
I'm having trouble setting up IP restrictions with Gitolite. It may be something simple and this is my first time using it (I'm finally switching from Gitosis because it can't do what I need it to)

Basically my client sites each have a git repo. I push to that repo and the post-receive hook pushes out to her live site or dev depending on where I push to. Anyway, the thing is that a client wants access to the files on her site, and I'm okay with that, but because she'll have access to her SSH key for her repo in ~/.ssh, she'll have direct access to the repo which I don't want to allow from outside of the web server.

This is the relevant part of my config:

repo    example.com
        R VREF/FROM/127.0.0.1 = user

This would work except Gitolite is generating a bad authorized_keys file:

command="/usr/share/gitolite/gl-auth-command user",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ,from="127.0.0.1" ssh-rsa...

The issue is the space after no-pty. Remove the space and it works fine. Keep the space and the key is ignored.

Any ideas of how to set this up properly would be appreciated! I really don't want to run a sed on the authorized_keys file every time I change something unless there's no other way...

Thanks!

  • What gitolite version are you using? I don't see how a VREF would add anything to authorized key, as shown in http://gitolite.com/gitolite/cookbook.html#example-2-restricting-by-source-ip-address – VonC Jul 13 '14 at 03:57
  • Version 2.3.1. Also, you're right. Argh. I forgot I threw the IPs into my keys in an attempt to make it work with Gitosis. Well, that's embarrassing. – Chelsea Urquhart Jul 13 '14 at 04:04

2 Answers


The gitolite cookbook "example 2: restricting by source IP address" shows that this VREF doesn't add anything to authorized_keys.

And VREFs are better defined in gitolite V3 (instead of the virtual refs in gitolite V2).

VonC
  • Can you add code for an actual example? It seems VREFs are only called on write not read. – user1133275 Jun 09 '17 at 18:24
  • @user1133275 I don't have more than http://gitolite.com/gitolite/cookbook/index.html#example-2-restricting-by-source-ip-address. You can control the access with http://gitolite.com/gitolite/cookbook/index.html#access – VonC Jun 09 '17 at 20:33
  • That's a ... misleading example, but I figured it out anyway; see my answer below. – user1133275 Jun 10 '17 at 02:11

Solution:

1. Make triggers/ip-limit containing

#!/bin/bash

#
# ip-limit
#

UnrestrictedUserName=Me
PermittedIP=127.0.0.1

if [ "$GL_USER" == "$UnrestrictedUserName" ] ; then
    exit 0;
fi
IP=$(echo $SSH_CLIENT | perl -pe 's/ .*//g');
if [ "$IP" != "$PermittedIP" ] ; then
    echo "You ($GL_USER) are not permitted from the IP ($IP)" >&2
    exit 1;
fi
exit 0

2. Instruct gitolite to use it:

# executable, but not world-writable: gitolite runs this script on every access
chmod 0755 triggers/ip-limit
cp .gitolite.rc .gitolite.rc.original
perl -pi -e 's/(^.*ENABLE)/    PRE_GIT => ['\''ip-limit'\''],\n$1/g' .gitolite.rc

Notes:

  • VREF is only called on push so it can't be used to restrict fetch etc.
  • GL_REPO may also be of use to some.
user1133275
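The trigger above hard-codes one unrestricted user and one permitted address. The script below is an added example (not code from the answer or from the gitolite project) that generalizes the same PRE_GIT idea: rules are per user and per repo (using GL_USER and GL_REPO, which gitolite exports to triggers), each rule is an exact address or an IPv4 CIDR block, and a user who has a rule for the repo but arrives with no SSH_CLIENT is refused rather than let through. The policy table IP_POLICY, the rule format and the user and repo names in it are constructed for this example; in a deployment the table would live in a file only the gitolite admin can write (an assumption on my side). Install it as triggers/ip-limit with mode 0755 and enable it through PRE_GIT in .gitolite.rc exactly as in the answer.

```shell
#!/bin/sh
# ip-limit: per-user, per-repo source-IP policy for a gitolite PRE_GIT trigger.
# Example code, not part of the original answer or of gitolite itself.

# Constructed policy: "user repo address-or-cidr", one rule per line, "*" = any repo.
# A user with at least one rule for the repo must match one of them; a user
# with no rule for the repo is not restricted by this trigger (the gitolite
# conf still decides what they may do).
IP_POLICY='
# user   repo          source
alice    example.com   203.0.113.7
alice    example.com   127.0.0.1
bob      *             198.51.100.0/24
'

# ip4_to_int A.B.C.D -> prints the 32-bit value; fails on anything that is not
# a dotted quad (wrong field count, non-digits, leading zeros, octet > 255).
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_cidr IP NET/BITS -> 0 if IP lies inside the block (a bare NET means /32).
ip4_in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip4_to_int "$1")   || return 1
    net_n=$(ip4_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# check_ip_access USER REPO SSH_CLIENT -> 0 allow, 1 deny.
# SSH_CLIENT is "ip port port" as set by sshd; an empty value means the source
# is unknown, which never satisfies a rule.
check_ip_access() {
    user=$1; repo=$2; ip=${3%% *}
    has_rule=0
    while read -r ruser rrepo rsrc; do
        [ -n "$ruser" ] || continue
        case $ruser in '#'*) continue ;; esac
        [ "$ruser" = "$user" ] || continue
        [ "$rrepo" = '*' ] || [ "$rrepo" = "$repo" ] || continue
        has_rule=1
        [ -n "$ip" ] || continue
        # exact match first (covers IPv6 and plain addresses), then IPv4 CIDR
        if [ "$ip" = "$rsrc" ] || ip4_in_cidr "$ip" "$rsrc"; then
            return 0
        fi
    done <<EOF
$IP_POLICY
EOF
    [ "$has_rule" -eq 0 ]
}

# Trigger entry point: gitolite exports GL_USER and GL_REPO before PRE_GIT runs.
# Guarded so the file can also be sourced to exercise the functions.
if [ -n "${GL_USER:-}" ] && [ -n "${GL_REPO:-}" ]; then
    if check_ip_access "$GL_USER" "$GL_REPO" "${SSH_CLIENT:-}"; then
        exit 0
    fi
    echo "You ($GL_USER) are not permitted to access $GL_REPO from '${SSH_CLIENT%% *}'" >&2
    exit 1
fi
```

Because PRE_GIT runs for both fetch and push, this restricts reads as well as writes, which is what a VREF cannot do. The denial message goes to stderr, where the git client shows it, and the gitolite log records the refused access.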