Change the ssh key default scope to github.com #20512
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@alexmighty Thanks for opening this PR! I noticed it's still a draft. Are you still working on it or is it ready for review? 👀
Hey @cmwilson21 thanks for checking in! I've rebased the PR and transitioned it to the review state. I believe it is now ready for consideration, please let me know if there is anything missing like a ticket or anything else. cheers
@alexmighty Thanks for letting me know! I'll get this triaged for review ⚡
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀
👋 hi from the product manager of Git Systems at GitHub. Thanks for making this contribution! I've been asked to do a quick tech review. I could go either way here. On one hand, using a wildcard "pushes you into the pit of success", so to speak, if you're a novice to the world of SSH config. It's not our intent to document all aspects of SSH configuration, and I think most individual users should be using a single key everywhere (for ease of management). On the other hand, fully specifying My instinct is that this isn't common enough to warrant a change: you have to be both in a complex SSH environment and be unaware of how scopes in SSH config work. But I have no real data to back that up.
+1 for narrowing the scope. In my case, the recommended wildcard broke the ssh config on a managed work computer and locked me out of some important resources. I was previously unaware of how ssh config scopes work, as all prior config was provided by the company. Incidentally, this PR probably closes #21333, which I opened after solving this problem for myself.
Thanks for the additional perspective! I'm convinced, it's worth making a change. We will need to fixup the wording for GHES customers, as
With the current host wildcard default configuration, the new key applies to all ssh connection attempts regardless of host. This can become an issue on older systems that leverage existing keys in the ssh config and don't have knowledge of the "newer" recommended ed25519 algorithm. While this key can be reused for multiple purposes outside of github, I still propose to scope the default host to github.com to avoid a default that can pollute the global key namespace in the ssh config.
Rebased. @vtbassmatt, I certainly appreciate how on the fence this one can be!
@cmwilson21 are you the right person to advise on how we handle this for GHES?
@vtbassmatt, not me but I know some folks 😄 Thanks for the ping. I'll dig around and find out!
Thanks @alexmighty ! I am going to apply a few small changes, then I'll double check on preview and merge if all looks good! ⚡
...ion/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent.md
Looks good on preview! 🎉
Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues ⚡
Edit: never mind. Since this is for Git over SSH, it should only be one hostname anyhow.
Why:
Closes #21333
With the current host wildcard suggested snippet configuration, the new key is scoped to all ssh-agent connection attempts regardless of host. This can become an issue when introducing this snippet to a (large) existing ssh-agent configuration in use by older systems which do not have knowledge of the recommended ed25519 algorithm. While the key created by following the instructions in this page could be reused for multiple purposes outside of github, I am proposing here to change the default scope of the snippet to the github.com host in order to avoid polluting the global namespace of the ssh-agent config.
What's being changed (if available, include any code snippets, screenshots, or gifs):
Change the recommended ssh-agent config snippet from:
to
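The scoping behaviour discussed in this thread can be checked with a small resolver. This is an added example, not code from the pull request or from GitHub's docs; the two config texts, the host `legacy.example.internal` and the key paths are constructed, and the parser is a simplified model that ignores `Match`, `Include` and `keyword=value` syntax.

```python
import fnmatch

def host_matches(patterns, host):
    """ssh_config Host rule: some positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def identity_files(config_text, host):
    """List the IdentityFile entries that apply to `host`, in config order."""
    active = True  # options before the first Host line apply to every host
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "identityfile" and active and value not in found:
            # IdentityFile is cumulative: every matching block adds its key
            found.append(value)
    return found

# Constructed sample: an existing per-host entry plus the pasted snippet.
EXISTING = "Host legacy.example.internal\n  IdentityFile ~/.ssh/id_rsa_legacy\n\n"
SNIPPET = "  AddKeysToAgent yes\n  IdentityFile ~/.ssh/id_ed25519\n"
WILDCARD = EXISTING + "Host *\n" + SNIPPET          # wildcard scope
SCOPED = EXISTING + "Host github.com\n" + SNIPPET   # scope proposed in this PR

if __name__ == "__main__":
    for name, cfg in (("wildcard", WILDCARD), ("scoped", SCOPED)):
        for h in ("github.com", "legacy.example.internal"):
            print(f"{name:8} {h:26} {identity_files(cfg, h)}")
```

On a real machine, `ssh -G <host>` prints the options OpenSSH actually resolves for that host, including every `identityfile` line.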