Gitolite SSH Setup

Last modified by zhang zhen on 2021/07/15 04:24

Note that this is only required for performing a git push directly to (some projects push to via a service account). If you only need to perform read-only operations, you should use HTTP-based access to repositories (both public and private).

Create SSH key on Linux

SSH keys offer a highly secure way of logging into a server and are best practice for authentication, allowing more security than a simple password.  Again, this is only needed if you require write access.

  • To create a key pair, run ssh-keygen with the -t option. The -t option specifies which crypto system you want the key to use. The valid options are "rsa" and "dsa". In this example, we have elected to use RSA authentication with keys that are 2048 bits or greater:

      $ ssh-keygen -t rsa -b 2048
      Generating public/private rsa key pair

  • Next you will be prompted for a passphrase, which is used to encrypt the private key. After you enter the passphrase you will be asked to verify it.

      Enter file in which to save the key (/home/sshuser/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase): **********************
      Enter same passphrase again: **********************

  • If the two passphrases do not match, you will be given an error message and asked to enter the passphrases in again, as shown below.

      Passphrases do not match. Try again.
      Enter passphrase (empty for no passphrase): **********************
      Enter same passphrase again: **********************

  • Once the passphrases match, ssh-keygen will display a message indicating where the public and private keys will be saved.

      Your identification has been saved in /home/sshuser/.ssh/id_rsa.
      Your public key has been saved in /home/sshuser/.ssh/
      The key fingerprint is:

Configure SSH client settings

  • Edit your ssh client configuration, such that ssh requests to are sent over port 9222 (if your site filters port 22). This is accomplished by creating or modifying the /home/<sshuser>/.ssh/config file with the following values.

      Host *
       # The path to the private key you generated, such as: /home/<sshuser>/.ssh/id_rsa
       IdentityFile ~/.ssh/id_rsa
       User git
       # Optional: can be used if a firewall is blocking port 22
       Port 9222
       ControlPath ~/.ssh/%r@%h:%p
       ControlMaster auto
       ControlPersist 30m

  • Check that the file permissions are set properly on /home/<sshuser>/.ssh/config. You can set the correct permissions by running the following commands:

      chmod 0700 ~/.ssh
      chmod 0600 ~/.ssh/config

  • Check alternate ports:

To check if port 22 is open:

      ssh -p 22 info <CAF_area>/<CAF_shortname>/<CAF_repository>

To check if port 9222 is open:

      ssh -p 9222 info <CAF_area>/<CAF_shortname>/<CAF_repository>

Update /home/<sshuser>/.ssh/config with the port that succeeded in the above commands.

Submitting your SSH key to CAF

You must generate your SSH public/private key pair and upload the public key to your request as specified below. CAF only supports 1 SSH key per user.

  Keys less than 2048 bits in length will not be accepted for security reasons.

  1. Create a new support request on the CAF service desk under "Project write access".
  2. Paste your full ssh PUBLIC key in the "SSH Key" field.
  3. Fill out other fields and submit the request.

  Once we verify with the project administrators that you should have access, we will grant it.

Updating/Changing your SSH key

CAF only supports one SSH key per user. To change your SSH key on file, create a new support request on the CAF service desk under "Project write access" and specify in the description that it is a key replacement request.

Before accessing with the new key, ITPeople will need to update your key's permissions. When complete, ITPeople will respond to the ticket to notify you that access has been enabled with the new key.

Validate SSH key stored on CAF

You can use ssh-keygen to validate that your public key matches what is uploaded on CAF. For example, if your SSH keys are in the ~/.ssh/ directory in your home directory, you would run:

 ssh-keygen -l -f ~/.ssh/ -E md5

This will return your SSH public key fingerprint and you can validate it matches your public key fingerprint.

You can also run the following command to get extra ssh debug information:

 $ ssh -T -v

SSH Servers

Beginning April 14, 2018 at 10AM PDT        -> will resolve to one of the below depending on your location: -> ->

New IPs:  :  : :

Created by superadmin on 2020/04/18 20:53