Using Github Deploy Key

Using Github Deploy Key.md

What / Why

Deploy key is a SSH key set in your repo to grant client read-only (as well as r/w, if you want) access to your repo.

As the name says, its primary function is to be used in the deploy process in replace of username/password, where only read access is needed. Therefore keep the repo safe from the attack, in case the server side is fallen.

How to

1. Generate a ssh key

   run ssh-keygen -t rsa -b 4096 -C "{email}", leave the password empty as you want the deploy process keyboard-less.

   after the generation, file id_rsa and id_rsa.pub can be found under .ssh folder.

2. add ssh key to repo's "Deploy keys" setting

   cat .ssh/id_rsa.pub

   URL: https://github.com/{user}/{repo}/settings/keys

3. Setup the git ssh key on the client machine

   Git normally use the ssh key found in .ssh/id_rsa under user's home folder, so first you need to find out the home directory of the user.

   for example, on Ubuntu/Debian, in default, user www-data's home directory is /var/www, so the ssh key file is /var/www/.ssh/id_rsa).

   Then copy the id_rsa file from Step 1 to the right directory.

   You can test the connection by:

   sudo -u {user} ssh -T [email protected]

   *You might need to grant Github's key to known hosts.

   If everything went well, you can see:

   Hi {user}! You've successfully authenticated, but GitHub does not provide shell access.
   

   Then you are all set!

   Attention: make sure your repo url use git protocl not http, which means use

   [email protected]:{user}/{repo}.git
   

   not

   https://github.com/{user}/{repo}.git
   

*Using multiple deploy key with different repo on the same machine

You can use /.ssh/config file to config different ssh key for different repo. For detail, please follow the instruction in Ref.3 below.

Reference

1. Read-only deploy keys

2. Generating SSH keys

3. Using Multiple Github Deploy Keys for a Single User on a Single Linux Server