Recently I had a need to pull a GitHub repo onto a remote server.
When faced with this I would usually just pull using https, for example by running a clone command like this…
> git clone https://github.com/patmandenver/slack-webhook.git
Which works just fine for an open repo, but if it's a private
repo you are forced to put in your username and password not only when you clone, but
every time you pull or push.
Not much fun. I would rather pull via ssh and not have to worry about this.
I could copy my private ssh key to the remote box and clone
it via ssh, but then my private key is on a remote box that I may share
with other developers… Bad idea.
Or I could create a new public/private key on the remote box
for my user and add the public key to my account on github. A little better, but still other developers
on the box could possibly access my new private key on the box, which would
allow them to push/pull as me in github… Again not ideal.
There is another option I ran across, and am now using: the
ssh-agent tool, which forwards your keys when you ssh to the box https://www.ssh.com/ssh/agent [1]
Dangers
You may want to read this article on some of the dangers of
using this command https://security.stackexchange.com/questions/101783/are-there-any-risks-associated-with-ssh-agent-forwarding [2]
Long story short: while you are logged into the remote box,
other admins on the box (think root access) could utilize your ssh key and
pretend to be you. But I like this
reduced risk vs keeping my key or creating a new key on the box.
Using it
Start the ssh-agent
> eval $(ssh-agent)
Now add your private keys using the ssh-add tool
> ssh-add ~/.ssh/id_rsa
As a double check run this to list your keys
> ssh-add -l
There she be :)
Now ssh to a box and use the -A option to enable forwarding
of the authentication agent connection to the machine you are ssh'ing to.
Here is my example
(Of course replace haproxy with your hostname :) )
> ssh -A haproxy
As another double check you can run this command on the
machine you just logged into via ssh to confirm your key is available through the forwarded agent
> ssh-add -l
Wahoo it worked… Now if I try to run a git clone via ssh…
> git clone git@github.com:EXAMPLE/some-private-repo.git
Done deal :)
That fulfills my needs :)
Now there are lots of other useful things you can do with
this, such as using it to ssh on to yet another box that has your public key.
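The risk described under Dangers applies to every box you forward your agent to, so it is worth checking that forwarding is only enabled where you mean it. The script below is an added example, not part of the original post: it assumes you may also turn forwarding on with the `ForwardAgent` option in `~/.ssh/config` (the config-file equivalent of `-A`) and lists the blocks that do so, flagging wildcard patterns. The sample config is constructed; only `haproxy` comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): list the Host blocks in an
# ssh client config that forward your agent, and flag the wildcard ones.

# Constructed sample config. "haproxy" is the host used in the post; the
# other names are made up for illustration.
sample_config() {
cat <<'EOF'
# per-host forwarding, the config-file equivalent of `ssh -A haproxy`
Host haproxy
    ForwardAgent yes

Host *.dev.example jump?
    User deploy
    forwardagent=yes

Host bastion
    ForwardAgent no

Host *
    ForwardAgent yes
EOF
}

# audit_forward_agent [FILE]   (reads stdin when no file is given)
# Prints "OK <patterns>" when forwarding is limited to explicitly named
# hosts and "BROAD <patterns>" when a wildcard or Match block forwards it.
audit_forward_agent() {
    awk '
        BEGIN { host = "*"; broad = 1 }  # options before any Host line apply to all hosts
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        {
            # ssh_config accepts both "Key value" and "Key=value"
            key = $0; sub(/[ \t=].*/, "", key); key = tolower(key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "host")  { host = val; broad = (val ~ /[*?]/); next }
            if (key == "match") { host = "Match " val; broad = 1; next }  # conservative
            # anything but "no" (yes, a socket path, a $VAR name) forwards an agent
            if (key == "forwardagent" && tolower(val) != "no") {
                tag = broad ? "BROAD" : "OK"; print tag, host
            }
        }
    ' "$@"
}

# Demo run against the constructed sample.
sample_config | audit_forward_agent
```

Run it on your own file with `audit_forward_agent ~/.ssh/config`. This is a per-block text check; `ssh -G haproxy` prints the options ssh actually resolves for a single host.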
References
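[1] ssh-agent, https://www.ssh.com/ssh/agent. Accessed 06/2018
[2] Are there any risks associated with SSH agent forwarding?, https://security.stackexchange.com/questions/101783/are-there-any-risks-associated-with-ssh-agent-forwarding. Accessed 06/2018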