@zhujunsan
Last active April 14, 2024 02:35
Using Github Deploy Key

What / Why

A deploy key is an SSH key attached to a single repo that grants a client read-only (or, if you choose, read/write) access to that repo.

As the name says, its primary use is in a deploy process, in place of a username/password, where only read access is needed. A read-only key keeps the repo safe from tampering even if the server holding the key is compromised.

How to

  1. Generate an SSH key

    Run ssh-keygen -t rsa -b 4096 -C "{email}" and leave the passphrase empty, since the deploy process has to run without a keyboard.

    After generation, the files id_rsa (private key) and id_rsa.pub (public key) can be found in the .ssh folder.

  2. Add the public key to the repo's "Deploy keys" setting

    cat ~/.ssh/id_rsa.pub

    URL: https://github.com/{user}/{repo}/settings/keys

  3. Set up the SSH key for the git client on the deploy machine

    Git normally uses the SSH key found at .ssh/id_rsa under the user's home folder, so first find out the home directory of the user that will run git.

    For example, on Ubuntu/Debian the default home directory of user www-data is /var/www, so the key file is /var/www/.ssh/id_rsa.

    Then copy the id_rsa file from Step 1 to that directory.

    You can test the connection with:

    sudo -u {user} ssh -T git@github.com

    You might need to add GitHub's host key to that user's known_hosts first.

    If everything went well, you will see:

    Hi {user}! You've successfully authenticated, but GitHub does not provide shell access.

    Then you are all set!

    Attention: make sure your repo URL uses the SSH form, not HTTPS, i.e. use

    git@github.com:{user}/{repo}.git

    not

    https://github.com/{user}/{repo}.git

Using multiple deploy keys for different repos on the same machine

You can use the ~/.ssh/config file to configure a different SSH key for each repo. For details, follow the instructions in Ref. 3 below.
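The three steps above and the multiple-key section, as an added example that is not part of the original gist: a POSIX shell snippet that installs a deploy key for a service user with the file modes ssh accepts, rewrites an HTTPS remote into the git@ form, and emits one ~/.ssh/config Host entry per repo. The alias name github-app, the key file name id_rsa_app and the acme/app repo are constructed for the demo; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original gist. Assumed conventions: one key file per
# repo (e.g. id_rsa_app) and one Host alias per repo (e.g. github-app).
set -eu

# Step 3: install a private key into the deploy user's ~/.ssh with the modes ssh
# accepts (700 on .ssh, 600 on the key). Run via sudo for a service user such as
# www-data; the files must also be owned by that user (chown), otherwise ssh
# reports "Bad owner or permissions".
install_deploy_key() {
  home="$1"; src="$2"; name="${3:-id_rsa}"
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  cp "$src" "$home/.ssh/$name" && chmod 600 "$home/.ssh/$name"
}

# Check that a path has exactly the expected permission bits (GNU stat; on
# BSD/macOS use stat -f '%Lp' instead). Returns 0 when they match.
perm_ok() {
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Step 3, "Attention": turn an HTTPS GitHub URL (or an existing git@ URL) into the
# SSH form. The optional second argument is a Host alias from ~/.ssh/config, used
# when one machine holds several deploy keys.
ssh_remote() {
  url="$1"; host="${2:-github.com}"
  repo=$(printf '%s' "$url" | sed -E 's#^(https://github\.com/|git@github\.com:)##; s#\.git$##')
  printf 'git@%s:%s.git\n' "$host" "$repo"
}

# Multiple deploy keys: one Host entry per repo. IdentitiesOnly stops ssh from
# offering every agent-loaded key first, which is what produces the "wrong key" /
# "Repository not found" symptom when several deploy keys are present.
ssh_config_entry() {
  printf 'Host %s\n  HostName github.com\n  User git\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed demo in a temp dir; for real use substitute /var/www and www-data.
demo() {
  tmp=$(mktemp -d)
  printf 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n' > "$tmp/id_rsa_app"
  install_deploy_key "$tmp/home" "$tmp/id_rsa_app" id_rsa_app
  ssh_config_entry github-app "$tmp/home/.ssh/id_rsa_app" >> "$tmp/home/.ssh/config"
  chmod 600 "$tmp/home/.ssh/config"
  ssh_remote https://github.com/acme/app.git github-app   # git@github-app:acme/app.git
  rm -rf "$tmp"
}
```

After the Host entry exists, clone with the alias (git clone git@github-app:acme/app.git) so ssh picks that repo's key and nothing else.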

Reference

  1. Read-only deploy keys

  2. Generating SSH keys

  3. Using Multiple Github Deploy Keys for a Single User on a Single Linux Server

@zhujunsan
Author

You might wanna use this for www-data

sudo mkdir /var/www
sudo chown -R www-data:www-data /var/www/
sudo -u www-data ssh-keygen -t rsa -b 4096 -C "{hostname}"


ghost commented Jan 16, 2017

Typo: id_rsa (not id_ras)

  1. add ssh key to repo's "Deploy keys" setting
    cat .ssh/id_ras.pub

should be

cat .ssh/id_rsa.pub

@doublesharp

Hi - I needed to use multiple SSH deploy keys on a single server with Jenkins and used the link in #3 as a reference. Unfortunately it does contain some errors as well as broken formatting that make it a bit hard to follow, so I wrote a blog post as a reference for myself. If it's useful to anyone else you can see it here: https://www.justinsilver.com/technology/github-multiple-repository-ssh-deploy-keys/

@dealsumm

dealsumm commented May 2, 2018

If you are using multiple Github Deploy Keys and SSH seems to be offering the wrong key, you may need to add the identity first.

ssh-add ~/.ssh/id_name_of_my_rsa_key

source: https://serverfault.com/a/825853

@onlineth

onlineth commented Jan 8, 2019

You should consider changing cat .ssh/id_ras.pub to cat ~/.ssh/id_rsa.pub, because of the "rsa" typo and in case someone is in a different directory when running these commands.

@f055

f055 commented Mar 27, 2019

If during a single ssh session you add two deploy keys using ssh-add, then git clone and presumably other commands only read the first one – meaning you can get the weird repository not found errors, even though keys were correctly added to the agent.

@djsegfault

Thank you for the tip on using git@github.com instead of https://. The directions I was following didn't mention that, and I couldn't get it to work until I found this.

@zhujunsan
Author

Thank you for the tip on using git@github.com instead of https://. The directions I was following didn't mention that, and I couldn't get it to work until I found this.

Happy to help : )

@zhujunsan
Author

Typo: id_rsa (not id_ras)

  1. add ssh key to repo's "Deploy keys" setting
    cat .ssh/id_ras.pub

should be

cat .ssh/id_rsa.pub

Just saw, fixed, thanks

@asgharhussain

This works for me, but I don't put in the owner for the git command.

@vbalas

vbalas commented Feb 12, 2021

Can you provide the commands for Windows also?

@zhujunsan
Author

Can you provide the commands for Windows also?

On Windows it's a little bit more complicated. Which environment do you use? Git from git-scm (which uses MinGW as its shell environment), Git from GitHub (I don't know, I'm not using it, but I assume it should be easy to do, as there should be some official docs about this), or WSL (which is almost the same as the Linux one)?

@MichaelCurrin

MichaelCurrin commented Feb 22, 2021

Typo fix:

-protocl
+protocol

@zhujunsan
Author

Typo fix:

-protocl
+protocol

Done

@geoidesic

This doesn't work for me on linux. Firstly the link in point 3 goes to a pretty broken looking page.
The error I get is:

Bad owner or permissions on /home/user/.ssh/config
fatal: Could not read from remote repository.

It's not clear to me what linux user the git clone command is running as but it doesn't seem to be the user that is running the git clone command.

@zhujunsan
Author

This doesn't work for me on linux. Firstly the link in point 3 goes to a pretty broken looking page. The error I get is:

Bad owner or permissions on /home/user/.ssh/config
fatal: Could not read from remote repository.

It's not clear to me what linux user the git clone command is running as but it doesn't seem to be the user that is running the git clone command.

URL in point 2? The user and repo in there should be replaced with your real user name and repo name.

The owner of /home/user/.ssh/config should be 'user' (if your username is 'user'), and its permissions should be 600 as I remember, which makes the file accessible to 'user' only.

@geoidesic

geoidesic commented Sep 6, 2022

URL in point 2? The user and repo in there should be replaced with your real user name and repo name.

No. Reference point 3.

@zhujunsan
Author

URL in point 2? The user and repo in there should be replaced with your real user name and repo name.

No. Reference point 3.

Thanks. The link has been updated.

@mkalmady

What is the process to sync a repo from external Bitbucket to GitHub?

@zhujunsan
Author

What is the process to sync a repo from external Bitbucket to GitHub?

I think this question is not related to the topic, and I don't quite understand what kind of sync you are referring to. If you want to do it once, you can set up a GitHub repo as a mirror in the original git folder and push.

@enrichilversum

enrichilversum commented Sep 19, 2023

So, to use a deploy key I have to:

  • create an ssh key
  • add it to a repo
  • delete the repo you had cloned and to which you wanted to push stuff
  • clone it again

And this when the repo is public. Correct?

Or is there a way to use a deploy key when you already have a github repo?
And what do you do with the SSH key that you use with your user? You can't use that as deploy key, so basically, the owner of the repo cannot push... Or do I understand it wrongly?

@zhujunsan
Author

So, to use a deploy key I have to:

  • create an ssh key
  • add it to a repo
  • delete the repo you had cloned and to which you wanted to push stuff
  • clone it again

And this when the repo is public. Correct?

Or is there a way to use a deploy key when you already have a github repo? And what do you do with the SSH key that you use with your user? You can't use that as deploy key, so basically, the owner of the repo cannot push... Or do I understand it wrongly?

I don't quite understand what you want to ask here.

Deploy keys are just SSH keys, and git can authenticate through SSH keys. That's the basic idea.

It's called a deploy key because it is used, by design, if I understand it correctly, to pull code only, for machines that are in production-like environments. Therefore, even if the key is leaked, your repo should still be safe from tampering.

So, if the repo is public, you don't need this kind of authentication to pull code; just git pull xxx.

If you already have a private GitHub repo and want to use a deploy key, add the public key to the repo as in Step 2 written above.

Linux user SSH keys are the same, but when logging into Linux, your Linux server has the public key and your client has the private key. After login, if you need to log into GitHub through the SSH protocol, your server should have the private key and GitHub the public key. It is bad practice for both the private key and the public key to be on the same machine and used in different scenarios.

I don't know if I answered your question.
