I try to clone a private organization github repo onto a server instance, running debian. I try to avoid putting in my private SSH keys, because if they would get leaked, someone would have access to all of my repositories.
Hence I found the way of using deploy keys for private github repos. The way I imagine them to work is the following
create ssh keys on your server
add private key to github repo (under "deploy keys" area)
add config file in ~/.ssh folder on your server
you can git clone the github repository.
Unfortunately, with this setup I am receiving an error that I do not have the correct permissions set.
My config file:
Host github
Hostname github.com
User git
IdentityFile ~/.ssh/MY-REPONAME-gh
When trying to clone via SSH: git clone git#github.com:ORGNAME/MY-REPONAME.git
I receive this error:
Cloning into 'MY-REPONAME'...
git#github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I'm setting up a laravel website with a Digital Ocean droplet.
This process is so difficult and frustrating, I'm losing logic sense...
I'm connected with an ssh key that is connected with github, because I tried this code to test my connection:
ssh -T git#github.com
with this as response:
> Hi (My name)! You've successfully authenticated, but GitHub does not
> provide shell access.
So it is connected.
However, when I want to clone my repository into my online droplet. I get the error:
git#github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
So I have no idea how to fix this..
My ssh key inside my digital ocean settings is the same as in my github ssh settings.
Any ideas how to fix this?
I've found the solution myself!
So what was the problem?
I was using the ssh key from my localhost as an access key for cloning private github repositories. That is why I couldn't clone into an online service because that online service has it's own specific ssh key. So inside my server, I generated an ssh-key and registered that one on github. When I tried cloning me repo inside my droplet
everything worked as it should do.
I configured the SSH based authentication as below
Created a public key on my UNIX server
Added the public key on my Bitbucket repository with reading and write privileges (also tried it at account level)
changed the URL from https to SSH at bitbucket and Unix server
verified the URL using and it is displaying SSH URL only
Then Tried to push, but I am getting the below error:
Permission denied (public key). fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
I have read and write access to the repository
push command
git push -u origin master
Any idea?
You should try:
GIT_SSH_COMMAND="ssh -Tv" git push
You will see what Git is using as an SSH key, and if there are any error messages.
If the error persists, it is possible there is something preventing SSH to operate properly (as in here, when not connected to a VPN)
Using HTTPS, of course, is a workaround:
git remote set-url origin https://git#bitbucket.XXX.com/XXX.com/XXX.git
After discussion, the missing step was to add the private key to the ssh-agent
ssh-add OEDQ_BIT added the private key
As discussed here and here, it seems that connecting to github repo via SSH protocol requires a newly generated key.
I just tried today on my EC2 instance and failed to git pull my github repo; i.e. reusing a key pair generated on another EC2 instance is not working.
So I want to raise the issue here so that we all can confirm this - Is it required to regenerate ssh key for new EC2 instance when git clone a github repo?
p.s.
What I have done and failed on Ubuntu Server 14.04 are as below.
ssh key files
cloned key in ~/.ssh
public key registered in github
calling git
run ssh -vT git#github.com
run git clone git#github.com:MY_USER/MY_PROJECT.git MY_FOLDER get Public key denied error
So I want to raise the issue here so that we all can confirm this - Is it required to regenerate ssh key for new EC2 instance when git clone a github repo?
in brief
No need for re-generated key.
details
Reusing the key from different instance SHOULD WORK too, but you need to place it to the proper location with the correct permissions.
You may try
Restart your SSH connection to the EC2.
Specify the private key via GIT_SSH_COMMAND prefix
sudo GIT_SSH_COMMAND="ssh -i ~/.ssh/YOUR_PRIVATE_KEY" git clone git#github.com:USER/PROJECT.git YOUR_LOCAL_DIR
p.s.
You can clone over HTTPS without any SSH key.
Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git#github.com, I am always asked my passphrase, but I am always eventually authenicated. (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins#alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)
Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty
To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git#github.com (change address according to your git server)
I got around this problem by simply leaving the passphrase empty when creating the keys.
I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*
To check are the following:
if the right public key (id_rsa.pub) is uploaded to the git-server.
jenkins user will access to github -> to CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git#github.com to see debug logs. If thing goes well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git#github.com
Dont try to do config in jenkins until ssh works!
If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match
For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1.Remove all Public and Private keys located at /Users/Username/.ssh
2.Remove all the credentials saved under the Credentials tab in Jenkins.
3.Remove the existing Public SSH keys defined in the Github Repository Settings.
4.Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5.Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.
6.In Jenkins,create new credentials by adding the private SSH key(id_rsa) for your Github username.
7.The Error should be removed now.
keys need to generated from jenkins user.
sudo su jenkins
ssh-keygen
once the key is generated, it should be added as ssh key in bitbucket or github.