Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH key pair #4

Closed
rarkins opened this issue Dec 18, 2016 · 5 comments
Closed

SSH key pair #4

rarkins opened this issue Dec 18, 2016 · 5 comments

Comments

@rarkins
Copy link
Collaborator

rarkins commented Dec 18, 2016

We use an SSH key pair to support git operations. Here are some ways this can be done:

  1. Manually add public key (where script will run) to GitHub account (e.g. id_rsa.pub)
  2. Generate dedicated keypair for this script and add that manually to GitHub
  3. Script generates SSH keypair and adds it to GitHub using API - if not already present due to previous run
@rarkins
Copy link
Collaborator Author

rarkins commented Dec 18, 2016

I quite like option 3 because it means one less manual step using the GitHub web interface. i.e. user only needs to generate access token for designated bot account and not also mess with SSH keys if they're not familiar with them.

This would work well for most environments, e.g. the script could look for ~/.ssh/id_rsa.pub` and upload that via GitHub API the first run.

We could perhaps make it fail gracefully or with non-error warning message if the user doesn't want to grant key read/write permissions for the API. In a way then option 1 would be backwards compatible with option 3.

AWS lambda doesn't have the concept of a full user directory with .ssh directory, but it could pull the key pair from a secure S3 prior to run.

@rarkins
Copy link
Collaborator Author

rarkins commented Dec 18, 2016

Conclusion:

  1. Assume we will use ~/.ssh/id_rsa for now and users will manually add that public key to GitHub
  2. Add functionality later to attempt adding public key automatically using API

Leaving this issue open for part 2

@rarkins
Copy link
Collaborator Author

rarkins commented Dec 18, 2016

I realised a problem just now. I was attempting to add my public key (id_rsa.pub) to a bot account I'd set up, but GitHub gives me this error message:
image

i.e. public keys are used to identify GitHub users, so you can't add it to more than one GitHub account.

This makes me more inclined to generate a custom key pair just for this tool/bot, to avoid any such conflict.

@rarkins
Copy link
Collaborator Author

rarkins commented Dec 18, 2016

In theory it would be possible to generate a temporary key pair every run, then add it to the GitHub account, then remove it at the end.

One problem of course would be if the program crashes and doesn't remove the key, but GitHub's API lets you give a "title" to each key so we could name it renovate for example and have a first step that deletes it if found.

A second problem might be latency - e.g. does it work instantly once you add it via API, or is there a delay until it's active? This needs to be tested as it would be a problem for the first run of the script regardless.

@rarkins
Copy link
Collaborator Author

rarkins commented Dec 18, 2016

In that case, the logic would be approximately:

  1. Delete "renovate" key if exists
  2. Generate temporary key pair
  3. Add temporary public key via GitHub API, with title "renovate"
  4. [Rest of script]
  5. Delete renovate key

@rarkins rarkins closed this as completed Dec 20, 2016
@robertying robertying mentioned this issue Sep 10, 2019
Closed
@Jnosh Jnosh mentioned this issue May 4, 2020
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rarkins