The recommended installation instructions add a regular git user that the sysadmin may switch to in order to use the bypass SSH key.

This is convenient, as it provides an easy way to use the bypass key and lets gitano-setup deduce common config options. However, it can be awkward if you no longer have log-in access after setup, and it may feel instinctively wrong to have git be a regular user when system users are traditionally used for services.

First we need to create the user.

$ sudo useradd --system --home-dir /var/lib/gitano git
$ sudo install -d -o git /var/lib/gitano

Then we need to create the keys and put them somewhere the git user is permitted to read.

$ ssh-keygen -t rsa -N '' -f ~/.ssh/gitano-admin
$ ssh-keygen -t rsa -N '' -f ~/.ssh/gitano-bypass
$ sudo install -o git ~/.ssh/gitano-admin.pub /var/lib/gitano/admin.pub
$ sudo install -o git ~/.ssh/gitano-bypass.pub /var/lib/gitano/bypass.pub

Then we run gitano-admin and let it know where the keys are. It can infer the

$ sudo -u git -H gitano-setup
[gitano-setup] Welcome to the Gitano setup process
[gitano-setup] Performing system checks
[gitano-setup] ... Checking supple sandboxing
[gitano-setup] System checks out
[gitano-setup] Step 1: Determine everything
Home directory for new Gitano user [/var/lib/gitano]: 
SSH directory for new Gitano user [/var/lib/gitano/.ssh]: 
Public key file for bypass user: /var/lib/gitano/bypass.pub
Public key file for admin user [/var/lib/gitano/admin.pub]: 
Repository path for new Gitano instance [/var/lib/gitano/repos]: 
User name for admin user [admin]: 
Real name for admin user [Administrator]: 
Email address for admin user [admin@administrator.local]: 
Key name for administrator [default]: 
Site name [a random Gitano instance]: 
Site log prefix [gitano]: 
Store passwords with htpasswd? (needed for http authentication) [no]: 
Path to skeleton gitano-admin content [/usr/share/gitano/skel/gitano-admin]: 

To use these keys, tell ssh which identity file to use with -i:

$ ssh -i ~/.ssh/gitano-bypass git@localhost whoami
[gitano] **** ALERT **** ALERT ****  PAY CAREFUL ATTENTION  **** ALERT **** ALERT ****
[gitano] **** You are acting as the bypass user.  Rules and hooks WILL NOT APPLY  ****
[gitano] **** ALERT **** ALERT **** DO NOT DO THIS NORMALLY **** ALERT **** ALERT ****
[gitano] **** DANGER **** SOMETHING RISKY HAPPENING **** DANGER ****
[gitano] **** An ACL check was bypassed thanks to gitano-bypass ****
[gitano] **** DANGER **** ACL BYPASS IS VERY RISKY  **** DANGER ****
    User name: gitano-bypass
    Real name: Special site-wide rule/hook bypass user
Email address: admin@administrator.local
      SSH key: initial => user@localhost [*]
$ ssh -i ~/.ssh/gitano-admin git@localhost whoami
    User name: admin
    Real name: Administrator
Email address: admin@administrator.local
      SSH key: default => user@localhost [*]
    In groups: gitano-admin: Gitano Instance Administrators

Git operations can be instructed to use different keys by setting GIT_SSH_COMMAND.

$ GIT_SSH_COMMAND="ssh -i ~/.ssh/gitano-admin" git clone ssh://git@localhost/gitano-admin.git
Cloning into 'gitano-admin'...
remote: Counting objects: 24, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 24 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (24/24), 5.07 KiB | 0 bytes/s, done.
Checking connectivity... done.

This is awkward because it requires GIT_SSH_COMMAND to be set before every fetch and push. This can be improved by using the ext:: remote helper.

$ git clone "ext::ssh -i ~/.ssh/gitano-admin git@localhost %S gitano-admin.git" gitano-admin

However, it's often best to modify your ssh configuration to pick the key. Consult ssh's documentation for details.
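
One way to do this is with host aliases in ~/.ssh/config. This is an added example, not part of the original page; the alias names gitano-admin and gitano-bypass are assumptions chosen for illustration, and the key paths are the ones generated above.

```sshconfig
# Constructed example for ~/.ssh/config.
# The Host aliases below are hypothetical names, not something Gitano defines.

# Day-to-day administration: authenticate with the admin key only.
# IdentitiesOnly stops ssh from offering other keys held by ssh-agent,
# so the server always sees the key named in IdentityFile.
Host gitano-admin
    HostName localhost
    User git
    IdentityFile ~/.ssh/gitano-admin
    IdentitiesOnly yes

# The bypass key gets its own alias so it is only used when asked for by name.
Host gitano-bypass
    HostName localhost
    User git
    IdentityFile ~/.ssh/gitano-bypass
    IdentitiesOnly yes
```

With this in place, ssh gitano-admin whoami and git clone ssh://gitano-admin/gitano-admin.git select the admin key without -i or GIT_SSH_COMMAND, and the bypass key is used only when the gitano-bypass alias is named explicitly.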