Gitolite is an excellent hosting system for git repositories. I have some 20 git repos on a local server, administered with gitolite. I find that once I have a repo set up, the server just sits there and serves up repos. Because I have automated backups, including offsite backups, anything in a repo is about as secure as it can be for anything short of the Yellowstone caldera blowing.
I used to have the same key (under different names) for both my user account on one machine and for the admin account. For security reasons, I decided to separate the two. One concern is that if I open my server up to other people, I don't even want them to know that a gitolite-admin repo exists.
Here's how I did it.
- Generate the admin key pair

Something like:

```sh
$ ssh-keygen -t ed25519 -f id_gitolite
```

Then copy the public half, `id_gitolite.pub`, over the old admin key in `gitolite-admin/keys`. The private half stays in `~/.ssh`, which is where the `IdentityFile` line below points.
- Add a new entry in your ssh config file

I have one stanza for my regular ID in my `~/.ssh/config` file, like so:

```
host gitolite
    user gitolite3
    hostname gitolite
    port 22
    ForwardX11 no
    ForwardX11Trusted no
```

I simply copied that over and edited it to suit the new account:

```
host gitoliteadmin
    user gitolite3
    hostname gitolite
    IdentityFile ~/.ssh/id_gitolite
    port 22
    ForwardX11 no
    ForwardX11Trusted no
```

Note the new `IdentityFile` line, which specifies the new key.

Also, the hostname, gitolite, is an alias in my local name server. That will let me move the whole kazoo to another server should I ever want to.
- Use the admin key only for the gitolite-admin repo

In `gitolite.conf`, grant the admin repo to the new key, and only that key, and grant that key nothing else:

```
repo gitolite-admin
    RW+ = admin
```
- Re-clone the gitolite-admin repo

Your old local copy of the gitolite-admin repo is now as dead as a politician's ethics, as it was cloned with the old key. No worries. Just clone it again with the new key, by specifying the admin ssh configuration, like so:

```sh
$ git clone ssh://gitoliteadmin/gitolite-admin
```

And that should do it.
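A pre-flight check for the two things that quietly undo this setup (example code added here, not from the original post): ssh offering an agent-loaded key before the `IdentityFile` one, which `IdentitiesOnly yes` prevents, and a stray extra member on gitolite-admin. The script parses `~/.ssh/config` and `gitolite.conf` with awk; the function names, the file paths and the constructed sample files are all assumptions.

```shell
#!/bin/sh
# Pre-flight check for the split described above: is the admin alias pinned
# to its own key, and is "admin" the only identity on gitolite-admin?
# Added example, not from the original post; all file paths are assumptions.

# Effective value of one keyword for one Host alias in an ssh config file.
# First match wins, as in ssh; keywords are case-insensitive; "Host *" blocks
# are ignored, so check the alias that matters rather than the defaults.
ssh_opt() { # ssh_opt <ssh_config> <alias> <keyword>
    awk -v alias="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { in_block = 0
            for (i = 2; i <= NF; i++) if ($i == alias) in_block = 1
            next }
        in_block && tolower($1) == key && !seen { print $2; seen = 1 }' "$1"
}

# Users and groups with any access to a repo in gitolite.conf. Handles the
# plain "repo NAME" / "PERM = user ..." form; @groups are listed, not expanded.
repo_members() { # repo_members <gitolite.conf> <repo>
    awk -v repo="$2" '
        $1 == "repo" { in_block = 0
            for (i = 2; i <= NF; i++) if ($i == repo) in_block = 1
            next }
        in_block && $1 != "option" && $1 != "config" && /=/ {
            sub(/#.*/, ""); sub(/^[^=]*=/, "")
            for (i = 1; i <= NF; i++) print $i }' "$1" | sort -u
}

# Exit 0 when the alias is pinned to its own key and only <admin_user> can
# reach gitolite-admin; otherwise report each problem and exit 1.
check_split() { # check_split <ssh_config> <gitolite.conf> <alias> <admin_user>
    rc=0
    [ -n "$(ssh_opt "$1" "$3" IdentityFile)" ] ||
        { echo "$3: no IdentityFile, so the default keys would be tried"; rc=1; }
    [ "$(ssh_opt "$1" "$3" IdentitiesOnly)" = yes ] ||
        { echo "$3: add 'IdentitiesOnly yes' or an agent-loaded key may be offered first"; rc=1; }
    for u in $(repo_members "$2" gitolite-admin); do
        [ "$u" = "$4" ] || { echo "gitolite-admin: unexpected member $u"; rc=1; }
    done
    return $rc
}

# Constructed sample files mirroring the post's stanzas, so this runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'host gitolite' '  user gitolite3' 'host gitoliteadmin' \
  '  user gitolite3' '  IdentityFile ~/.ssh/id_gitolite' '  IdentitiesOnly yes' \
  > "$demo_dir/config"
printf '%s\n' 'repo gitolite-admin' '  RW+ = admin' 'repo testing' \
  '  RW+ = @all' > "$demo_dir/gitolite.conf"
check_split "$demo_dir/config" "$demo_dir/gitolite.conf" gitoliteadmin admin && echo OK
```

Once the server side is in place, comparing `ssh gitolite info` with `ssh gitoliteadmin info` confirms from the server's point of view that only the admin alias can see gitolite-admin.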