search for: gitolit

Hi everyone, we are suddenly having a problem with executing our backup jobs. For a long time, we have used a shell script which contains the following code to backup all our virtual machines: for domain in Testserver Faktura Fileserver Gitolite Jenkins Nexus SimpleHelp VpnGateway Wiki; do echo -n "$(date +"%Y-%m-%d %H:%M:%S") starting backup for vm ${domain} ... " >> ${vmlog} virsh dumpxml --security-info ${domain} > ${vmdir}/${domain}.xml virsh undefine $...

...ost. Everything works except ethernet. When I boot the host, --- # dmesg |tail [ 8.265493] Bridge firewalling registered [ 8.514547] IPv6: ADDRCONF(NETDEV_UP): virbr0: link is not ready [ 8.645303] ip6_tables: (C) 2000-2006 Netfilter Core Team --- Then I do --- # virsh -c lxc:/// start gitolite Domain gitolite started # dmesg |tail [ 348.793398] device veth0 entered promiscuous mode [ 348.793553] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 348.997973] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 348.997998] virbr0: topology change detected, propagating [ 348...

When using client certificate authentication, is there any way to extract the key ID from the certificate in a force command on the server? I would like to be able to configure Gitolite [1] with a certificate authority key and then use the key ID as the Gitolite user ID when a client connects. Currently I can achieve the same effect by embedding the username in a "force-command" certificate extension, but it seems like it would be simpler if I could just configure the...

Hi all, Apologies if this has been dealt with before, but I haven''t managed to find an answer yet. I have a working "dynamic environments" setup: * A gitolite repository (on a dedicated host) with multiple branches - one for each environment. * I use r10k ro deploy the environments on the master to $confdir/environments/$::environment. This all works *really* well, but I would also like to get the rest of the puppet configuration under version contr...

...efault, one would assume that it is only enabled on a case-by-case basis for users or groups who already have the necessary privileges to run arbitrary code on the server and therefore have nothing to gain from exploiting this bug. With X11Forwarding on by default, it might remain enabled for e.g. gitolite users. DES -- Dag-Erling Sm?rgrav - des at des.no

I want to login in remote server, git server, with two accounts (mars and gitolite) without password. e.g. (steps) 1. ssh-keygen? # no password 2. scp .ssh/id_rsa.pub gitolite at gitserver:/tmp/ 3. ssh gitolite at gitserve 4. cat /tmp/id_rsa.pub >> .ssh/authorized_keys 5. exit Then, do : ssh gitolite at gitserver ls But error message occurs:? Permission denied (publi...

...think it may also be generally useful, which is why I filed it as a separate enhancement request. It would be nice if sshd could "redirect" a connection to user foo to another local user bar, consider roughly the following sshd_config: Match User foo User bar Let me bring again my git/gitolite use case as an example where this could be helpful for vhosting: Match User git LocalAddress 11.22.33.44 User git-a Match User git LocalAddress 11.22.33.55 User git-b So one would have e.g. two domains, pointing to different IPs, which however both go to the same physical host (and thus sshd)...

Hi guys, It might be nice if AuthorizedKeysCommand would receive the fingerprint of the offered key as an argument, so that programs like gitolite could implement more refined key-based identity lookup that offers better performance than AuthorizedKeysFile's linear scan. The following patch is untested but is the basic idea: diff -ru openssh-6.2p1/auth2-pubkey.c openssh-6.2p1-modified/auth2-pubkey.c --- openssh-6.2p1/auth2-pubkey.c 201...

Hey, I use gitolite for git hosting on my server, and because I want to use kerberos authentication I patched OpenSSH to put the name of the kerberos principal name or the ssh fingerprint as environment variables so my ForceCommand script can use them to actually authorize the user by the principal/fingerprint....

...W Severity: enhancement Priority: P5 Component: Kerberos support Assignee: unassigned-bugs at mindrot.org Reporter: enrico.scholz at sigma-chemnitz.de It would be nice to have information which principal was used for log in via .k5login. E.g. 'gitolite' uses by default ssh public keys (where real identity can be easily recorded by environment/commands in ~/.ssh/authorized_keys) and it will be trivial to implement a similar mechanism for kerberos auth, when original principal is exported somehow. A patch is available at http://geggus.net/sv...

...h-lookup-key-git Relevant server debug output: debug3: subprocess: AuthorizedKeysCommand command "/usr/local/sbin/ssh-lookup-key-git git" running as sshkeys debug3: subprocess: AuthorizedKeysCommand pid 86183 debug2: user_key_allowed: check options: 'command="/usr/local/git/bin/gitolite-shell tom at torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBALtPYyEOw+gvvWvW45iTR7SAkdH8FIML+4SBFPeXBp4ntT0JaRrkaTwm2C2PkZUaOShvFHCcTc7muNBMB/qmLYuWAcbCeKoxv08RMruGheGp6BB/9sByGjPfHssYNk4qxCqHTL6ZRjPRgApV5qz+OP8cTNlT0YXi2WA5Ubact4DhAA...

...f84523e666 sp 00007fff2cc1d908 error 4 in libc-2.19.so[7f845236a000+19f000] [537088.405962] traps: sshd[27582] general protection ip:7f349cde6664 sp:7fffaf183ee8 error:0 in libc-2.19.so[7f349cd6a000+19f000] What I do is basically the following: Having sshd running (my sshd_config is attached), and gitolite3 (from sid) installed. Gitolite (which I use with the "git" username) in turn has entries like these: command="/usr/share/gitolite3/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 ... in its authorized_key files Then I repeat...

...po is set up, nothing that's up for decision right now. > The main reason to move to GitHub/Lab is one of cost: storage, > bandwidth and uptime, not one of tools. For that, public git hosting services are a no-brainer. You need to look at permissions because you can't simply set up gitolite, you have to live with whatever the service offers. > Even if we end up using the > GitHub interface in the future, I think we should consider a less > radical move first. The opportunities will be there from day one. Whether they are being used, or useful, is something to explore. &g...

...I was wondering if you had some technical issues with git not being suitable. It seems there isn't anything particularly broken, that some hooks can't fix. > For that, public git hosting services are a no-brainer. > You need to look at permissions because you can't simply set up gitolite, > you have to live with whatever the service offers. That's a small cost, I'd say. And we can always move providers later on, which is a lot simpler with git than SVN. > The GitHub "flow" isn't the right one for every project, so the tooling does > matter. As a...

This is a good suggestion - and maybe I'm not totally clear on the restrictions... So - in these situations gitolite will actually append things to your authorized_keys file. Which can get very long. And after a while - it gets *very* long. I think I saw comments that it should be limited to about 20k or so. And around 20k the look up times are in the seconds. So that wouldn't be enough for me. I have anot...

I guess I didn't want to litter the users table either - it just seems "wrong" to be actually adding things to the host when it is really so transient. It feels like it should be LDAP-ish. Just ask the server for the keys and do a one-off authentication. But I've seen even LDAP creates the user directories. I see that 2.6 kernels can have some 4B users, which should last me a

...h write access to completely wipe out the repo. This depends very much on repo configuration. For git itself, write access is roughly equivalent to svn administrator access. However, all public-writable repos have an authorization layer that prevents history from ever being wiped. Take a look at gitolite, that's the standard tool for managing such a layer. > If anyone with more git experience than me can come up with a safe way > to have 100s of committers pushing to master, I'd be happy to know. Nobody is allowing 100s of committers to push to master, that would be silly. You pu...

Nico Kadel-Garcia <nkadel at gmail.com> writes: > I'm just trying to figure out under what normal circumstances a > connection with X11 forwarding enabled wouldn't be owned by a user who > already has normal system privileges for ssh, sftp, and scp access. Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have X11Forwarding enabled by default. DES --

...;m running a Centos server on machine B. I'd like to "publish" the project on machine B (mainly for my own use, so I can access it from various sites). I've asked about this on a Git mailing list, but haven't understood the replies. In particular, a couple of people suggested gitolite, but when I examined this I couldn't make out what it did. As will be obvious I am a Git newbie, having been reared on SVN. But I thought some CentOS users might have met this problem and come to a simple solution. -- Timothy Murphy e-mail: gayleard /at/ eircom.net tel: +353-86-2336090, +...

Hi, AFAICT, there is no .ssh/config option for disabling pseudo-tty allocation. It would be nice to have one. Context: we're using gitolite in our project, and it sets things up to run a command with "no-pty". Every once in a while, users will try to ssh to the machine to see that things are working, and when they see the "PTY allocation request failed on channel 0" warning, they assume that something is broken....