
Setting up a Git server with Windows Server 2008 - Shannon Cornish

 ShangShujie 2010-07-22

Setting up a Git server with Windows Server 2008

I’m in the middle of setting up a Git server at work and needed to document the process that I used for installation, setup and administration. I figured the best place to put the documentation was to blog about it so that others might benefit and improve it.

The server operating system we’re running is Windows Server 2008.

What is Git?

Git is a distributed version control system originally developed by Linus Torvalds to manage the Linux kernel.

Git is available on Windows using Cygwin or msysGit.

For the server installation, I’ve chosen to use the Cygwin version of Git. We will be using an SSH server to authenticate users and allow access to the repositories. Using Cygwin will allow us to use the Cygwin version of OpenSSH for our server.

Installing Cygwin

  • Create the C:\Cygwin directory.
  • Create the C:\Cygwin\packages directory.
  • Modify the permissions on the C:\Cygwin directory to grant the USERS group modify permissions.
  • Download the Cygwin setup package into the C:\Cygwin directory and run the setup.
  • Use the following options for the Cygwin setup package:
    • Choose Installation Type
      • Leave default Install from Internet
    • Choose Installation Directory
      • Leave default root directory C:\Cygwin
      • Leave default install for All Users
      • Leave default text file type Unix/binary
    • Select Local Packages Directory
      • Change local packages directory to C:\Cygwin\packages
    • Select Connection Type
      • Leave default direct connection
    • Choose Download Site(s)
    • Select Packages
      • Select Devel > git
      • Select Devel > git-completion
      • Select Devel > git-gui
      • Select Devel > gitk
      • Select Net > openssh
      • Select Python > python
    • Installation Status and Create Icons
      • Leave default create icon on Desktop
      • Leave default Add icon to Start Menu
  • Modify the C:\Cygwin\cygwin.bat file to set the CYGWIN environment variable. The whole file should appear as follows:
    @echo off
    set CYGWIN=binmode tty ntsec
    c:
    chdir c:\cygwin\bin
    bash --login -i
  • Run Cygwin from the desktop. It should display:
    Copying skeleton files.
    These files are for the user to personalise
    their cygwin experience.
    These will never be overwritten.
    './.bashrc' -> '/home/Administrator//.bashrc'
    './.bash_profile' -> '/home/Administrator//.bash_profile'
    './.inputrc' -> '/home/Administrator//.inputrc'
  • Execute
    mount -s --change-cygdrive-prefix /
  • Execute
    mkdir -p /home
  • Execute
    chmod +r /etc/passwd
    chmod +r /etc/group
    chmod 755 /var

  • Close the Cygwin bash prompt

Installing OpenSSH

  • Open the Cygwin bash prompt as an Administrator via right clicking and selecting Run as administrator.
  • Execute
    ssh-host-config
  • You should see
    *** Info: Generating /etc/ssh_host_key
    *** Info: Generating /etc/ssh_host_rsa_key
    *** Info: Generating /etc/ssh_host_dsa_key
    *** Info: Creating default /etc/ssh_config file
    *** Info: Creating default /etc/sshd_config file
    *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
    *** Info: However, this requires a non-privileged account called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
    *** Query: Should privilege separation be used? (yes/no)
  • Type
    yes
        
  • You should see
    *** Info: Note that creating a new user requires that the current account have
    *** Info: Administrator privileges.  Should this script attempt to create a
    *** Query: new local account 'sshd'? (yes/no)
  • Type
    yes
        
  • You should see
    *** Info: Updating /etc/sshd_config file
    *** Warning: The following functions require administrator privileges!
    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no)
  • Type
    yes
        
  • You should see
    *** Info: Note that the CYGWIN variable must contain at least "ntsec"
    *** Info: for sshd to be able to change user context without password.
    *** Query: Enter the value of CYGWIN for the daemon: [ntsec]
  • Type
    binmode tty ntsec
        
  • You should see
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires.  You need to have or to create a privileged
    *** Info: account.  This script will help you do so.
    *** Info: You appear to be running Windows 2003 Server or later.  On 2003
    *** Info: and later systems, it's not possible to use the LocalSystem
    *** Info: account for services that can change the user id without an
    *** Info: explicit password (such as passwordless logins [e.g. public key
    *** Info: authentication] via sshd).
    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless a similar account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.
    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.
    *** Info: No privileged account could be found.
    *** Info: This script plans to use 'cyg_server'.
    *** Info: 'cyg_server' will only be used by registered services.
    *** Query: Do you want to use a different name? (yes/no)
  • Type
    no
        
  • You should see
    *** Query: Create new privileged user account 'cyg_server'? (yes/no)
        
  • Type
    yes
        
  • You should see
    *** Info: Please enter a password for new user cyg_server.  Please be sure
    *** Info: that this password matches the password rules given on your system.
    *** Info: Entering no password will exit the configuration.
    *** Query: Please enter the password:
  • Type and confirm a password for the new ‘cyg_server’ account.
  • After confirming the password, you should see
    *** Info: User 'cyg_server' has been created with password 'azxggsri7#35z'.
    *** Info: If you change the password, please remember also to change the
    *** Info: password for the installed services which use (or will soon use)
    *** Info: the 'cyg_server' account.
    *** Info: Also keep in mind that the user 'cyg_server' needs read permissions
    *** Info: on all users' relevant files for the services running as 'cyg_server'.
    *** Info: In particular, for the sshd server all users' .ssh/authorized_keys
    *** Info: files must have appropriate permissions to allow public key
    *** Info: authentication. (Re-)running ssh-user-config for each user will set
    *** Info: these permissions corrently. [Similary restrictions apply, for
    *** Info: instance, for .rhosts files if the rshd server is running, etc].
    *** Info: The sshd service has been installed under the 'cyg_server'
    *** Info: account.  To start the service now, call `net start sshd' or
    *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
    *** Info: after the next reboot.
    *** Info: Host configuration finished. Have fun!
  • Execute
    net start sshd
  • Open the Windows Firewall Editor and create an exception to allow TCP traffic on port 22.

Creating a Git user account for SSH access

Single SSH account will run under.

  • Create a ‘git’ account via the standard Windows tools and make sure to disable password expiry.
    The account should be a member of the USERS group.
  • Open the Cygwin bash prompt and type
    mkpasswd -l -u git -p /home >> /etc/passwd

  • Log out of the Administrator account and login as the git account.
  • Run Cygwin from the desktop. It should display:
    Copying skeleton files.
    These files are for the user to personalise
    their cygwin experience.
    These will never be overwritten.
    './.bashrc' -> '/home/git//.bashrc'
    './.bash_profile' -> '/home/git//.bash_profile'
    './.inputrc' -> '/home/git//.inputrc'
  • Execute
    ssh-user-config
  • You should see
    *** Warning: group and other have been revoked write permission to your home
    *** Warning: directory /home/git.
    *** Warning: This is required by OpenSSH to allow public key authentication using
    *** Warning: the key files stored in your .ssh subdirectory.
    *** Warning: Revert this change ONLY if you know what you are doing!
    *** Query: Shall I create an SSH1 RSA identity file for you? (yes/no)
  • Type
    no
  • You should see
    *** Query: Shall I create an SSH2 RSA identity file for you? (yes/no)
  • Type
    yes
  • You should see
    *** Info: Generating /home/git/.ssh/id_rsa
    Enter passphrase (empty for no passphrase):
  • Press enter to create with an empty passphrase and press enter again to confirm.
  • You should see
    *** Query: Do you want to use this identity to login to this machine? (yes/no)
        
  • Type
    yes
  • You should see
    *** Info: Adding to /home/git/.ssh/authorized_keys
    *** Query: Shall I create an SSH2 DSA identity file for you? (yes/no)
  • Type
    no
  • You should see
    *** Info: Configuration finished. Have fun!
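
The permission requirements that ssh-user-config reports above (home directory and .ssh not writable by group or other) and the exposure of the private key created with an empty passphrase can be checked from the Cygwin bash prompt. This is an added example, not part of the original post; the function names audit_ssh_home and mode_has are hypothetical, and it assumes GNU stat from Cygwin's coreutils package.

```bash
#!/bin/bash
# Added example: audit the file modes OpenSSH expects for public key logins.
# Usage: save as a script and run it with the home directory, e.g. /home/git

# True when octal mode $1 has any of the permission bits in octal mask $2.
mode_has() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# Prints one line per problem, sets audit_findings, returns 0 only when clean.
audit_ssh_home() {
    home=$1
    audit_findings=0
    # sshd refuses public key logins when any of these is writable
    # by group or other (the warning printed by ssh-user-config).
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            audit_findings=$((audit_findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$path")
        if mode_has "$mode" 022; then
            echo "WRITABLE $path (mode $mode): chmod go-w"
            audit_findings=$((audit_findings + 1))
        fi
    done
    # The private key has no passphrase, so its file mode is the only
    # protection: group and other must have no access at all.
    for key in "$home"/.ssh/id_*; do
        [ -e "$key" ] || continue
        case $key in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$key")
        if mode_has "$mode" 077; then
            echo "EXPOSED  $key (mode $mode): chmod 600"
            audit_findings=$((audit_findings + 1))
        fi
    done
    [ "$audit_findings" -eq 0 ]
}

# Run the audit when a home directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_ssh_home "$1"
fi
```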

We have now configured our Windows Server 2008 machine with Git and an account to use with SSH access. In the next blog post, I’ll cover installation and configuration of Gitosis to secure access and authentication of repositories.
