line in the gitolite.conf file, and put both keys in the keydir, but then there's no way to tell whether that's two separate users, or the same person.
Eg. "git blame" would treat dave and david as two separate users.
Beyond the OP's post, a further complication is what happens if there ARE several Davids working on the same project?
I guess the Davids concerned would have to work out a system (or be content to blame each other ;-).
Gitolite 使用 ssh 强制命令进行身份验证。每个有权访问 gitolite 存储库的用户都在安装 gitolite 的位置登录。挂钩在 keydir 中获取新密钥并将它们添加到配置为使用强制命令的授权密钥文件中。
用户被迫使用带参数的 gitolite shell,该参数就是用户名。相关挂钩的以下部分获取文件路径并将其分配给用户,然后删除名称中带有
/的所有目录和文件。剩下的内容将成为用户名,只要它以.pub结尾,并且它将忽略.pub前面的单个@符号后缀,只要至少有一个附加字符即可。这提供了这样的功能:
目录是任意的,但出于组织目的,主机用于提供结构。您最终会得到两个
dave用户和一个david用户。我使用的配置更像是这样:
同样,目录结构并不重要。这为我提供了用户
[email protected]、jenkins、redmine、和jira。[email protected]用户有两个密钥以及 jenkins 用户。如果我有多个用户,我可能会有一个包含 steve key 目录的 users 子目录。Gitolite does authentication with ssh forced commands. Every user that has access to a gitolite repository logs in at the use that gitolite is installed under. The hooks take new keys in the keydir and add them to it's authorized keys file configured to use forced commands.
The users are forced to use gitolite shell with a paramater, and that parameter is the username. The following piece of the relevant hook takes the filepath and assigns it to user, it then strips all directories and files with a
/in the name. what is left of that will become the username as long as it ends in.puband it will disregard a single@sign preceding the.pubsuffix as long as there is at least one additional character.This provides functionality as such:
The directories are arbitrary, but for organizational purposes the hosts are used to give structure. You end up with two
daveusers and onedaviduser.I use a configuration more like this:
Again, the directory structure does not matter. This gives me the users
[email protected],jenkins,redmine, andjira. The[email protected]user has two keys as well as thejenkinsuser. If I had more than a single user I would probably have a users subdirectory containing the steve key directory.