Git user with ssh keys

Pushing changes to a git repository requires an ssh connection to the server. The default behavior is to push with a normal Unix account using a username and password. In some cases it is necessary to push without entering a password. For this purpose ssh can authenticate with an ssh key pair consisting of a public and a private key. With this solution scripts can automatically push git repositories to other servers.

Creating git user

The first step is to create the Unix user git on the server. Some special parameters are required to enhance the security of the password-free user. The parameter --disabled-login disallows logging in via ssh with the specified user. The --shell option sets the allowed shell to the restricted git-shell. The git-shell comes with the [[Git installation]] and executes only git commands.

server# adduser --shell /usr/bin/git-shell --disabled-login --home /home/git --disabled-password git

Generate ssh key pair

The second step is to generate the ssh key pair on the client for the ssh authentication. The command must be executed as the user who should be able to push to the repository on the server. The public key will be added to the server that holds the git repository. The OpenSSH command ssh-keygen generates the private and the public key using one of several algorithms (for example RSA). The parameter -b 4096 specifies the number of bits for the key (default 2048). The option -t rsa selects the RSA algorithm, while -P "" sets an empty passphrase. The empty passphrase removes the need to enter a passphrase while pushing. The option -f /home/CLIENT_USER/.ssh/id_rsa specifies the file name and path of the key file.

client# ssh-keygen -b 4096 -t rsa -f /home/CLIENT_USER/.ssh/id_rsa -P ""

The ssh-keygen will output something like the following:

Generating public/private rsa key pair.
Your identification has been saved in /home/CLIENT_USER/.ssh/id_rsa.
Your public key has been saved in /home/CLIENT_USER/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx CLIENT_USER@client

Adding the public key to server

The last step is to copy the public key to the server and add it to the authorized keys. The following command copies the public key from /home/CLIENT_USER/.ssh/id_rsa.pub to /home/git/ on the server ssh_host.domain.com as the valid user VALID_SERVER_USER:

client# scp /home/CLIENT_USER/.ssh/id_rsa.pub VALID_SERVER_USER@ssh_host.domain.com:/home/git/

On the server the public key will be added to the authorized keys of the user git. First prepare the .ssh directory and the authorized_keys file. This is only necessary once, when the git user is created.

server# mkdir /home/git/.ssh
server# touch /home/git/.ssh/authorized_keys
server# chown -R git:git /home/git/.ssh

The following command appends the content of the public key id_rsa.pub into the file authorized_keys.

server# cat /home/git/id_rsa.pub >> /home/git/.ssh/authorized_keys

Now the user on the client can authenticate on the server as the user git using the ssh key pair. The last step is to change the owner of the git repositories with the chown command:

server# chown -R git:git /home/git/PROJECT.git/
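
The append step above copies whatever the client sent into authorized_keys. As an added example (not part of the original page), the function below checks that the file holds exactly one key line with no options of its own, skips keys that are already present, and stores the key with the restrict option. The function name add_git_key and its return codes are assumptions; restrict requires OpenSSH 7.2 or later on the server.

```shell
#!/bin/sh
# Added example, not from the original page. add_git_key is a hypothetical
# helper; "restrict" assumes OpenSSH 7.2 or later on the server.

# add_git_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# returns 0 = key added, 1 = file rejected, 2 = key already present
add_git_key() {
    pub=$1
    auth=$2

    # Exactly one line: a second line could carry an extra, unreviewed key.
    [ -f "$pub" ] || return 1
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 1

    # The line must START with a key type, so the file cannot bring its own
    # options (for example command="...") in front of the key. Every SSH
    # public key blob begins with AAAA (base64 of the leading length bytes).
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/]+=*( .*)?$' "$pub" || return 1

    # Field 2 is the base64 key blob; it identifies the key for duplicates.
    blob=$(cut -d ' ' -f 2 "$pub")

    # Modes sshd accepts with StrictModes: 700 on .ssh, 600 on the file.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if any existing entry has the same blob.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                         END { exit !found }' "$auth"; then
        return 2
    fi

    # "restrict" turns off port, agent and X11 forwarding and pty allocation;
    # git-shell still serves git push and git fetch.
    printf 'restrict %s\n' "$(cat "$pub")" >> "$auth"
}
```

Run it as root on the server, for example `add_git_key /home/git/id_rsa.pub /home/git/.ssh/authorized_keys`, then apply the `chown -R git:git /home/git/.ssh` step from the page.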

Short version

  1. Add user git on Server:

    server# adduser --shell /usr/bin/git-shell --disabled-login --home /home/git --disabled-password git

  2. Create a bare repo on the Server:

    server# mkdir -p /home/git/PROJECT.git/
    server# cd /home/git/PROJECT.git/
    server# git init --bare --shared=group
    server# chown -R git:git /home/git/PROJECT.git/

  3. Create a ssh key on the Client:

    client# ssh-keygen -b 4096 -t rsa -f /home/CLIENT_USER/.ssh/id_rsa -P ""

  4. Copy the public key from the Client to the Server:

    client# scp /home/CLIENT_USER/.ssh/id_rsa.pub VALID_SERVER_USER@ssh_host.domain.com:/home/git/

  5. Append the public key to the authorized keys on the Server:

    server# mkdir /home/git/.ssh
    server# touch /home/git/.ssh/authorized_keys
    server# chown -R git:git /home/git/.ssh
    server# cat /home/git/id_rsa.pub >> /home/git/.ssh/authorized_keys
