Use hub pull-request with SSH #978

Open
tybenz opened this issue Aug 14, 2015 · 18 comments
@tybenz

tybenz commented Aug 14, 2015

I am trying to use hub with GitHub Enterprise. My company's enterprise account is set up to only use SSH keys when pulling/pushing. I think they've disabled basic auth altogether. When using hub pull-request, hub prompts me for my username/password for GitHub Enterprise, which I do not have. Our web portal requires a username + 2FA token. Tried to use that to no avail.

Is there a way for hub to use the GitHub API and use an SSH key to authenticate itself?

Or am I out of luck?

@nightpool

You can't auth to the API over an ssh key, but you can get an OAuth token and put that into hub manually.

@nightpool

see https://help.github.com/articles/creating-an-access-token-for-command-line-use/

@mislav
Owner

mislav commented Aug 17, 2015

Hub accesses GitHub API via HTTPS, so it needs some kind of authentication such as Basic Auth or OAuth. SSH keys won't help because they're only used by git when pushing/pulling.

Because you don't have a password you can authenticate with, only 2FA token, that means you will probably need to generate a Personal access token manually. You can do that from your settings in the web interface. Then, add that token to ~/.config/hub like so:

---
myenterprise.com:
- protocol: https
  user: tybenz
  oauth_token: YOURTOKEN

@mislav mislav closed this as completed Aug 17, 2015
@rayrrr

rayrrr commented Jun 25, 2017

This is a very old Issue thread with incredible search engine placement. I searched just for "hub ssh," ended up here, tried this and it didn't work. Looking at the docs here it seems the proper way to do this nowadays is to simply set an environment variable with the name GITHUB_TOKEN containing the value of your GitHub Personal Access Token. That worked for me!

@youcandanch

whoa @rayrrr what are you doing here

@miohtama

miohtama commented Aug 15, 2017

I have two-factor authentication enabled. hub ends up asking for a password even if I put a manually generated token in ~/.hub/config or the GITHUB_TOKEN environment variable.

  • Why is this? (I guess no one knows)

  • Is there a way to get debug information from hub to know why it fails to authenticate?

@mislav
Owner

mislav commented Aug 15, 2017

  1. When ~/.config/hub (mind the actual file name) already contains the user and oauth_token keys (perhaps you've pasted in a manually generated token; that's ok), you will never be prompted for password. Hub will try to use that oauth token and fail with an error message if the token is invalid.

  2. You can set HUB_VERBOSE=1 to have hub output extra debugging information.

@levithomason

Can this get added to the docs or README?

@holdenk

holdenk commented Jun 28, 2018

It also checks for an env variable called GITHUB_TOKEN, which was surprising for me since all of the docs pointed to deleting the config value -- just in case anyone else gets stuck on this like I do.

@chrowe

chrowe commented Jul 13, 2018

The documentation on https://hub.github.com/hub.1.html seems to still indicate that git is the default, with git config --global hub.protocol https being an override. Unfortunately git and ssh options do not seem to work.

In the short term, using the full git@github.com/... url works for some things

@christopher-francisco

christopher-francisco commented Nov 8, 2018

Can we get some more explicit documentation? Specifically on these topics

  1. I intend to use only SSH key for Git operations, NO OAuth2. Do I still need to set GITHUB_TOKEN? If yes, a brief explanation would help people understand
  2. What's the difference of git config --global hub.protocol vs HUB_PROTOCOL? In what use cases I would pick one over the other?
  3. Is this required git config --global --add hub.host MY.GIT.ORG? I'm pretty sure I set mine up without this line, but only the GITHUB_HOST and it worked

@mislav
Owner

mislav commented Nov 12, 2018

Until there is better documentation:

  1. I intend to use only SSH key for Git operations, NO OAuth2. Do I still need to set GITHUB_TOKEN?

Yes, because hub needs access to the GitHub API, which can only be accessed via HTTP(S) Oauth2 and not SSH.

2. What's the difference of git config --global hub.protocol vs HUB_PROTOCOL?

There is no difference. Use the one you're more comfortable with.

3. Is this required git config --global --add hub.host MY.GIT.ORG?

It's required in case GITHUB_HOST isn't set.

@mislav
Owner

mislav commented Nov 12, 2018

Reopening until there are better docs.

More about the SSH vs. HTTPS communication during hub operations: #1644 (comment)

@mislav mislav reopened this Nov 12, 2018
@mislav mislav added the docs label Nov 12, 2018
@azec-pdx

In my ~/.zshrc, I have added:

GITHUB_TOKEN=<***REDACTED***>

and inside ~/.config/hub , I have only:

---
github.com
    - protocol: https
      user: azec-pdx
      oauth_token: <***REDACTED***>

If I try to do hub pr list in local dir of my repo, I am still asked for username and password.
What am I missing ?

@azec-pdx

I added also

export HUB_CONFIG=~/.config/hub

to my ~/.zshrc and started new session and it is still asking for uname/password when I run git pr list

@azec-pdx

Finally this worked for me....

  • Using regular SSH key added to the SSH agent in ZSH, and all my repos are checked out locally with remote pointing to git@github.com:<ORG>/<REPO_NAME>.git
  • Inside ~/.zshrc , I have:
    ...
    # GitHub token for HUB: https://hub.github.com/hub.1.html
    export GITHUB_TOKEN="<***REDACTED***>"
    #export HUB_VERBOSE=1
    export HUB_CONFIG=~/.config/hub
    
  • Inside ~/.config/hub, I have:
    github.com
     -
         protocol: git
         user: azec-pdx
         oauth_token: <***REDACTED***>
    
  • In global git config ....
    > git config --list
     ...
     hub.protocol=git
     ...
    

I am sure that there is some minimal version of this config that I could just keep, but the biggest confusion seems to be caused by the hub.protocol parameter, for which any of https|ssh|git are valid options.

I believe that the hub.protocol setting is used to select the flavor of authentication for regular git operations, and I prefer SSH for this because, as I said, all my repos are checked out with SSH. But the counter-intuitive part is that if you have git configured to work with your GitHub via SSH (before introducing hub in your workflow), then the right setting is hub.protocol=git and not hub.protocol=ssh or hub.protocol.git. I absolutely don't want https even though it is recommended by GitHub, because it forces me to store username/pass in the macOS keychain on the org laptop, and in the case of leaving the org, it would be much easier to revoke the SSH key as well as the OAuth token from my GitHub profile.

The second part of the auth is GITHUB_TOKEN, which is a must-have if you want hub to talk to GitHub APIs that are not git-protocol operations.

@mislav
Owner

mislav commented Aug 19, 2019

I'm confused: protocol: git is literally unsupported in ~/.config/hub. The only possible values are https and http because these are the only protocols that GitHub API is accessible over. (Note that this configuration option is NOT for git clone/push/pull protocol!)

When it comes to git config, why did hub.protocol=ssh not work out for you? What were the particular problems you've encountered with that setting?
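
An added example, not part of the thread and not hub's own code: a small linter for the text of a ~/.config/hub file that flags the problems discussed above (a `protocol` value other than https/http, a missing `oauth_token`, a host key without its colon) plus group/other file permissions on the token file. It assumes one entry per host and uses simple line-based parsing; the hosts, user and token in the samples are constructed placeholders.

```python
import re
import stat

API_PROTOCOLS = {"https", "http"}  # per the thread, the only values hub accepts here

# Constructed samples; host, user and token values are placeholders.
GOOD = """---
myenterprise.example:
- protocol: https
  user: someuser
  oauth_token: PLACEHOLDER_TOKEN
"""
BAD = """---
github.com
 -
     protocol: git
     user: someuser
     oauth_token: PLACEHOLDER_TOKEN
"""

def lint_hub_config(text, mode=0o600):
    """Return findings for the text of a ~/.config/hub file (one entry per host)."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other but stores an API token")
    host, hosts = None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line == "---" or line.lstrip().startswith("#"):
            continue
        if not raw[0].isspace() and not line.startswith("-"):  # top-level host key
            if not line.endswith(":"):
                findings.append(f"line {n}: host key {line!r} lacks a trailing ':'")
            host = line.rstrip(":")
            hosts[host] = {}
            continue
        m = re.match(r"^\s*(?:-\s*)?(\w+):\s*(\S.*)?$", line)
        if m and host is not None:
            hosts[host][m.group(1)] = (m.group(2) or "").strip()
    for host, kv in hosts.items():
        proto = kv.get("protocol")
        if proto not in API_PROTOCOLS:
            findings.append(f"{host}: protocol {proto!r} is not an API protocol")
        elif proto == "http":
            findings.append(f"{host}: token would travel over cleartext http")
        if not kv.get("oauth_token"):
            findings.append(f"{host}: no oauth_token set")
    return findings
```

To lint a real file, pass its contents and `stat.S_IMODE(os.stat(path).st_mode)` as `mode`.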

@jtakalai

jtakalai commented Dec 5, 2019

For me, just the ~/.config/hub file was enough (using https and access token).
