How does git know who I am when I use ssh to log in? - github

I set up SSH login for github using the following instructions, and although it works, I can't figure out why it works: https://help.github.com/articles/generating-ssh-keys/
My understanding of SSH is as follows: client creates a key pair, client gives public key to server, and when client wants to log in, he encrypts a message of server's choice using his private key to prove that he is really the client.
Now: I upload my public key XXX to Github. When I do "ssh -T git@github.com", Github has to know I am trying to log in as me, so that he can decrypt my message using XXX, right? So ssh has to send that information...but how does ssh know anything about Github, or what my username is? And what if I have multiple key pairs - which key would ssh use?

When you add your SSH public key to your GitHub account, you associate that key with your GitHub account.
By default, the command ssh -T git@github.com searches for id_dsa and id_rsa files. To confirm this, try ssh -T git@github.com -v.
If you have keys associated with different GitHub accounts, you would have to specify the key with -i to use different accounts:
ssh -T git@github.com -i /path/to/mykey

In short:
SSH client sends the public key to the server
Server finds your name according to the public key (unique), but needs to verify that you also have the private key, therefore it sends you some message
Your client signs that message using your private key
Server verifies the signature and if it is valid, you are allowed access
This is based on public key cryptography, especially the digital signature technique (google for more details).

In a shared-account scenario, authentication/authorization is handled by the application.
I'm not sure Github is using it, but one solution for non-shell account authorization is Gitosis, and it is used for precisely the purpose you describe. There are separate key pairs for each user. This much is similar to how Github does things.
The basic notion of how Gitosis works (deferring the authentication and authorization to gitosis) is explained on the app readme page, but the mechanics may require a review of the source code. Based on a cursory examination, it looks like the mechanics of this method are mostly via git hooks on the server.

Related

Github - deleting ECDSA-SK key

A while ago, when learning about the existence of ECDSA-SK keys, I have created such a key and added it to my github account.
Now I am trying to remove it, but it simply does not show up in the list of keys. The list only shows my "regular" SSH key, but not the SK key.
However, the SK key works just fine. I can push/pull with it (even to/from private repos), and when trying to authenticate with it it shows as connected to my github account:
$ ssh -T -ai ~/.ssh/id_rsa.sk git@github.com
Hi bogd! You've successfully authenticated, but GitHub does not provide shell access.
Also, if I try to add it to my account, github tells me "the key is already in use".
So my question is - where do I need to go to remove this key??
From GitHub announcement in May 2021, this is what you should see:
If no "skey" entry is listed:
check if it would be listed when you have your YubiKey in place
check if you can list that key through GitHub API (you would need a token with read:public_key scope)
contact GitHub support to investigate.
The OP Bogd reports in the comments the SK (Security Key) was listed as a Deploy Key
The "-i" argument to SSH only adds the specified key to the list of keys the client will try.
Since I normally always have my RSA key loaded in the agent, it is likely that key was tried first, and that was why the command output did not list the repository.
The command should have been:
ssh -v -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa.sk git@github.com
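An added example (not code from any of the posts above, and not GitHub's or OpenSSH's implementation) that models the two points raised so far: the server identifies the owner purely from the public key, because every client logs in as the user git, and the order in which the client offers keys decides which owner is matched. The key bytes, owner labels and the offer order (agent keys first, then a -i file that is not in the agent) are simplifying assumptions, and the signature check that follows an accepted key is left out.

```python
import base64
import hashlib
import struct

def make_pubkey_line(raw_key: bytes, comment: str, key_type: str = "ssh-ed25519") -> str:
    """Build an authorized_keys-style line around constructed (not real) key bytes."""
    parts = (key_type.encode(), raw_key)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of the key blob, in the form `ssh-keygen -lf` prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KeyRegistry:
    """Server side: everyone logs in as `git`, so the key alone selects the owner."""
    def __init__(self):
        self._owner = {}

    def add(self, owner: str, pubkey_line: str) -> None:
        fp = fingerprint(pubkey_line)
        if fp in self._owner:  # one key maps to exactly one owner
            raise ValueError("key is already in use")
        self._owner[fp] = owner

    def authenticate(self, offered):
        """Return the owner of the first offered key that is registered."""
        for line in offered:
            owner = self._owner.get(fingerprint(line))
            if owner is not None:
                return owner
        return None

def offered_keys(agent_keys, identity_files, identities_only=False):
    """Simplified client order: agent keys first, then -i files not in the agent."""
    if identities_only:
        return list(identity_files)
    return list(agent_keys) + [k for k in identity_files if k not in agent_keys]

# Constructed sample data: two made-up keys and made-up owner labels.
AGENT_KEY = make_pubkey_line(b"\x01" * 32, "key-loaded-in-agent")
SK_KEY = make_pubkey_line(b"\x02" * 32, "key-passed-with-i")
REGISTRY = KeyRegistry()
REGISTRY.add("user account", AGENT_KEY)
REGISTRY.add("deploy key", SK_KEY)

def who_am_i(identities_only: bool):
    return REGISTRY.authenticate(offered_keys([AGENT_KEY], [SK_KEY], identities_only))
```

Calling who_am_i(False) matches the agent key's owner even though the other key was named with -i, while who_am_i(True) matches the owner of the -i key, which is the effect of IdentitiesOnly=yes.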

Github Public Key

What is the benefit of a GitHub "public key"? I created one and added it to the settings in my account. However, when I try to authenticate in my editor, I get the error below. Please help. I created my repo for the heck of learning GitHub, so maybe I still did not get the point of setting such a key in my account. Inside of my terminal showing error message
Public key cryptography acts like a lock and key. You give Github the public key (the lock) which only you can open with your secret private key. It's a simple way for Github to authenticate you.
Your computer has to be told which private keys to use. This involves adding it to your ssh-agent which manages your private keys. See Generating a new SSH key and adding it to the ssh-agent on Github for how to do this. And read the whole Connecting to GitHub with SSH documentation.
Once this is all set up, you won't have to keep typing in your password.

Capistrano 3 deployment with multiple developers from GitHub using forward agent

I have an existing Capistrano 3 deployment script which I run on my local machine (MacBook). I use agent forwarding and connect with my public SSH key. This all works fine, I have my SSH key added to GitHub and deployments work like a treat with no password. So, now I have a new developer who also needs to be able to deploy from his own machine. Firstly I have added his public SSH key to the server and added to known hosts so he has SSH access.
What do I need to do now so that agent forwarding works for him too?
I tried to copy his public key to the SSH keys in my GitHub account, but it showed an error saying the key was already added. I don't understand why I get this error as only my own SSH key has been added. Should I give him access to the GitHub repository and then he adds his SSH key to his own account?
Does the public key named in the deploy script need to be the same as it is named on the server or as it is on his machine?
Thanks for any help with this, I can't find anything online for this scenario.
Should I give him access to the GitHub repository and then he adds his SSH key to his own account?
Yes. The preferred way to do this is to give the new developer access to the GitHub project via his account.
You also add his public key to .ssh/authorized_keys on the server so that he can deploy. At this point, deployment should work for both of you using your own keys.

Cannot access a private github repo (I have both public and private keys)

I need to access (clone) a private repository on GitHub that belongs to a developer whom I am unable to communicate with. I have been provided with both a public and a private key (I'm guessing they might be deploy keys for the specific repository?)
After running the following terminal command:
git clone git@github.com:theirusername/reponame.git
I receive the following error:
Cloning into 'reponame'...
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The developer also included the following notes in a README with the keys:
Developer notes (replaced sensitive info with 'x's)
===============
"This SSH public/private keypair allows full access to the server.
DO NOT GIVE THESE FILES TO ANYONE THAT YOU DON'T WANT ACCESSING YOUR ENTIRE SERVER AND ASSOCIATED SERVICES.
- The SSH port is XXXXX.
- There is no passphrase on the keys.
- The keys allow access to two users: `xxx` (standard privs) and `xxx` (for sudo and su-ing to root)
- These keys also allow access to the GitHub repository: github.com/theirusername/reponame.git"
I have already tried adding the public key to my Github account (under settings --> SSH and GPG keys). This did not seem to help the issue.
I'm sure there is something fundamental I'm not grasping here. Do I need BOTH the public and private keys to access the repo? If so, where do I have to register each of them? Any help would be greatly appreciated.
You need to store the public and private key in your HOME (~/.ssh).
You can then test the connection with ssh -T git@github.com: if those keys are from another developer, it should display a welcome message with the other developer's name (since the public key should be registered under his/her GitHub account).
If you have multiple keys, you will need an ~/.ssh/config file, as I describe here.

Can't upload an SSH key to GitHub

In GitHub I am supposed to go to Account Settings, then click on SSH keys, and there I should have some way to add an SSH key. The instructions at http://help.github.com/win-set-up-git/ say: click "Add SSH Key". But that link does not exist. Instead I get the following:
On Sunday March 4, 2012 a security vulnerability related to SSH keys
(public keys) was discovered. For your protection and to prevent
unauthorized access we have disabled your public keys until you
approve them.
Need help verifying fingerprints?
along with Accept and Reject buttons next to ssh keys I have uploaded but not verified since the exploit was found. I do not want to accept or reject any of these other ssh keys at this point. All I want is to add a new SSH Key. How do I do it?
Many thanks!
After accepting/rejecting all the existing ssh keys the link was visible again in my account.