Many people seem to get the following error message when trying to manipulate a remote git/gitolite repository:
fatal: 'foo' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
The problem here, which is absolutely not explained by the above error message, is likely to be that the forced command gitolite specifies with “command=…” in ~/.ssh/authorized_keys is not being used.
This can in turn be caused by two things, as far as I know:
- You are using an ssh key which appears in the authorized_keys file without gitolite’s “command=…” configuration, in which case the solution is to use a separate public/private key pair for git.
- Your SSH server has a ForceCommand directive in sshd_config (/etc/ssh/sshd_config on Debian) which overrides the “command=…” setting in authorized_keys. To solve this, that directive has to go, or an exception needs to be added for your git user with a Match clause in sshd_config.
In the latter case, there does not seem to be any sane way to retrieve the contents of the “command=…” statement. While the user-supplied command is available in the environment variable $SSH_ORIGINAL_COMMAND when ForceCommand is in use, the command supplied by authorized_keys seems nowhere to be found. Thus you need an exception for the ForceCommand directive. If you find another way to avoid this, please leave a comment below.
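A quick way to check a server for both causes, as an added example (not part of the original post and not gitolite's own code): the first function flags keys whose first authorized_keys entry has no command= option, the second lists every ForceCommand in sshd_config with the scope it applies to. The function names, key blobs, paths and the second-factor wrapper name are constructed placeholders.

```python
import re

# Key type then base64 blob; everything before the match is the options field.
KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/=]+)')

def _entries(text):
    """Yield (line_no, stripped_line), skipping blank lines and comments."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith('#'):
            yield no, line.strip()

def keys_without_forced_command(authorized_keys):
    """(line_no, blob) for keys whose FIRST entry lacks command=. sshd uses the
    first line matching the offered key, so a later command= line is ignored."""
    seen, hits = set(), []
    for no, line in _entries(authorized_keys):
        m = KEY_RE.search(line)
        if not m or m.group(2) in seen:
            continue
        seen.add(m.group(2))
        if not re.search(r'(?:^|,)command="', line[:m.start()], re.I):
            hits.append((no, m.group(2)))
    return hits

def forcecommand_scopes(sshd_config):
    """(scope, command) per ForceCommand; scope is 'global' or the Match line
    it sits under (a Match block runs to the next Match or end of file)."""
    scope, found = 'global', []
    for _, line in _entries(sshd_config):
        keyword, arg = (re.split(r'[\s=]+', line, maxsplit=1) + [''])[:2]
        if keyword.lower() == 'match':
            scope = 'Match ' + arg
        elif keyword.lower() == 'forcecommand':
            found.append((scope, arg))
    return found

# Constructed sample data: key blobs, paths and the wrapper name are placeholders.
SAMPLE_KEYS = '''\
ssh-rsa AAAAB3NzaC1yc2EAAAAexampleALICE alice@laptop
command="/path/to/gitolite-shell alice",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAexampleALICE alice@laptop
command="/path/to/gitolite-shell bob",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5exampleBOB bob@desk
'''
SAMPLE_SSHD = 'ForceCommand /usr/local/bin/second-factor\nMatch User admin\n    X11Forwarding no\n'

if __name__ == '__main__':
    for no, blob in keys_without_forced_command(SAMPLE_KEYS):
        print(f'authorized_keys line {no}: key {blob[:12]}... is first listed without command=')
    for scope, cmd in forcecommand_scopes(SAMPLE_SSHD):
        print(f'sshd_config [{scope}]: ForceCommand {cmd}')
```

A ForceCommand reported with scope global applies to the git user as well; one reported under a Match line applies only to connections that match its criteria.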
3 Comments
Just one of the users’ id_rsa.pub can NOT be added to authorized_keys by gitolite.
Do you know why?
Thanks.
That’s kind of hard without having the authorized_keys file. By saying it “can NOT be added”, I assume you are actually able to paste the text into the file and save it. Thus I also assume your problem is that the file gets somehow malformed and no longer works after appending the key? If the key in question is not used in many places, just have the user generate a new one.
I had this issue running two-factor with Duo Security. That uses a ForceCommand in the sshd file that made the otherwise simple Gitolite install into 4 hours of screwing around. Your post was the thing that saved me. Thanks.
Note that my OpenSSH does not support the Match conditions you mentioned, so it may be hard for some folks on older versions to do a conditional ForceCommand and not break Gitolite SSH auth.
Thanks,
Jim