5

When we create a repository on GitHub, we can always access it with the address "git@github.com:user/repo", but how does it work behind the scenes?

...I mean, there is only one Unix account: "git" while several users use it with different keys and different directories...

I saw in another Server Fault post (How can you do dynamic, key-based SSH similar to GitHub?) it may use the command option, but how is it secured? (How does it restrict the user to the folder he has access to?)

Also, how is it managed? Does it use only one authorized_keys-file or is there another trick?

hl037_

1 Answer

6

We're using our own Git repo, and we achieved this with multiple records in authorized_keys. The key point which is confusing you is that the git account does not have direct access to a terminal, but is using the git program. Internally, each key is recognized as a particular user, which has particular access options, and git itself is managing this. It is configurable.

  • 5
    This is how a number of "Git Hosting" products work too. A particularly easy to configure variant is [Gitolite](http://gitolite.com/) if you're interested in seeing how it works. – plasmid87 Oct 25 '14 at 11:18
  • 1
    As an example (taken from GitLab), each key in `authorized_keys` has `command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-N",`, where `key-N` is what `gitlab-shell` uses to identify the user. Then it's up to `gitlab-shell` to control access. – Bob Oct 25 '14 at 13:26
  • 1
    The main trick here is to not use Unix users and access control at all, but to implement your own user/user access control system. Then you can do whatever the hell you want. It's no different from MySQL or Apache in that regard. – Jörg W Mittag Oct 25 '14 at 17:51
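
The mechanism described in the answer and comments, as an added example (not part of the original thread, and not GitLab's or Gitolite's code): every key in `authorized_keys` is pinned to a forced command carrying a key id, and that command decides from `SSH_ORIGINAL_COMMAND` whether the key may touch the requested repository. The wrapper path, repository root, ACL table and repository names are assumptions made for illustration.

```python
import os
import shlex
import sys

# Hypothetical layout and ACL; a real host would keep these in a database.
REPO_ROOT = "/srv/git"
WRAPPER = "/usr/local/bin/git-gate"  # assumed install path of this script
ACL = {  # key id -> {repo: "r" or "rw"} (constructed sample data)
    "key-1": {"alice/site.git": "rw", "bob/tool.git": "r"},
    "key-2": {"bob/tool.git": "rw"},
}
# Git's server-side transport commands and the permission each one needs.
NEEDED = {"git-upload-pack": "r", "git-upload-archive": "r",
          "git-receive-pack": "rw"}


def authorized_keys_line(key_id, pubkey):
    """One line per user key: forced command plus 'restrict' (OpenSSH 7.2+),
    which disables PTY allocation and port, agent and X11 forwarding."""
    return f'command="{WRAPPER} {key_id}",restrict {pubkey}'


def authorize(key_id, original_command):
    """Return the argv to exec, or raise PermissionError.

    original_command is what the client asked to run; sshd runs the forced
    command instead and passes the request in SSH_ORIGINAL_COMMAND.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        raise PermissionError("unparseable command")
    if len(argv) != 2 or argv[0] not in NEEDED:
        raise PermissionError("only git transport commands are allowed")
    repo = argv[1].lstrip("/")
    parts = repo.split("/")
    # Accept only owner/name: no traversal, no option-like components.
    if len(parts) != 2 or any(
            p in ("", ".", "..") or p.startswith("-") for p in parts):
        raise PermissionError("bad repository path")
    granted = ACL.get(key_id, {}).get(repo, "")
    if not granted.startswith(NEEDED[argv[0]]):  # "rw" covers "r"
        raise PermissionError("access denied")
    return [argv[0], os.path.join(REPO_ROOT, repo)]


if __name__ == "__main__":
    cmd = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"))
    os.execvp(cmd[0], cmd)
```

Because the key id comes from the `authorized_keys` line written by the server and not from the client, the Unix permissions of the single `git` account never enter into the decision.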