{"id":1652,"date":"2021-05-27T10:59:03","date_gmt":"2021-05-27T17:59:03","guid":{"rendered":"http:\/\/blog.nillsf.com\/?p=1652"},"modified":"2021-05-27T10:59:10","modified_gmt":"2021-05-27T17:59:10","slug":"github-sso-using-password-protected-ssh-keys","status":"publish","type":"post","link":"https:\/\/nillsf.com\/index.php\/2021\/05\/27\/github-sso-using-password-protected-ssh-keys\/","title":{"rendered":"GitHub SSO using password-protected SSH keys"},"content":{"rendered":"\n

There are two ways to pull\/push from\/to GitHub, when connecting from a remote system: either you use HTTPS or you use SSH. When connecting to a GitHub organization, the organization might have special requirements for the connection. For example, if I want to push updates to the github.com\/azure organization, I need to use a password-protected SSH key.<\/p>\n\n\n\n

The goal of this post is to explain three things:<\/p>\n\n\n\n

  1. How to use an SSH key with GitHub<\/li>
  2. How to use multiple SSH keys with GitHub<\/li>
  3. How to enable an SSH key for SSO on GitHub<\/li><\/ol>\n\n\n\n

    To explain everything, I’m using a new virtual machine, with nothing but git installed.<\/p>\n\n\n\n

    Let’s start with the first topic:<\/p>\n\n\n\n

    How to use an SSH key with GitHub<\/h2>\n\n\n\n

    To use an SSH key with GitHub, you need to do three things:<\/p>\n\n\n\n

    1. Create a new SSH key<\/li>
    2. Share the public key with GitHub<\/li>
    3. Clone the repo with the SSH URL<\/li><\/ol>\n\n\n\n

      To create a new SSH-key, you can use the command-line tool ssh-keygen<\/code>, as shown in the screenshot below. For the first key, I’ll use all the default values and won’t use a password:<\/p>\n\n\n\n

      \"\"
      Using ssh-keygen to generate an SSH key<\/figcaption><\/figure>\n\n\n\n

      The second step is to share the public key with GitHub. To do this, you first need the public key. To get is, you can use the following command:<\/p>\n\n\n\n

      cat ~\/.ssh\/id_rsa.pub<\/code><\/pre>\n\n\n\n
      Now copy the output and head over to github.com. In the GitHub menu, select settings:<\/p>\n\n\n\n
      \"\"
      Navigating to GitHub settings<\/figcaption><\/figure>\n\n\n\n
      In setting, head over to “SSH and GPG keys” in the left-hand menu, and click on “New SSH key”. GitHub allows you to use multiple SSH keys for a single account:<\/p>\n\n\n\n
      \"\"
      Adding a new SSH key to your GitHub account<\/figcaption><\/figure>\n\n\n\n
      Here you can enter the new SSH key and give it a descriptive title. As you save the key, GitHub might ask you to input your password for additional security. <\/p>\n\n\n\n
      \"\"
      Adding a new key with a descriptive title<\/figcaption><\/figure>\n\n\n\n
      You can now use this key to clone git repos. To clone a repo using SSH, you need to select that option when you clone a repo as shown in the screenshot below:<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      In the command line, you can now enter the git clone<\/code> command and watch the repo get cloned:<\/p>\n\n\n\n
      git clone git@github.com:Azure\/bellhop.git<\/code><\/pre>\n\n\n\n
      If this is the first time cloning from GitHub on that machine, you might get a question asking to confirm the authenticity of the remote host, which you can do by typing “yes” to that question. <\/p>\n\n\n\n
      \"\"
      Cloning a git repo using SSH, and confirming the authenticity of the remote host.<\/figcaption><\/figure>\n\n\n\n
      The problem with a non-password protected SSH-key<\/h2>\n\n\n\n
      This setup works fine to pull a repo, but it doesn’t allow pushing to that repo. This is for two reasons:<\/p>\n\n\n\n
      1. The key isn’t authorized for SSO<\/li>
      2. The key isn’t password protected.<\/li><\/ol>\n\n\n\n
        To show this to you, I made a quick change in the cloned repo and tried pushing that change. That fails due to the key not being password protected and not being authorized for SSO. <\/p>\n\n\n\n
        git checkout dockerfile-updates\necho \"test\" > test.txt\ngit add .\ngit commit -m \"test\"\ngit push<\/code><\/pre>\n\n\n\n
        \"\"
        Git push failing due to key not being SSO authorized<\/figcaption><\/figure>\n\n\n\n
        Let’s solve this issue! We’ll do two things here:<\/p>\n\n\n\n
        1. Create a new SSH-key, and configure this git repo to use that new key<\/li>
        2. Authorize the new SSH for SSO in GitHub.<\/li><\/ol>\n\n\n\n
          How to use multiple SSH keys with GitHub<\/h2>\n\n\n\n
          Let’s start by creating a new key, now password-protected, using the same ssh-keygen<\/code> command:<\/p>\n\n\n\n
          \"\"
          Generating a new password-protected SSH key<\/figcaption><\/figure>\n\n\n\n
          I called the key protected_key<\/code>, and gave it a password (which you don’t see in the screenshot). Make sure to save the key in the .ssh<\/code> <\/em>folder.<\/p>\n\n\n\n
          Now, we’re going to configure SSH to use different keys based on the hostname. You could also use the protected key as the only key if you so please, but in my case, I want to keep using both keys. To do so, create a new file in the ~\/.ssh<\/code> folder called config<\/code>. Input the following – or similar – to configure SSH to use different keys based on host:<\/p>\n\n\n\n
          # Personal repositories\nHost github.com\nHostName github.com\n User git\n IdentityFile ~\/.ssh\/id_rsa\n\n# SSO repository\nHost github.com-SSO\n HostName github.com\n User git\n IdentityFile ~\/.ssh\/protected_key<\/code><\/pre>\n\n\n\n
          Next, in the repo you cloned you’ll have to replace the remote hostname. You can do that using the following command:<\/p>\n\n\n\n
          git remote set-url origin git@github.com-SSO:Azure\/bellhop.git<\/code><\/pre>\n\n\n\n
          Notice how you replaced github.com<\/code> by github.com-sso<\/code>.<\/p>\n\n\n\n
          One final step remains: authorizing this key for SSO:<\/p>\n\n\n\n
          How to enable an SSH key for SSO on GitHub<\/h2>\n\n\n\n
          Now we need to authorize this key for SSO on GitHub. Follow the same steps as earlier to add the key to GitHub, meaning getting the public key and entering it in Github:<\/p>\n\n\n\n
          \"\"
          Adding a new key to GitHub<\/figcaption><\/figure>\n\n\n\n
          After you saved the key, you’ll see the option next to it to enable SSO for that key. In my case, I’ll enable SSO for the Azure org:<\/p>\n\n\n\n
          \"\"
          Enabling SSO for the key<\/figcaption><\/figure>\n\n\n\n
          Now that the key is password-protected and it’s enabled for SSO, we should be able to push to the repo:<\/p>\n\n\n\n
          \"\"
          Being able to push to the remote repo using the new key<\/figcaption><\/figure>\n\n\n\n
          As you can see, this prompted for the password of the SSH key and then successfully allowed the push to complete.<\/p>\n\n\n\n
          Summary<\/h2>\n\n\n\n
          In this post, you learned how to use multiple SSH keys with github.com. You also learned how to use a password-protected key to push to an organization with SSO enabled. <\/p>\n","protected":false},"excerpt":{"rendered":"
          There are two ways to pull\/push from\/to GitHub, when connecting from a remote system: either you use HTTPS or you use SSH. When connecting to a GitHub organization, the organization might have special requirements for the connection. For example, if I want to push updates to the github.com\/azure organization, I need to use a password-protected […]<\/p>\n","protected":false},"author":1,"featured_media":1666,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,5],"tags":[52,184,53],"class_list":["post-1652","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-open-source","tag-devops","tag-git","tag-github"],"jetpack_featured_media_url":"https:\/\/nillsfblog.blob.core.windows.net\/media\/2021\/05\/2021-05-27-10_56_58-PowerPoint-Slide-Show-Customize-core-dumps-in-Azure-Kubernetes.pptx.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/comments?post=1652"}],"version-history":[{"count":2,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1652\/revisions"}],"predecessor-version":[{"id":1667,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1652\/revisions\/1667"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media\/1666"}],"wp:attachment":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media?parent=1652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/categories?post=1652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/tags?post=1652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}