I have the following setup:
我有以下设置:
A server (centOS) with git and a repository for a project on the same server.
带有git的服务器(centOS)和同一服务器上项目的存储库。
What I need to do is to be able to pull from the repository without being asked for password (because is annoying).
我需要做的是能够从存储库中提取而不被要求输入密码(因为很烦人)。
Note: I am logged as root when I pull.
注意:当我拉动时,我以root身份登录。
Can anyone help me with that?
任何人都可以帮助我吗?
3 个解决方案
#1
4
There are a few options, depending on what your requirements are, in particular your security needs. For both HTTP and SSH, there is password-less, or password required access.
根据您的要求,有几种选择,特别是您的安全需求。对于HTTP和SSH,都有无密码或密码要求的访问权限。
HTTP
==============
Password-Less
Useful for fetch only requirements, by default push is disabled. Perfect if anonymous cloning is the intention. You definitely shouldn't enable push for this type of configuration. The man page for git-http-backend contains good information, online copy at http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html. It provides an example of how to configure apache to provide this.
对于仅提取要求很有用,默认情况下禁用推送。如果匿名克隆是意图,那就完美了。你肯定不应该为这种类型的配置启用推送。 git-http-backend的手册页包含很好的信息,网址为http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html。它提供了一个如何配置apache来提供此功能的示例。
User/password in .netrc or url embedded
Where .netrc files are using in the form:
.netrc文件在表单中使用的位置:
machine <hostname> login <username> password <password>
And embedded urls would be in the form:
嵌入式网址将采用以下形式:
http://user:pass@hostname/repo
Since git won't do auth for you, you will need to configure a webserver such as apache to perform the auth, before passing the request onto the git tools. Also keep in mind that using the embedded method is a security risk, even if you use https since it is part of the url being requested.
由于git不会为您执行auth,因此在将请求传递给git工具之前,您需要配置一个Web服务器(如apache)来执行auth。另请注意,即使您使用https,使用嵌入式方法也存在安全风险,因为它是所请求网址的一部分。
If you want to be able to pull non-interactive, but prevent anonymous users from accessing the git repo, this should be a reasonably lightweight solution using apache for basic auth and preferably the .netrc file to store credentials. As a small gotcha, git will enable write access once authentication is being used, so either use anonymous http for read-only, or you'll need to perform some additional configuration if you want to prevent the non-interactive user from having write access.
如果你想能够提取非交互性,但阻止匿名用户访问git repo,这应该是一个相当轻量级的解决方案,使用apache进行基本身份验证,最好使用.netrc文件来存储凭据。作为一个小问题,git将在使用身份验证后启用写访问,因此要么使用匿名http进行只读,要么如果要阻止非交互式用户具有写访问权限,则需要执行一些其他配置。
See:
- httpd.apache.org/docs/2.4/mod/mod_auth_basic.html for more on configuring basic auth
- www.kernel.org/pub/software/scm/git/docs/git-http-backend.html for some examples on the apache config needed.
httpd.apache.org/docs/2.4/mod/mod_auth_basic.html了解有关配置基本身份验证的更多信息
www.kernel.org/pub/software/scm/git/docs/git-http-backend.html有关所需apache配置的一些示例。
SSH
==============
Passphrase-Less
Opens up for security issues, since anyone who can get a hold of the ssh private key can now update the remote git repo as this user. If you want to use this non-interactively, I'd recommend installing something like gitolite to make it a little easier to ensure that those with the ssh private key can only pull from the repo, and it requires a different ssh key pair to update the repo.
打开安全问题,因为任何能够获取ssh私钥的人现在都可以以此用户身份更新远程git仓库。如果你想以非交互方式使用它,我建议安装类似gitolite的东西,以便更容易确保那些带有ssh私钥的人只能从repo中提取,并且它需要一个不同的ssh密钥对来更新回购。
See github.com/sitaramc/gitolite/ for more on gitolite.
有关gitolite的更多信息,请参阅github.com/sitaramc/gitolite/。
stromberg.dnsalias.org/~strombrg/ssh-keys.html - for creating password less ssh keys: May also want to cover managing multiple ssh keys: www.kelvinwong.ca/2011/03/30/multiple-ssh-private-keys-identityfile/
stromberg.dnsalias.org/~strombrg/ssh-keys.html - 用于创建密码少的ssh密钥:也可能需要涵盖管理多个ssh密钥:www.kelvinwong.ca/2011/03/30/multiple-ssh-private-按键-identityfile /
Passphase protected
Can use ssh-agent to unlock on a per-session basis, only really useful for interactive fetching from git. Since you mention root and only talk about performing 'git pull', it sounds like your use case is non-interactive. This is something that might be better combined with gitolite (github.com/sitaramc/gitolite/).
可以使用ssh-agent在每个会话的基础上解锁,只对从git交互式提取非常有用。既然你提到root并只谈论执行'git pull',听起来你的用例是非交互式的。这可能与gitolite(github.com/sitaramc/gitolite/)结合得更好。
Summary
==============
Using something like gitolite will abstract a lot of the configuration away for SSH type set ups, and is definitely recommended if you think you might have additional repositories or need to specify different levels of access. It's logging and auditing are also very useful.
使用像gitolite这样的东西会为SSH类型设置抽象很多配置,如果您认为可能有其他存储库或需要指定不同的访问级别,那么绝对建议使用。它的日志记录和审计也非常有用。
If you just want to be able to pull via http, the git-http-backend man page should contain enough information to configure apache to do the needful.
如果你只是想通过http来提取,那么git-http-backend手册页应该包含足够的信息来配置apache以满足需要。
You can always combine anonymous http(s) for clone/pull, with passphrase protected ssh access required for full access, in which case there is no need to set up gitolite, you'll just add the ssh public key to the ~/.ssh/authorized_keys file.
您始终可以将匿名http(s)用于克隆/拉取,以及完全访问所需的密码短语保护ssh访问,在这种情况下,无需设置gitolite,您只需将ssh公钥添加到〜/。 ssh / authorized_keys文件。
#2
2
See the answer to this question. You should use the SSH access instead of HTTPS/GIT and authenticate via your SSH public key. This should also work locally.
看到这个问题的答案。您应该使用SSH访问而不是HTTPS / GIT,并通过SSH公钥进行身份验证。这也应该在本地工作。
#3
1
If you're using ssh access, you should have ssh agent running, add your key there and register your public ssh key on the repo end. Your ssh key would then be used automatically. This is the preferred way.
如果您正在使用ssh访问,则应该运行ssh代理,在那里添加密钥并在repo端注册您的公共ssh密钥。然后,您的ssh密钥将自动使用。这是首选方式。
If you're using https access, you one would either
如果您正在使用https访问权限,那么您也可以
- use a .netrc file that contains the credentials or
- provide user/pass in the target url in the form https://user:pass@domain.tld/repo
使用包含凭据或的.netrc文件
以https:// user:pass@domain.tld/repo的形式提供目标网址的用户/传递
With any of these three ways, it shouldn't ask for a password.
使用这三种方式中的任何一种,都不应该要求输入密码。
#1
4
There are a few options, depending on what your requirements are, in particular your security needs. For both HTTP and SSH, there is password-less, or password required access.
根据您的要求,有几种选择,特别是您的安全需求。对于HTTP和SSH,都有无密码或密码要求的访问权限。
HTTP
==============
Password-Less
Useful for fetch only requirements, by default push is disabled. Perfect if anonymous cloning is the intention. You definitely shouldn't enable push for this type of configuration. The man page for git-http-backend contains good information, online copy at http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html. It provides an example of how to configure apache to provide this.
对于仅提取要求很有用,默认情况下禁用推送。如果匿名克隆是意图,那就完美了。你肯定不应该为这种类型的配置启用推送。 git-http-backend的手册页包含很好的信息,网址为http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html。它提供了一个如何配置apache来提供此功能的示例。
User/password in .netrc or url embedded
Where .netrc files are using in the form:
.netrc文件在表单中使用的位置:
machine <hostname> login <username> password <password>
And embedded urls would be in the form:
嵌入式网址将采用以下形式:
http://user:pass@hostname/repo
Since git won't do auth for you, you will need to configure a webserver such as apache to perform the auth, before passing the request onto the git tools. Also keep in mind that using the embedded method is a security risk, even if you use https since it is part of the url being requested.
由于git不会为您执行auth,因此在将请求传递给git工具之前,您需要配置一个Web服务器(如apache)来执行auth。另请注意,即使您使用https,使用嵌入式方法也存在安全风险,因为它是所请求网址的一部分。
If you want to be able to pull non-interactive, but prevent anonymous users from accessing the git repo, this should be a reasonably lightweight solution using apache for basic auth and preferably the .netrc file to store credentials. As a small gotcha, git will enable write access once authentication is being used, so either use anonymous http for read-only, or you'll need to perform some additional configuration if you want to prevent the non-interactive user from having write access.
如果你想能够提取非交互性,但阻止匿名用户访问git repo,这应该是一个相当轻量级的解决方案,使用apache进行基本身份验证,最好使用.netrc文件来存储凭据。作为一个小问题,git将在使用身份验证后启用写访问,因此要么使用匿名http进行只读,要么如果要阻止非交互式用户具有写访问权限,则需要执行一些其他配置。
See:
- httpd.apache.org/docs/2.4/mod/mod_auth_basic.html for more on configuring basic auth
- www.kernel.org/pub/software/scm/git/docs/git-http-backend.html for some examples on the apache config needed.
httpd.apache.org/docs/2.4/mod/mod_auth_basic.html了解有关配置基本身份验证的更多信息
www.kernel.org/pub/software/scm/git/docs/git-http-backend.html有关所需apache配置的一些示例。
SSH
==============
Passphrase-Less
Opens up for security issues, since anyone who can get a hold of the ssh private key can now update the remote git repo as this user. If you want to use this non-interactively, I'd recommend installing something like gitolite to make it a little easier to ensure that those with the ssh private key can only pull from the repo, and it requires a different ssh key pair to update the repo.
打开安全问题,因为任何能够获取ssh私钥的人现在都可以以此用户身份更新远程git仓库。如果你想以非交互方式使用它,我建议安装类似gitolite的东西,以便更容易确保那些带有ssh私钥的人只能从repo中提取,并且它需要一个不同的ssh密钥对来更新回购。
See github.com/sitaramc/gitolite/ for more on gitolite.
有关gitolite的更多信息,请参阅github.com/sitaramc/gitolite/。
stromberg.dnsalias.org/~strombrg/ssh-keys.html - for creating password less ssh keys: May also want to cover managing multiple ssh keys: www.kelvinwong.ca/2011/03/30/multiple-ssh-private-keys-identityfile/
stromberg.dnsalias.org/~strombrg/ssh-keys.html - 用于创建密码少的ssh密钥:也可能需要涵盖管理多个ssh密钥:www.kelvinwong.ca/2011/03/30/multiple-ssh-private-按键-identityfile /
Passphase protected
Can use ssh-agent to unlock on a per-session basis, only really useful for interactive fetching from git. Since you mention root and only talk about performing 'git pull', it sounds like your use case is non-interactive. This is something that might be better combined with gitolite (github.com/sitaramc/gitolite/).
可以使用ssh-agent在每个会话的基础上解锁,只对从git交互式提取非常有用。既然你提到root并只谈论执行'git pull',听起来你的用例是非交互式的。这可能与gitolite(github.com/sitaramc/gitolite/)结合得更好。
Summary
==============
Using something like gitolite will abstract a lot of the configuration away for SSH type set ups, and is definitely recommended if you think you might have additional repositories or need to specify different levels of access. It's logging and auditing are also very useful.
使用像gitolite这样的东西会为SSH类型设置抽象很多配置,如果您认为可能有其他存储库或需要指定不同的访问级别,那么绝对建议使用。它的日志记录和审计也非常有用。
If you just want to be able to pull via http, the git-http-backend man page should contain enough information to configure apache to do the needful.
如果你只是想通过http来提取,那么git-http-backend手册页应该包含足够的信息来配置apache以满足需要。
You can always combine anonymous http(s) for clone/pull, with passphrase protected ssh access required for full access, in which case there is no need to set up gitolite, you'll just add the ssh public key to the ~/.ssh/authorized_keys file.
您始终可以将匿名http(s)用于克隆/拉取,以及完全访问所需的密码短语保护ssh访问,在这种情况下,无需设置gitolite,您只需将ssh公钥添加到〜/。 ssh / authorized_keys文件。
#2
2
See the answer to this question. You should use the SSH access instead of HTTPS/GIT and authenticate via your SSH public key. This should also work locally.
看到这个问题的答案。您应该使用SSH访问而不是HTTPS / GIT,并通过SSH公钥进行身份验证。这也应该在本地工作。
#3
1
If you're using ssh access, you should have ssh agent running, add your key there and register your public ssh key on the repo end. Your ssh key would then be used automatically. This is the preferred way.
如果您正在使用ssh访问,则应该运行ssh代理,在那里添加密钥并在repo端注册您的公共ssh密钥。然后,您的ssh密钥将自动使用。这是首选方式。
If you're using https access, you one would either
如果您正在使用https访问权限,那么您也可以
- use a .netrc file that contains the credentials or
- provide user/pass in the target url in the form https://user:pass@domain.tld/repo
使用包含凭据或的.netrc文件
以https:// user:pass@domain.tld/repo的形式提供目标网址的用户/传递
With any of these three ways, it shouldn't ask for a password.
使用这三种方式中的任何一种,都不应该要求输入密码。