Setting up per-site read-only deploy keys using GitHub

I'm going to forget this again if I don't write it down this time. Here's the scenario I was trying to overcome:

Single server, multiple sites, each backed by an independent repository cloned over ssh.
Each site should have its own private ssh key, added to its remote repository as a deploy key. These deploy keys must not be the user's own private key (the one used to log in to the server): a deploy key is scoped to a single repository, whereas a user key carries every repository that user can reach.

The solution is this:


Each user can keep a config file, ~/.ssh/config, that overrides the real hostname and the key ssh uses for any given host alias. Here's an example:

  Host
  HostName
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/example-org-id_rsa

From there, any git clone over ssh simply has to use that custom Host alias in place of the real hostname, so that it matches the stanza in ~/.ssh/config:


would become

After that, git pull and push are seamless, and the other developers may never even need to know, if you symlink the .ssh config file itself. Two caveats: a deploy key added to GitHub without write access is read-only, so git pull works but git push over it is rejected; and if the user's own key is loaded in an ssh agent, add IdentitiesOnly yes to the stanza, otherwise ssh may offer the agent key first and GitHub will authenticate as that user rather than as the deploy key.
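The whole procedure as a script, added here as an example and not taken from the original post. It assumes an alias name (example-org-github), a repository (example-org/site), a key path under a scratch directory, and an ed25519 key rather than the RSA key the post names; none of those come from the post. It writes the ~/.ssh/config stanza, rewrites a github.com clone URL to go through the alias, and checks the key file's permissions, since ssh silently skips a key that is readable by other users.

```shell
#!/bin/sh
# Added example (not the original post's code): per-site deploy keys via ~/.ssh/config.
# Assumed names: alias "example-org-github", repo "example-org/site", ed25519 key.
set -eu

# Stanzas are appended here; overridable so the demo below never touches a real ~/.ssh.
SSH_CONFIG="${SSH_CONFIG:-${HOME:-.}/.ssh/config}"

# add_deploy_host ALIAS KEYFILE
# Appends a Host stanza that pins KEYFILE to ALIAS. IdentitiesOnly yes matters: without
# it ssh also offers every key in your agent, GitHub accepts the first one it knows
# (usually your personal key), and the per-repository restriction never applies.
add_deploy_host() {
    host_alias="$1"; keyfile="$2"
    mkdir -p "$(dirname "$SSH_CONFIG")"
    if [ -f "$SSH_CONFIG" ] && grep -q "^Host $host_alias\$" "$SSH_CONFIG"; then
        echo "Host $host_alias already present in $SSH_CONFIG" >&2
        return 1
    fi
    cat >>"$SSH_CONFIG" <<EOF
Host $host_alias
    HostName github.com
    User git
    PreferredAuthentications publickey
    IdentityFile $keyfile
    IdentitiesOnly yes
EOF
    chmod 600 "$SSH_CONFIG"
}

# deploy_url ALIAS URL
# Rewrites a github.com ssh clone URL so it resolves through ALIAS; anything else
# (https, another host) is returned unchanged, since the stanza would not apply to it.
deploy_url() {
    host_alias="$1"; url="$2"
    case "$url" in
        git@github.com:*)       echo "git@$host_alias:${url#git@github.com:}" ;;
        ssh://git@github.com/*) echo "ssh://git@$host_alias/${url#ssh://git@github.com/}" ;;
        *)                      echo "$url" ;;
    esac
}

# key_perms_ok KEYFILE
# ssh ignores a private key that group or others can read; accept only 0600/0400.
# ls -l is used rather than stat because stat's format flags differ between GNU and BSD.
key_perms_ok() {
    mode="$(ls -ld "$1" | cut -c1-10)"
    case "$mode" in
        -r[w-]-------) return 0 ;;
        *) echo "$1: mode $mode is too open, ssh will skip it (chmod 600)" >&2; return 1 ;;
    esac
}

# Demo against a scratch directory, so nothing under the real ~/.ssh is modified.
demo() {
    saved_config="$SSH_CONFIG"
    tmp="$(mktemp -d)"
    SSH_CONFIG="$tmp/config"
    keyfile="$tmp/example-org-id_ed25519"
    # Generate the per-site key; if ssh-keygen is unavailable here, stand in an
    # empty 0600 file so the rest of the demo still runs (assumption for the demo only).
    if ! command -v ssh-keygen >/dev/null 2>&1 ||
       ! ssh-keygen -q -t ed25519 -N '' -C 'deploy:example-org/site' -f "$keyfile" 2>/dev/null; then
        : >"$keyfile"; chmod 600 "$keyfile"
    fi
    key_perms_ok "$keyfile"
    add_deploy_host example-org-github "$keyfile"
    # The public half ($keyfile.pub) is what you paste into the repository's deploy keys.
    echo "clone with: git clone $(deploy_url example-org-github git@github.com:example-org/site.git)"
    cat "$SSH_CONFIG"
    rm -rf "$tmp"
    SSH_CONFIG="$saved_config"
}

demo
```

After writing the stanza for real, `ssh -G example-org-github` prints the options ssh will actually use for the alias, and `ssh -T git@example-org-github` should greet you with the repository name rather than your username, which confirms the deploy key, not an agent key, was used.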

