Capistrano 3 deployment with multiple developers from GitHub using forward agent - github

I have an existing Capistrano 3 deployment script which I run on my local machine (MacBook). I use agent forwarding and connect with my public SSH key. This all works fine, I have my SSH key added to GitHub and deployments work like a treat with no password. So, now I have a new developer that needs to also be able to deploy from his own machine. Firstly I have added his public SSH key to the server and added to known hosts so he has SSH access.
What do I need to do now so that agent forwarding works for him too?
I tried to copy his public key to the SSH keys in my GitHub account, but it showed an error saying the key was already added. I don't understand why I get this error as only my own SSH key has been added. Should I give him access to the GitHub repository and then he adds his SSH key to his own account?
Does the public key named in the deploy script need to be the same as it is named on the server or as it is on his machine?
Thanks for any help with this, I can't find anything online for this scenario.

Should I give him access to the GitHub repository and then he adds his SSH key to his own account?
Yes. The preferred way to do this is to give the new developer access to the GitHub project via his account.
You also add his public key to .ssh/authorized_keys on the server so that he can deploy. At this point, deployment should work for both of you using your own keys.

Related

Deploying with Different SSH Keys via Github

I'm trying to deploy my app to Vultr.
I have two different repositories for the front and back app.
I created an SSH key on the server and added it to the deploy keys section of my backend repository on GitHub.
I can pull the backend app, it's OK.
But when I try to add the same SSH key into the deploy keys section of the frontend app, it says "key is already in use".
Then I created another SSH key on the server and added it into the deploy keys of the frontend repository.
But that time when I try to clone the app it tries to read the SSH key that I first created...
I think I need something like "clone by using a specific SSH key". How can I fix this?
Or is there an easier way to deploy different apps using SSH?
To use your second key, you need to reference it in a ~/.ssh/config file with:

    Host deploy
        Hostname github.com
        User git
        IdentityFile ~/.ssh/yourSecondSSHKey

Then:

    git clone deploy:YourGithubName/YourAppRepository

That would force Git/SSH to use your second key.
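The alias approach from this answer, extended to one alias per repository with IdentitiesOnly set so that ssh offers only the pinned key; this is an added example, not part of the original answer. The alias names, key paths, repository name and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Alias names, key paths and repository names are assumptions.

# Print one ssh_config stanza that pins a host alias to a single deploy key.
# IdentitiesOnly keeps ssh from offering agent or default keys first, which is
# how the server's first key ends up being tried against the second repository.
deploy_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName github.com\n'
    printf '    User git\n'
    printf '    IdentityFile %s\n' "$2"
    printf '    IdentitiesOnly yes\n\n'
}

# Read "alias keyfile" pairs on stdin and print the complete config.
build_config() {
    while read -r name key; do
        [ -n "$name" ] && deploy_stanza "$name" "$key"
    done
    return 0
}

# Rewrite git@github.com:owner/repo.git so it goes through the alias.
alias_url() {
    case $2 in
        git@github.com:*) printf '%s:%s\n' "$1" "${2#git@github.com:}" ;;
        *) echo "not a github.com SSH remote: $2" >&2; return 1 ;;
    esac
}

# Ask ssh which key file it would use for an alias, without connecting.
# Needs an OpenSSH client that supports -G; $1 = config file, $2 = alias.
resolved_key() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2; exit }'
}

# Demo with constructed values: one key per repository.
demo_config() {
    build_config <<'EOF'
github-backend /home/deploy/.ssh/backend_deploy
github-frontend /home/deploy/.ssh/frontend_deploy
EOF
}
demo_config
alias_url github-frontend git@github.com:YourGithubName/YourFrontendRepository.git
```

Append the printed stanzas to ~/.ssh/config on the server and use the rewritten URL as the remote; resolved_key confirms which key file an alias maps to before any connection is made.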

Create new SSH keys w/ new server, or use existing key?

In the myhome/.ssh/ directory are local SSH keys for my personal GitHub account, the directory has the id_rsa and id_rsa.pub files that allow me to authenticate with GitHub.
I am setting up a server (compute engine on GCP), and this server needs these keys because it needs to authenticate to my GitHub to pull a repo. Should I either:
1. transfer over / SCP the currently-existing id_rsa, id_rsa.pub that I have locally onto the server, and use those on the server.
2. create a brand new SSH key on the server, and use this key. Add it to my GitHub profile.
3. it doesn't matter, either (1) or (2) is fine.
4. or something else?
(2) seems like the right approach, but we are not certain.
Indeed option 2. As a best practice, you should not share the same private key.
Go ahead and generate a new SSH key following the docs: https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh

SSH access to GitHub repository

I have followed the process described in Multiple GitHub Accounts & SSH Config (stefano's answer) and have set up SSH access to multiple repositories using deploy keys. I've tried that on repositories of a specific GitHub organization and it works fine - I can pull and push changes. I've also tried this on my user area and it still works great.
However, when trying this on repositories in another GitHub organization (e.g. when doing a git push) it fails with the following error:
ERROR: Permission to XXXX/YYYY.git denied to deploy key
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
When checking SSH access through ssh -T I get
"Hi XXX/YYYY! You've successfully authenticated, but GitHub does not provide shell access."
which suggests that SSH should be working.
I have gone through the organization settings (main page for GitHub organization > Settings) and they have pretty much identical settings, except for what you would expect to be different, e.g. contact email etc.
I was wondering if anyone has any ideas about what could be causing this. Are there any more organization settings somewhere by any chance?
ERROR: Permission to XXXX/YYYY.git denied to deploy key
This looks like you are trying to push using a deploy key. This key is used for deployment and therefore has only read-only access to your repository. Make sure you have the key which is enrolled in your GitHub account, make sure it is used (IdentityFile in ~/.ssh/config) and get rid of the deploy key from the standard location which is picked by default (~/.ssh/id_{rsa,dsa,ecdsa,ed25519}). Note that if there are more "valid" keys, only the first succeeds.
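One way to confirm which key actually authenticated, as an added example that is not part of the original answer: when the key is a deploy key, GitHub's greeting names owner/repo (as in the question's "Hi XXX/YYYY!"), whereas an account key is greeted with the user name. The capture below is constructed, the function names are hypothetical, and the "Server accepts key" line follows the debug format of recent OpenSSH clients.

```shell
#!/bin/sh
# Added example. Key paths and fingerprints in the sample are constructed.

# Identity GitHub greeted us as, taken from `ssh -T git@github.com` output.
greeting_identity() {
    sed -n "s/^Hi \([^!]*\)! You've successfully authenticated.*/\1/p" | head -n 1
}

# "deploy-key" when the greeting names owner/repo, "account" when it names a user.
key_kind() {
    case $1 in
        "") echo unknown ;;
        */*) echo deploy-key ;;
        *) echo account ;;
    esac
}

# Key file the server accepted, from `ssh -v` debug lines (format of recent
# OpenSSH clients; older clients print this line differently).
accepted_key() {
    awk '/^debug1: Server accepts key: / { print $5; exit }'
}

# Summarise captured `ssh -vT git@github.com 2>&1` output read from stdin.
diagnose() {
    out=$(cat)
    id=$(printf '%s\n' "$out" | greeting_identity)
    printf 'identity=%s kind=%s key=%s\n' "$id" "$(key_kind "$id")" \
        "$(printf '%s\n' "$out" | accepted_key)"
}

# Constructed capture matching the situation in the question.
sample_capture() {
    cat <<'EOF'
debug1: Offering public key: /home/dev/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug1: Server accepts key: /home/dev/.ssh/id_rsa RSA SHA256:CONSTRUCTED
Hi XXXX/YYYY! You've successfully authenticated, but GitHub does not provide shell access.
EOF
}
sample_capture | diagnose
```

A result of kind=deploy-key for a repository you need to push to means the default key file is the deploy key, which is the case the answer describes.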

How to gain SSH access from an AWS instance to another without private key?

I have an SSH keypair: private lives on my local Mac, public lives on several AWS cloud machines.
From my Mac, I can SSH to a cloud instance, call it "deploy server". From there, I need to deploy my application to several instances (I cannot deploy locally).
I authenticate to the other instances with my private key. I can do this by either leaving my private key on the deploy server (insecure), or SSH Agent Forwarding (probably not much better).
Moreover, the deploy takes a while, so I do it in a GNU screen or tmux session; then I just detach and end the SSH session with the deploy server, meaning I cannot use SSH Agent Forwarding (as I believe it requires the SSH connection to remain open).
What other options are available to me?
You can use a deploy key. That is a server-specific key that has read-only access to the repository.
To use this, you need to:
1. Generate a private key for the server (ssh-keygen on the server)
2. Set it at the GitHub repo as a deploy key (https://github.com/<user>/<repo>/settings/keys). That will grant read-only permissions to the repo. You have a checkbox if you also need write access to it.
Read more on this GitHub help guide. There you can see more methods for deploying from a server accessing a repository.

Git pulling onto a vm without an ssh key

I'm trying to pull an existing GitHub repo made on my local machine onto a VM running on EC2 that will be used by multiple people. I have some concerns with using an SSH key without a password, so I was wondering if there was any way to pull directly onto the VM either anonymously, or by providing the username and password of the account that originally pushed the repo, so that my personal information won't have to be stored on the VM, and there's no security risk in having someone get ahold of a password-less SSH key for the VM. Is this possible?
Currently running Ubuntu 12.04
I recommend generating a new key and adding it as a deployment key to your specific repo.
These keys are linked to a specific repo, not your account.
A lot of options are also available here.
https://help.github.com/articles/managing-deploy-keys