Setting up a Git server with Windows Server 2008 - Shannon Cornish

I’m in the middle of setting up a Git server at work and needed to document the process that I used for installation, setup and administration. I figured the best place to put the documentation was to blog about it so that others might benefit and improve it.
The server operating system we’re running is Windows Server 2008.
What is Git?
Git is a distributed version control system originally developed by Linus Torvalds to manage the Linux kernel.
Git is available on Windows using Cygwin or msysGit.
For the server installation, I’ve chosen to use the Cygwin version of Git. We will be using a SSH server for our server to authenticate users and allow access to the repositories. Using Cygwin will allow us to use the Cygwin version of OpenSSH for our server.
Installing Cygwin
Create the C:\Cygwin directory.
Create the C:\Cygwin\packages directory.
Modify the permissions on the C:\Cygwin directory to grant the USERS group modify permissions.
Download the Cygwin setup package into the C:\Cygwin directory and run the setup.
Use the following options for the Cygwin setup package:
    Choose Installation Type
        Leave default Install from Internet
    Choose Installation Directory
        Leave default root directory C:\Cygwin
        Leave default install for All Users
        Leave default text file type Unix/binary
    Select Local Packages Directory
        Change local packages directory to C:\Cygwin\packages
    Select Connection Type
        Leave default direct connection
    Choose Download Site(s)
        Add a local mirror
    Select Packages
        Select Devel > git
        Select Devel > git-completion
        Select Devel > git-gui
        Select Devel > gitk
        Select Net > openssh
        Select Python > python
    Installation Status and Create Icons
        Leave default create icon on Desktop
        Leave default Add icon to Start Menu
Modify the C:\Cygwin\cygwin.bat file to set the CYGWIN environment variable. The whole file should appear as follows:
    @echo off
    set CYGWIN=binmode tty ntsec
    c:
    chdir c:\cygwin\bin
    bash --login -i
Run Cygwin from the desktop. It should display:
    Copying skeleton files.
    These files are for the user to personalise their cygwin experience.
    These will never be overwritten.
    './.bashrc' -> '/home/Administrator//.bashrc'
    './.bash_profile' -> '/home/Administrator//.bash_profile'
    './.inputrc' -> '/home/Administrator//.inputrc'
Execute mount -s --change-cygdrive-prefix /
Execute mkdir -p /home
Execute
    chmod +r /etc/passwd
    chmod +r /etc/group
    chmod 755 /var
Close the Cygwin bash prompt
Installing OpenSSH
Open the Cygwin bash prompt as an Administrator via right clicking and selecting Run as administrator.
Execute ssh-host-config
You should see
    *** Info: Generating /etc/ssh_host_key
    *** Info: Generating /etc/ssh_host_rsa_key
    *** Info: Generating /etc/ssh_host_dsa_key
    *** Info: Creating default /etc/ssh_config file
    *** Info: Creating default /etc/sshd_config file
    *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
    *** Info: However, this requires a non-privileged account called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
    *** Query: Should privilege separation be used? (yes/no)
Type yes
You should see
    *** Info: Note that creating a new user requires that the current account have
    *** Info: Administrator privileges. Should this script attempt to create a
    *** Query: new local account 'sshd'? (yes/no)
Type yes
You should see
    *** Info: Updating /etc/sshd_config file
    *** Warning: The following functions require administrator privileges!
    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no)
Type yes
You should see
    *** Info: Note that the CYGWIN variable must contain at least "ntsec"
    *** Info: for sshd to be able to change user context without password.
    *** Query: Enter the value of CYGWIN for the daemon: [ntsec]
Type binmode tty ntsec
You should see
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires. You need to have or to create a privileged
    *** Info: account. This script will help you do so.
    *** Info: You appear to be running Windows 2003 Server or later. On 2003
    *** Info: and later systems, it's not possible to use the LocalSystem
    *** Info: account for services that can change the user id without an
    *** Info: explicit password (such as passwordless logins [e.g. public key
    *** Info: authentication] via sshd).
    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless a similar account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.
    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.
    *** Info: No privileged account could be found.
    *** Info: This script plans to use 'cyg_server'.
    *** Info: 'cyg_server' will only be used by registered services.
    *** Query: Do you want to use a different name? (yes/no)
Type no
You should see
    *** Query: Create new privileged user account 'cyg_server'? (yes/no)
Type yes
You should see
    *** Info: Please enter a password for new user cyg_server. Please be sure
    *** Info: that this password matches the password rules given on your system.
    *** Info: Entering no password will exit the configuration.
    *** Query: Please enter the password:
Type and confirm a password for the new ‘cyg_server’ account.
After confirming the password, you should see
    *** Info: User 'cyg_server' has been created with password 'azxggsri7#35z'.
    *** Info: If you change the password, please remember also to change the
    *** Info: password for the installed services which use (or will soon use)
    *** Info: the 'cyg_server' account.
    *** Info: Also keep in mind that the user 'cyg_server' needs read permissions
    *** Info: on all users' relevant files for the services running as 'cyg_server'.
    *** Info: In particular, for the sshd server all users' .ssh/authorized_keys
    *** Info: files must have appropriate permissions to allow public key
    *** Info: authentication. (Re-)running ssh-user-config for each user will set
    *** Info: these permissions corrently. [Similary restrictions apply, for
    *** Info: instance, for .rhosts files if the rshd server is running, etc].
    *** Info: The sshd service has been installed under the 'cyg_server'
    *** Info: account. To start the service now, call `net start sshd' or
    *** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
    *** Info: after the next reboot.
    *** Info: Host configuration finished. Have fun!
Execute net start sshd
Open the Windows Firewall Editor and create an exception to allow TCP traffic on port 22.
Creating a Git user account for SSH access
Single SSH account will run under.
Create a ‘git’ account via the standard Windows tools and make sure to disable password expiry.
The account should be a member of the USERS group.
Open the Cygwin bash prompt and type
    mkpasswd -l -u git -p /home >> /etc/passwd
Log out of the Administrator account and login as the git account.
Run Cygwin from the desktop. It should display:
    Copying skeleton files.
    These files are for the user to personalise their cygwin experience.
    These will never be overwritten.
    './.bashrc' -> '/home/git//.bashrc'
    './.bash_profile' -> '/home/git//.bash_profile'
    './.inputrc' -> '/home/git//.inputrc'
Execute ssh-user-config
You should see
    *** Warning: group and other have been revoked write permission to your home
    *** Warning: directory /home/git.
    *** Warning: This is required by OpenSSH to allow public key authentication using
    *** Warning: the key files stored in your .ssh subdirectory.
    *** Warning: Revert this change ONLY if you know what you are doing!
    *** Query: Shall I create an SSH1 RSA identity file for you? (yes/no)
Type no
You should see
    *** Query: Shall I create an SSH2 RSA identity file for you? (yes/no)
Type yes
You should see
    *** Info: Generating /home/git/.ssh/id_rsa
    Enter passphrase (empty for no passphrase):
Press enter to create with an empty passphrase and press enter again to confirm.
You should see
    *** Query: Do you want to use this identity to login to this machine? (yes/no)
Type yes
You should see
    *** Info: Adding to /home/git/.ssh/authorized_keys
    *** Query: Shall I create an SSH2 DSA identity file for you? (yes/no)
Type no
You should see
    *** Info: Configuration finished. Have fun!
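The ssh-host-config and ssh-user-config messages above both depend on file permissions: the home directory, .ssh and authorized_keys must not be writable by group or other, and the private key must be readable by its owner only. The following is an added example, not part of the original post, that checks this from the Cygwin bash prompt; the function name audit_ssh_home is hypothetical, and it assumes GNU stat (Cygwin coreutils) and that sshd runs with StrictModes enabled.

```shell
#!/bin/sh
# Added example (not from the original post): audit the file modes that
# sshd and ssh check before public key authentication will work.
# audit_ssh_home is a hypothetical helper; it assumes GNU stat.

audit_ssh_home() {
    home=$1
    problems=0

    # With StrictModes, sshd refuses public key logins if the home directory,
    # ~/.ssh or authorized_keys is writable by group or other (mode bits 022).
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c %a "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path (mode $mode): group/other may write"
            problems=$((problems + 1))
        fi
    done

    key="$home/.ssh/id_rsa"
    if [ -f "$key" ]; then
        # The ssh client refuses a private key that group/other can access.
        mode=$(stat -c %a "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "EXPOSED  $key (mode $mode): accessible beyond the owner"
            problems=$((problems + 1))
        fi
        # Legacy PEM keys carry an ENCRYPTED header only when a passphrase is
        # set; newer OPENSSH-format keys cannot be judged this way.
        if grep -q 'BEGIN RSA PRIVATE KEY' "$key" && ! grep -q 'ENCRYPTED' "$key"; then
            echo "NOPASS   $key: stored without a passphrase"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Run against a home directory given on the command line, e.g. /home/git.
[ -z "${1:-}" ] || audit_ssh_home "$1"
```

A key created with an empty passphrase, as in the steps above, is reported as NOPASS; anyone who can read that file can log in as the git account.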
We have now configured our Windows Server 2008 machine with Git and an account to use with SSH access. In the next blog post, I’ll cover installation and configuration of Gitosis to secure access and authentication of repositories.