
On git servers using ssh, how are users distinguished for sp - Stack Overflow


I want to host git repositories locally on my device (I've followed https://git-scm/book/en/v2/Git-on-the-Server-Setting-Up-the-Server to set up a repository) and allow multiple users to access specific repositories. The guide I linked seems to set it up so that every user has their ssh key authorized to the git user, which is consistent with how well-known servers handle this. Despite everyone being authorized to the same user, though, on the well-known servers, users have different access rights.

My question is two-fold:

  1. Is there a simple solution to this using the basic tools included in Linux (i.e. without installing a specialized server, just using ssh, git, and whatever utilities are baked into Linux)? I realize that a potential solution is to add a system user per user rather than linking everyone to the git user; I'm more curious about not doing this, if for no other reason than to understand the underlying mechanism.
  2. If 1 is false, how do commercial git servers achieve this purpose? Do they roll their own ssh server implementation?
asked Jan 31 at 18:10 by Luke Beukelman; edited Jan 31 at 18:19 by Charles Duffy
  • Rolling one's own ssh server is not hard. It's outright easy -- there are lots of frameworks for the purpose (paramiko for Python, x/crypto/openssh in golang, etc). I've done it and I'm sure plenty of other people have too. – Charles Duffy Commented Jan 31 at 18:15
  • There are also ways to get something similar to the desired effect with standard OpenSSH, but I'm not sure going into the details is on-topic -- that's a system administration question not a programming one. Basically, though, you can have an authorized_keys file that lists environment variables to set (or commands to run) when a given key is seen. – Charles Duffy Commented Jan 31 at 18:16
  • (Also, read the tags -- the linux tag is only for questions about Linux-specific APIs and programming interfaces) – Charles Duffy Commented Jan 31 at 18:18
  • "a potential solution is to add a system user per user" Yes, that's the solution; users will do git clone/fetch/pull/push myuser@host instead of git@host. "how do commercial git server's achieve this purpose? Do they roll their own ssh server implementation?" Yes. There is a tool that maps a single system account like git@ to different users: gitolite/gitolite/index.html – phd Commented Jan 31 at 18:20
  • (Instead of having an authorized_keys file, openssh also lets you specify an arbitrary command to use to look up available entries; so again, lots of available options, enough that I'm not sure knowing how any one specific tool does it is very relevant or important) – Charles Duffy Commented Jan 31 at 18:21

1 Answer


OpenSSH lets you specify a custom command and/or custom environment variables per-key in the authorized_keys files. See the section AUTHORIZED_KEYS FILE FORMAT in man 5 authorized_keys. You can use that to associate each permitted key with the associated user, and to run everything through a wrapper that does the necessary permission checks.

Alternatively (thanks Charles Duffy for mentioning it), you can set up an external program to validate SSH keys with AuthorizedKeysCommand in the sshd config. The AuthorizedKeysCommand can set anything that can be set in the authorized_keys file, but you don't have to have everything in a big static file — you can consult a database or something instead.

Larger commercial providers probably don't do it this way (GitHub doesn't use OpenSSH anymore, judging by their SSH version banner), but it should be practical up to hundreds of users with authorized_keys, and probably quite a bit further than that with an external command.
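As an added example (not the answerer's code or any project's), here is a POSIX sh wrapper showing the mechanism the answer describes: each key's authorized_keys entry names its owner through the command= option, and the wrapper checks that owner against a small constructed ACL before handing the request to git. The path /usr/local/bin/git-acl-shell, the REPO_ROOT default and the ACL entries are assumptions; the same command= lines could just as well be emitted by an AuthorizedKeysCommand program instead of a static file.

```shell
#!/bin/sh
# Added example: wrapper for the authorized_keys "command=" option. Each user's key
# is added to the single git account with a line like (key material abbreviated):
#   command="/usr/local/bin/git-acl-shell alice",no-pty,no-port-forwarding ssh-ed25519 AAAA... alice
# sshd then runs this script with the user name as $1 and the client's request in
# SSH_ORIGINAL_COMMAND, so nothing the client types is executed directly.
REPO_ROOT=${REPO_ROOT:-/srv/git}   # assumed location of the bare repositories
# Constructed ACL table: <repo> <user> <r|rw>, one entry per line.
ACL='
project.git alice rw
project.git bob r
secret.git alice rw
'
# acl_lookup REPO USER: prints the permission, fails when no entry matches.
acl_lookup() {
    printf '%s\n' "$ACL" | awk -v r="$1" -v u="$2" \
        '$1 == r && $2 == u { print $3; found = 1; exit } END { exit !found }'
}
# parse_cmd SSH_ORIGINAL_COMMAND: prints "<upload-pack|receive-pack> <repo>". Only the
# two transport commands git issues are accepted, and the repository must be a bare
# name such as project.git (no path separators, no dot segments, no quotes).
parse_cmd() {
    case $1 in
        "git-upload-pack '"*"'" | "git upload-pack '"*"'")   service=upload-pack ;;
        "git-receive-pack '"*"'" | "git receive-pack '"*"'") service=receive-pack ;;
        *) return 1 ;;
    esac
    repo=${1#*\'}; repo=${repo%\'}; repo=${repo#/}
    case $repo in
        "" | .* | *..* | *[!A-Za-z0-9_.-]*) return 1 ;;
        *.git) printf '%s %s\n' "$service" "$repo" ;;
        *) return 1 ;;
    esac
}
# check_access USER SSH_ORIGINAL_COMMAND: succeeds only if USER may run that request.
check_access() {
    parsed=$(parse_cmd "$2") || return 1
    perm=$(acl_lookup "${parsed#* }" "$1") || return 1
    case "${parsed%% *}:$perm" in
        upload-pack:r | upload-pack:rw | receive-pack:rw) return 0 ;;
        *) return 1 ;;
    esac
}
# Entry point used by sshd; skipped when the script is run without a request.
if [ $# -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    check_access "$1" "$SSH_ORIGINAL_COMMAND" || { echo "access denied" >&2; exit 1; }
    parsed=$(parse_cmd "$SSH_ORIGINAL_COMMAND")
    exec git "${parsed%% *}" "$REPO_ROOT/${parsed#* }"
fi
```

Pairing the command= option with no-pty, no-port-forwarding and the other restriction options matters, because without them a key that is only meant to reach git could still open tunnels through the account.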
