We already had a secured VPN using OpenVPN, so we don't want to use Git with SSH to avoid double encryption.
I successfully set up Bonobo Git Server on IIS 7 on Windows 2008 RC2 and created an repository. But when I tried to clone that repository from my laptop using Git GUI, it kept asking me username and password repetitively although I gave it the correct username and password created on Bonobo Server.
When I intentionally gave it incorrect credentials, it threw an expected authentication error.
Do you have any advice for me so I can connect to Git Server? Is it due to the lack of SSH keys?
As far as I can see, Bonobo offers three different authentication mechanisms: Forms, Basic, and Windows authentication. None of these involve SSH, so no, you are not using SSH and you don’t need SSH keys to make this work. SSH is just one mechanism that is commonly used for Git servers (simply because they run on Linux machines, and SSH access is very common there).
Bonobo uses the forms authentication by default. I believe you cannot preset the login information anywhere so you don’t have to enter it over and over again. You can do that with basic authentication though by changing the remote URL to include the credentials (e.g. http://user:password#bonobo-server/project.git). Of course, this will put the credentials in clear text into the repository’s configuration file, and also send the password in clear text over the network. The VPN connection will prevent someone outside of the VPN connection reading out that password, but inside of the VPN connection it is sent as clear text, so keep that in mind.
The more secure way would be Windows authentication. It uses your Windows login to authenticate at the server, and you won’t need to store your password somewhere. To Windows, it’s the “natural” authentication system, just like SSH is to Linux.
I was successful with poke's suggestion in his comment, which is utilizing a shared folder pointing to a remote bare repository.
Related
I am able to perform all git operations via git command line (Terminal),But via Xcode causes an authentication error "Enter your credentials for the repository"
Since this work with Xcode 6.4 but not in Xcode8.3. This may happens cause XCode 7 doesn't support Windows Authentication. It seems to be a common problem amongst users because there are many posts about it in google.
To make it all work you should enable Basic Authentication in your IIS TFS website on "tfs" virtual folder.
Be careful though because basic authentication sends your credentials over network as plain text. Highly recommend you use SSL in this case.
The steps to setup SSL are described in details in the
docs.
Here
you can find what is required to configure Basic Authentication.
A couple of caveats:
username should be entered in domain\user format
do not enable Basic Authentication on the default non-SSL site
Source Link
Also suggest you use Git Credential Manager for Mac and Linux to store credentials for Git version control.
I'm trying to get a CI setup going and have got Mavericks server downloaded and linked with Xcode all on one machine.
Here's the set up:
Two git repos, hosted on OS X server, named CI and CISubmodule.
CISubmodule added as a submodule to CI
Every time I add bot I get a Host key verification failed error on integration. It's clear from the logs that the server is unable to clone CISubmodule due to an authentication error (I've tried SSH, HTTP, HTTPS) but I don't know why it's failing authentication.
I've set up the server so that logged in users can read and write.
I've tried everything mentioned here.
I'm guessing it's because the server is running as teamsserver and the repo is probably under my username, but I can't figure out how to give it permission to clone. Could it be that the SSH key requires a password? If so, how do I set it up so that it doesn't need a password any more?
Any guidance would be greatly appreciated.
Thanks,
Simon
I had the same case and I am not sure what happend exactly, I think the reason was I had more remote repository accesses and ssh keys pointing git-server side pointing to the same repository.
Deleting the remote repository accesses and cleaning up authorized_keys file helped.
I can confirm the CI server works with submodules, but make sure the .gitmodules file and xccheckout file point to the same repos
you may need to use passphrase-LESS keys for os x server to properly connect to 3rd party hosted git repos. it cannot connect with there is a passphrase needed.
ssh-keygen -p
it worked for us
One thing that helped me was to change my submodule URLs to use HTTPS instead of SSH.
When doing this, make sure that Xcode is actually using the new URLs. Even though I made the changes and pushed them, Xcode was caching the SSH URLs and using them. Remove all your SSH URLS from your server, then also remove them from your client under Preferences->Accounts. Then restart the server and restart Xcode, confirming that the new HTTPS URLs are being used when you create your bot.
Due to some serious problems with a Git repo on Windows over HTTP, we're moving our Git 'server' to Linux.
Assuming I have already the msysgit for Windows installed and Putty, how will I authenticate the SSH connection when I clone, pull and push?
In case of SSH:
on the server, you'll need to allow authentication with public and private keys, you can google how to do it, for example http://shapeshed.com/setting_up_git_for_multiple_developers/
on the client, just put your private key into .ssh folder in your windows home, for example C:\Users\Name\.ssh, much like on unixes.
You can still use HTTP, it will either (1) always ask for username and password or (2) you can also put username and password into the URL: https://username:password#git.mydomain.com/...
This page has everything covered about using PuTTy for Git public key authentication.
In short:
Generate keypair with puttygen
Put the public key in server
In your local computer, set GIT_SSH environment variable to point to plink.exe
Run putty pageant and load your private key there
I recommend working through this tutorial.
The caveat is that it talks about github, so the story of telling the server about your SSH key is different.
What's also different is how do you intend to manage your developers.
The "problem" is that SSH operates with real remote (server-side, I mean) users, which have to have regular Unix system accounts.
This is okay if you have just a handful of developers. You then just need to add all of them to a special group (say, devel) and make sure you initialize your server-side bare repos using git init --bare --shared=group and make them group-writable and belonging to that group devel (this might also be helped out by creating all the repos under a directory which has its "group sticky bit" set and belongs to that group devel).
To distribute the public part of a developer's key to the server in such a setup you have to literally copy and paste that key part (from the developer's id_rsa.pub file, it's ASCII) to the file /home/developer/.ssh/authorized_keys file. If that file does not exist, create it.
If the key was generated on a machine with OpenSSH client installed, you can transfer the key using the ssh-copy-id program, in one step.
This might become messy, so you might consider implementing a solution which virtualizes Git users (like github does). There are plenty to choose from:
gitolite — supposedly the most popular solution. No frills, is administered using a specialized admin Git repo holding the developers' public keys and a configuration file describing the repos and permissions on them. Plain Perl, installable as a package on most sensible distros.
gitlab — a turn-key all-in-one solution. Written in Ruby, so you might face maintenance nightmares.
gitblit — another all-in-one solution, written in pure Java (note that it does not call out to vanilla Git and uses a pure Java Git layer — JGit).
Since version 5.50 the Bitvise SSH Server allows connected client to authenticate to Windows user account without providing this user's Windows password. See here: https://www.bitvise.com/ssh-server-version-history
I've checked it myself - it does indeed.
My question is of pure curiosity: what kind of sorcery is this? Is there any WinAPI that allows such thing or is this some kind of clever hack? I always thought it is impossible to impersonate as other user without a password (as even when configuring Windows service or scheduled task to "run as user" it is neccessary to provide one).
IIRC, the SSH server in Cygwin does the same thing.
If you have the appropriate privileges you can create an access token with ZwCreateToken, no password required. Such a token has some limitations. For example, you can't access network resources without a password and some encrypted material isn't accessible.
There's an explanation and some sample code here.
Since version 5.50, Bitvise SSH Server comes with a Windows authentication package. An authentication package can enhance the Windows logon process in custom ways. When the SSH server needs to log you in, but does not have a password (e.g. because you logged in with a public key), it calls the authentication package to construct a logon token which closely resembles the logon token that would have been created by Windows. As arx has noted, a session created this way does not contain your authentication credentials, so side effects are that you can't access things like network resources and EFS.
For some reason, no matter how I go about it, I cannot get TortoiseSVN to add an Author to Log Messages.
Currently we connect to a PC running svnserve, so it's not a file:// Address.
We have tried using svn://Username#svnAddress, svn://svnAddress
Even setting svn:keywords $Author: AuthorName$
I was under the impression that TortoiseSVN would use the windows login name, prior to upgrading from a file based repo, these did show.
Note: We are also connecting to a domain, if this would affect anything.
also, no hook scripts are in play and the svnserve.conf is default.
SVN Server is using SVN Version 1.5.1 (x86), Windows Server 2003.
Clients are using latest version of Tortoise, both x86 and x64.
Any help would be much appreciated.
Ohh and the SVN is used for source code, so it is programming related :) (well semi related anyway)
The svn: protocol, by default, does not do any authentication, and consequently, no identification of the remote user. As TortoiseSVN does not need to authenticate, no user gets logged.
The SVN keywords don't have to do much with this: If you put $Author$ in a file, it will expand to the author of the commit, rather than setting the user. In the keyword syntax, there is no support for colons.
So if you want to authenticate with svnserve, you should first set anon-access to none or read, to force an authentication prompt. You then need to setup a password database; svnserve has only support for CRAM-MD5 builtin. I recommend you try to get this working first, handing out new passwords to all users. Alternatively, you can try to setup SASL, which would then allow for NTLM authentication - provided you can get SASL to work on your system.
Yet alternatively, you can switch to a different protocol. If, by "PC", you mean "Windows", then I guess the ssh-based protocol is ruled out. That leaves http(s); it should be possible to set up Apache on Windows with NTLM authentication, so that the NTLM user appears as the svn author.