Anish

Reputation: 1508

How does gitolite map a remote user to a repository user?


How does gitolite map a remote user accessing git via gitolite to a gitolite user (repo user)? Is this from the public key file name in keydir? Is it mandatory to name the public-key file username.pub? Thanks.

Upvotes: 2

Views: 927

Answers (1)

VonC

Reputation: 1326994

It is the name of the public key registered in the gitolite-admin repo which is used as a parameter in the ~git/.ssh/authorized_keys file (generated by gitolite when it detects new users on a push of the gitolite-admin repo).

That ~git/.ssh/authorized_keys file will call gitolite-shell on each ssh call, if said call is made with a user public ssh key registered in that file.
That call to gitolite-shell is made with the username as a parameter.

See "how gitolite uses ssh" for more:

Restricting users to specific commands is very important for gitolite.
If you read man sshd and look for authorized_keys file format, you'll see a lot of options you can add to the public key line, which restrict the incoming user in various ways.
In particular, note the command= option, which means "regardless of what the incoming user is asking to do, forcibly run this command instead".

Also note that when there are many public keys (i.e., lines) in the authorized_keys file, each line can have a different set of options and command= values.

Without this command= option, the ssh daemon will simply give you a shell, which is not what we want for our gitolite keys (although we may well have other keys which we use to get a shell).

Note: that command= mechanism is an ssh forced-command.

forced command in ssh

This is the backbone of what makes gitolite work; please make sure you understand this.

If you look in the authorized_keys file, you'll see entries like this (I chopped off the ends of course; they're pretty long lines):

command="[path]/gitolite-shell sitaram",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA18S2t...
command="[path]/gitolite-shell usertwo",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArXtCT...

First, it finds out which of the public keys in this file match the incoming login.
Once the match has been found, it will run the command given on that line; e.g., if I logged in, it would run [path]/gitolite-shell sitaram.
So the first thing to note is that such users do not get "shell access", which is good!

Before running the command, however, sshd sets up an environment variable called SSH_ORIGINAL_COMMAND which contains the actual git command that your workstation sent out.
This is the command that would have run if you did not have the command= part in the authorized_keys file.

When gitolite-shell gets control, it looks at the first argument ("sitaram", "usertwo", etc) to determine who you are. It then looks at the SSH_ORIGINAL_COMMAND variable to find out which repository you want to access, and whether you're reading or writing.

Upvotes: 2
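A worked illustration of the mapping the answer describes, added here as an example; it is not gitolite's own code. It derives a user name from a keydir file name using gitolite's documented naming convention (username.pub, or username@label.pub for a user with several keys), emits the forced-command authorized_keys line for each key, and then does what gitolite-shell does at the start of a connection: take the user name from its argument and the repository and access type from SSH_ORIGINAL_COMMAND. The keydir contents, the key material and the /home/git/bin/gitolite-shell path are constructed for the example, and the user-name rule is a simplification of the one in the gitolite docs.

```python
import re
import shlex
from typing import Optional

# sshd authorized_keys options gitolite sets beside the forced command: they stop
# the key from being used for tunnels, X11, agent forwarding or a tty.
RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

# Assumed install path; the real one depends on how gitolite was installed.
GITOLITE_SHELL = "/home/git/bin/gitolite-shell"

# Constructed keydir (file name -> contents of the .pub file). The key data is
# fake and only shaped like an OpenSSH public key.
KEYDIR = {
    "sitaram.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOneForIllustration sitaram@desktop",
    "sitaram@laptop.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyTwoForIllustration sitaram@laptop",
    "usertwo.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyThreeForIllustration usertwo",
}

# git sends one of these verbs over ssh; the map gives the access type to check.
GIT_VERBS = {"git-upload-pack": "R", "git-upload-archive": "R", "git-receive-pack": "W"}
REPO_NAME = re.compile(r"^[\w][\w.\-/]*$")


def user_from_keyfile(filename: str) -> str:
    """Map a keydir file name to a gitolite user name.

    gitolite's documented convention: 'sitaram.pub' is user sitaram, and a user
    with several keys has 'sitaram@laptop.pub', 'sitaram@work.pub'. A suffix that
    contains a dot is an e-mail domain rather than a key label, so
    'sitaram@example.com.pub' is user sitaram@example.com. (Simplified rule.)
    """
    if not filename.endswith(".pub"):
        raise ValueError(f"not a public key file: {filename}")
    name = filename[:-4]
    if "@" in name:
        user, _, suffix = name.rpartition("@")
        if "." not in suffix:
            return user
    return name


def authorized_keys_line(user: str, pubkey_text: str) -> str:
    """One authorized_keys line: forced command carrying the user name, the
    restriction options, then the key (its comment replaced by the user name)."""
    fields = pubkey_text.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError(f"malformed public key for {user}")
    keytype, keydata = fields[0], fields[1]
    return f'command="{GITOLITE_SHELL} {user}",{RESTRICTIONS} {keytype} {keydata} {user}'


def build_authorized_keys(keydir: dict) -> str:
    """What the push of gitolite-admin regenerates for the whole keydir."""
    lines = [authorized_keys_line(user_from_keyfile(f), keydir[f]) for f in sorted(keydir)]
    return "\n".join(lines) + "\n"


def gitolite_shell_entry(user: str, ssh_original_command: Optional[str]):
    """Mimic the first thing gitolite-shell does: who (its argument) and what
    (SSH_ORIGINAL_COMMAND). Returns (user, repo, access) with access 'R', 'W',
    or 'info' for a bare 'ssh git@host' that sends no command at all."""
    if not ssh_original_command:
        return (user, None, "info")
    argv = shlex.split(ssh_original_command)
    # Exactly "<git verb> '<repo>'"; anything else (a shell, a chained command)
    # is refused rather than executed.
    if len(argv) != 2 or argv[0] not in GIT_VERBS:
        raise PermissionError(f"{user}: command not allowed: {ssh_original_command!r}")
    repo = argv[1].lstrip("/")  # ssh://git@host/repo style URLs send a leading slash
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not REPO_NAME.match(repo) or ".." in repo.split("/"):
        raise PermissionError(f"{user}: bad repo name: {argv[1]!r}")
    return (user, repo, GIT_VERBS[argv[0]])


if __name__ == "__main__":
    print(build_authorized_keys(KEYDIR))
    print(gitolite_shell_entry("sitaram", "git-upload-pack 'testing.git'"))
    print(gitolite_shell_entry("usertwo", "git-receive-pack '/gitolite-admin.git'"))
```

The strict parse of SSH_ORIGINAL_COMMAND is the part worth copying: with the forced command in place, that string is never handed to a login shell, so a client sending `git-upload-pack 'a.git'; rm -rf /` or plain `bash` is rejected by the forced command instead of being executed with the git account's privileges.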
