Gitosis Unsafe SSH username in keyfile

While configuring and using Gitosis you will probably see the following error sooner or later. It appears immediately after a changed configuration is pushed to the gitosis-admin repository. When it does, the reported user keys are not provisioned in gitosis at all, which leaves those keys/users without access to any repository.

WARNING:gitosis.ssh:Unsafe SSH username in keyfile

The above is just the plain error message, while the output below shows the complete output of the push command. The example output also shows that the message can occur multiple times, once per offending key file. The output labels this a WARNING, but in practice it prevents the configured users from accessing any configured repository, and the push itself still succeeds, so nothing forces you to notice. As such I would categorize it as an error.

$ git push origin master
Counting objects: 5, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 1.01 KiB | 0 bytes/s, done.
Total 5 (delta 3), reused 0 (delta 0)
remote: WARNING:gitosis.ssh:Unsafe SSH username in keyfile: 'user1@01host.example.com.pub'
remote: WARNING:gitosis.ssh:Unsafe SSH username in keyfile: 'user2@01host.example.com.pub'
remote: WARNING:gitosis.ssh:Unsafe SSH username in keyfile: 'user3@01host.example.com.pub'
remote: WARNING:gitosis.ssh:Unsafe SSH username in keyfile: 'user4@01host.example.com.pub'
To ssh://git@git.example.com/gitosis-admin.git
   799176b..e783046  master -> master

The question is what causes this error. Investigation into the inner workings of gitosis reveals the root cause of this error message. Gitosis has a built-in check for the name of the user/key, intended to prevent the use of disallowed characters in a name that later ends up in gitosis.conf and in the generated authorized_keys. The pattern used to check the user/key name looks like the following and is found in the file /usr/lib/python2.6/site-packages/gitosis/ssh.py (CentOS).

$ egrep "^_ACCEPTABLE_USER_RE" /usr/lib/python2.6/site-packages/gitosis/ssh.py
_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')

This regular expression (regex) restricts the allowed characters in user/key names and requires at least one character; it sets no maximum length. Gitosis applies it to the file name of each key in the keydir directory with the ".pub" suffix removed, so the name that has to match is "user1@01host.example.com", not the full file name. The above regex can be explained with the following rules.

* The user/key name can be just a user name or in an email-like format (user-part@domain-part.com).
* The user part has to start with a letter character "a-zA-Z".
* The user part can then contain 0 or more of the letters "a-zA-Z", digits "0-9", and the "_", "." and "-" characters.
* The domain part needs to start with a letter character "a-zA-Z".
* The domain part can then contain 0 or more of the letters "a-zA-Z", digits "0-9", and the "." and "-" characters. Note that "_" is allowed in the user part but not in the domain part.
* The user part needs to be 1 character minimum; the domain part may be empty.
* The domain part is optional but, if present, needs to be separated from the user part by a single "@".
* Anything else, for example "+" (common in e-mail addresses), spaces, or a second "@", causes the name to be rejected.

Those rules are hard coded into gitosis and cannot be changed via configuration. In the push output above, every rejected key file fails the fourth rule: the domain part "01host.example.com" starts with a digit. It is unclear why the first character is only allowed to be a letter and not a digit. Most likely this is a historical limitation. In the past, user names were not allowed to start with digits, but this limitation is long gone. Likewise, requiring a domain to start with a character from a-z seems obsolete in times of IDNs (Internationalised Domain Names), which allow characters from many scripts. Also, RFC 1123 Section 2.1 "Host Names and Numbers" explicitly permits a digit as the first character of a host or domain name.

With those restrictions in mind, the user name can be changed to match the regex pattern: rename the key file under keydir/ in the gitosis-admin repository, change the corresponding member name in gitosis.conf to the same value (without ".pub"), then commit and push again and check that the push output no longer shows the warning. Alternatively the regex in the gitosis source file can be changed. The latter option involves the risk of the change being reverted when an update for gitosis is installed, and it widens the set of strings that end up in the generated authorized_keys file, so I would not suggest this unless you have a good reason to do it.


Read more of my posts on my blog at http://blog.tinned-software.net/.
