This is a small thing: some users don’t seem to be recognised when they’re added to gitolite.conf, despite the keys being added to keydir/ and everything being triple-checked.

One thing to check is the contents of the server’s ~/.ssh/authorized_keys, which is autogenerated by gitolite in a post-update hook.

For most users’ public keys, the username@machine.domain is spelled out in both the filename and inside the key. However, if there’s no . in the machine-domain part, the username becomes simply username when ~/.ssh/authorized_keys is built.

Most machines will default to username@localhost.localdomain if nothing better is suggested. However, Macs apparently do not. And some people also deliberately choose short usernames/hostnames. I was hit by both issues last weekend at a hackathon, which cost us a fair bit of time and head-scratching.

Unfortunately, this seems to be by design:

sub optionise {
  my $f = shift;

  my $user = $f;
  $user =~ s(.*/)();                # foo/bar/baz.pub -> baz.pub
  $user =~ s/(\@[^.]+)?\.pub$//;    # baz.pub, baz@home.pub -> baz  ###HERE###

  my @line = slurp($f);
  if ( @line != 1 ) {
    _warn "$f does not contain exactly 1 line; ignoring";
    return '';
  }
  chomp(@line);
  return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
}

The solution is either to fix up ~/.ssh/authorized_keys to use the complete username@machine name (which will have to be done repeatedly), or (better, though trickier, since there may be user-name overlap, or stupid-short usernames like ‘m’) just to refer to these users by username only in gitolite.conf.
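
To see in advance which names gitolite.conf has to use, and where the user-name overlap mentioned above actually occurs, the two substitutions from optionise() can be run over a keydir listing. This is an added example, not part of the original post or of gitolite: the regexes are ported from the Perl excerpt, while the function names and the sample filenames are made up for illustration.

```python
import re
from collections import defaultdict

def gitolite_user(path):
    """Python port of the two s/// substitutions in the optionise() excerpt."""
    name = re.sub(r'.*/', '', path, count=1)              # foo/bar/baz.pub -> baz.pub
    # '@host' is dropped only when the host part contains no dot
    return re.sub(r'(@[^.]+)?\.pub$', '', name, count=1)

def audit_keydir(paths):
    """Return (renamed, collisions) for a list of key file paths.

    renamed:    {path: user} for files whose '@host' part gets stripped
    collisions: {user: [paths]} where several key files map to one user
    """
    by_user = defaultdict(list)
    renamed = {}
    for path in paths:
        user = gitolite_user(path)
        by_user[user].append(path)
        stem = re.sub(r'.*/', '', path, count=1)
        if stem.endswith('.pub'):
            stem = stem[:-4]
        if user != stem:
            renamed[path] = user
    collisions = {u: sorted(p) for u, p in by_user.items() if len(p) > 1}
    return renamed, collisions

# Constructed sample listing (hypothetical users and hosts)
SAMPLE = [
    "keydir/alice@laptop.example.com.pub",  # dotted host: full name is kept
    "keydir/bob@macbook.pub",               # dotless host: becomes 'bob'
    "keydir/m@air.pub",                     # two files that both
    "keydir/m@imac.pub",                    # collapse to the user 'm'
    "keydir/carol.pub",
]

if __name__ == "__main__":
    renamed, collisions = audit_keydir(SAMPLE)
    for path, user in renamed.items():
        print(f"{path}: refer to this user as '{user}' in gitolite.conf")
    for user, files in collisions.items():
        print(f"'{user}' is shared by: {', '.join(files)}")
```

Any name reported as shared deserves a manual look: every key file listed under it is granted the same access in gitolite.conf, which is only correct if those keys belong to the same person.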



Martin Andrews

{Finance, Software, AI} entrepreneur, living in Singapore with my family.


