I have a `www-data` running with php which is controlling a git server.
The `www-data` user creates Unix users (having given it `sudo adduser`), and those users are supposed to control their own private git directory, where each user can house his/her repositories.
I've followed this guide at least ten times, in addition to which, I'm also following this guide in order to create the git server.
- Apache adds a Unix user `bar`, with a home in `/var/www/git/bar`, and the user has no password (`--disable-password`).
- The user `bar` is part of group `gitusers`, which allows `+rwx` to the group members, and has his shell set to `/usr/bin/git-shell`.
- This is done so that `www-data` can access his home directory and populate it with repositories and ssh keys.
- The skeleton home directory is also populated with `git-shell-commands`, and the user `www-data` creates a `/var/www/git/bar/.ssh/authorized_keys` where it appends my test user's `foo` public key.
When `www-data` adds a new user and then a new repository it does:
```
sudo adduser --disabled-password \
    --home /var/www/git/bar \
    --conf /var/www/conf/adduser.conf \
    --ingroup gitusers \
    bar
```
The above ^^ is done via php.
The `.ssh` and `authorized_keys` are owned by `www-data`.
Then `www-data` proceeds to create a new directory and initialize it:
```
mkdir /var/www/git/bar/test.git
cd /var/www/git/bar/test.git
git --bare init
```
My test user `foo` can read it from ssh (it just clones an empty repository).
Once I try to push an initial commit:
```
git clone ssh://foo@localhost:/var/www/git/bar/test.git
cd test
touch readme
vim readme
git add .
git commit -m "init"
git push origin master
foo@127.0.0.1's password:
Counting objects: 6, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (6/6), 411 bytes | 0 bytes/s, done.
Total 6 (delta 0), reused 0 (delta 0)
remote: error: insufficient permission for adding an object to repository database ./objects
remote: fatal: failed to write object
error: unpack failed: unpack-objects abnormal exit
To ssh://foo@localhost:/var/www/git/bar/random.git
! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'ssh://foo@localhost:/var/www/git/bar/random.git'
```
I am asked for `foo` user's password (which is the user with the public key).
This is NOT the Unix user who owns the home directory, that is user `bar` who has a disabled password.
- Why am I being asked for an ssh password? Shouldn't the ssh key take care of that?
- If I create a `bar` with a password, then I can use that git repository, replacing `foo@localhost:/var/www/git/bar` with `bar@localhost:/var/www/git/bar`.
- When I don't use `ssh://` at all, I am still able to `clone` but get the same error when pushing as `foo` but not as `bar`, provided I enable the password.
What am I doing wrong?
Is it because the permissions of `.ssh` and `authorized_keys` are too open or not owned by `bar`?
Even when I go (as sudo) into the `bar` homedir and make everything owned by him, I still get the same error.
Finally, I have set my `.ssh/config` for test user `foo` so that:
```
Host localhost
    Hostname 127.0.0.1
    IdentityFile ~/.ssh/foo
    User foo
```
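
An added example, not part of the original post: a Python check of the two conditions the question raises, namely whether a login account's home, `.ssh` and `authorized_keys` pass the ownership and mode test that sshd applies when `StrictModes` is on, and whether the pushing Unix user can write the repository's `objects` directory. The function names and the command-line arguments are assumptions of this example.

```python
import os
import stat

def strictmodes_findings(home, uid):
    """Apply sshd's StrictModes rule to home, .ssh and authorized_keys:
    each must be owned by the account (or root) and not group/world-writable."""
    findings = []
    for rel in ("", ".ssh", ".ssh/authorized_keys"):
        path = os.path.join(home, rel) if rel else home
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if st.st_uid not in (0, uid):
            findings.append((path, "bad owner uid %d" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "group/world-writable (%o)" % mode))
    return findings

def can_write_dir(path, uid, gids):
    """True if the mode bits let (uid, gids) create files in path (ACLs ignored)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & bits) == bits

if __name__ == "__main__":
    import pwd
    import sys
    # Hypothetical invocation: audit.py <login-account> <pushing-user> <repo.git>
    account, pusher, repo = sys.argv[1:4]
    acct, push = pwd.getpwnam(account), pwd.getpwnam(pusher)
    for path, why in strictmodes_findings(acct.pw_dir, acct.pw_uid):
        print("sshd refuses key auth:", path, why)
    gids = set(os.getgrouplist(pusher, push.pw_gid))
    objects = os.path.join(repo, "objects")
    if not can_write_dir(objects, push.pw_uid, gids):
        print("push will fail:", pusher, "cannot write", objects)
```

sshd looks up `authorized_keys` in the home of the account named in the SSH URL, so the first argument is the user before the `@`, not necessarily the owner of the repository directory.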