Setting up per-site read-only deploy keys using GitHub

I'm going to forget this again if I don't write it down this time. Here's the scenario I was trying to overcome:

Single server, multiple sites, each backed by its own repository and fetched over SSH.
Each site should have its own SSH key pair, with the public half added to that site's remote repository as a deploy key (a GitHub deploy key is read-only unless you explicitly enable write access when adding it). These deploy keys must not be the private key a person uses to log in to the server: a deploy key lives on the server, so it should grant access to exactly one repository and nothing else.

The solution is this:

.ssh/config

Each user can keep a config file in their .ssh folder that overrides the real hostname and the key used for any host alias they invent. Here's an example:

  Host example.github.com
  HostName github.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/example-org-id_rsa

From there, the clone URL only has to swap the real hostname for the alias you defined in .ssh/config:

  git@github.com:some_cool_repo/example.com.git

would become
  git@example.github.com:some_cool_repo/example.com.git

After that, git pull is seamless (push too, but only if you enabled write access on the deploy key; a read-only key rejects it), and the other developers may never even need to know, especially if you symlink the .ssh config file itself.
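Here is the whole procedure as a script, added as an example and not part of the original post. It keeps the post's alias scheme (example.github.com) and repository (some_cool_repo/example.com), but the function names, the ed25519 key type and the key path are this example's own choices. It adds two things the config above leaves out: User git, so the alias works without the git@ prefix, and IdentitiesOnly yes, which stops ssh from also offering every key held by ssh-agent. That matters here, because GitHub accepts the first key that authenticates, and if a developer's personal key is in the agent, the server ends up acting as that developer instead of as the site's deploy key.

```shell
#!/bin/sh
# Added example (not from the original post): per-site GitHub deploy keys.
# Assumptions: alias <site>.github.com as in the post; key files named
# <site>-org-id_ed25519 (the post uses id_rsa); everything else is ours.
set -e

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Alias for a site, matching the post's scheme: example -> example.github.com
site_alias() {
    printf '%s.github.com\n' "$1"
}

# Rewrite a real GitHub SSH URL onto the per-site alias:
# git@github.com:owner/repo.git -> git@example.github.com:owner/repo.git
alias_url() {
    site="$1"; url="$2"
    case "$url" in
        git@github.com:*)
            printf 'git@%s:%s\n' "$(site_alias "$site")" "${url#git@github.com:}" ;;
        *)
            echo "not a git@github.com SSH URL: $url" >&2; return 1 ;;
    esac
}

# A dedicated key pair per site; never reuse anyone's login key. The .pub file
# is what gets pasted into the repository's Settings -> Deploy keys page,
# which creates a read-only key unless "Allow write access" is ticked.
make_site_key() {
    site="$1"
    mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"
    key="$SSH_DIR/$site-org-id_ed25519"
    [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -C "deploy:$site" -f "$key" >/dev/null
    echo "$key"
}

# Append the Host block once (re-running must not duplicate it).
# IdentitiesOnly yes: offer only this key, not whatever ssh-agent holds.
add_host_alias() {
    site="$1"; key="$2"; cfg="$SSH_DIR/config"
    alias="$(site_alias "$site")"
    mkdir -p "$SSH_DIR"
    touch "$cfg"; chmod 600 "$cfg"
    if grep -q "^Host $alias\$" "$cfg"; then
        return 0
    fi
    cat >>"$cfg" <<EOF

Host $alias
    HostName github.com
    User git
    PreferredAuthentications publickey
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# Point an existing clone's origin at the alias instead of github.com.
repoint_remote() {
    site="$1"; repo_dir="$2"
    cur="$(git -C "$repo_dir" remote get-url origin)"
    git -C "$repo_dir" remote set-url origin "$(alias_url "$site" "$cur")"
}

# Smoke test: with a deploy key GitHub answers "Hi owner/repo! You've
# successfully authenticated, but GitHub does not provide shell access."
# (and exits 1), so only the banner text is checked. A greeting that names a
# person's account means the wrong key was offered.
check_alias() {
    ssh -T "git@$(site_alias "$1")" 2>&1 | grep -q 'successfully authenticated'
}

# Usage: sh deploy-key-setup.sh setup example git@github.com:some_cool_repo/example.com.git
if [ "${1:-}" = "setup" ]; then
    site="$2"; url="$3"
    key="$(make_site_key "$site")"
    add_host_alias "$site" "$key"
    echo "Add this public key as a deploy key on the repository:"
    cat "$key.pub"
    echo "Then clone with: git clone $(alias_url "$site" "$url")"
fi
```

After adding the public key on GitHub, run check_alias on the site name: the greeting should name the repository (Hi some_cool_repo/example.com!), not a developer. If it names a developer, that account's key was offered first, which is exactly what IdentitiesOnly yes prevents.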
