GIT_SSH_COMMAND + Deploy Key = Permission Denied? #26692

andreas-github · 2022-05-02T13:32:35Z

andreas-github
May 2, 2022

I am experimenting a little to familiarise myself with Deploy Keys and am not able to figure out why the following is not working:

root@host:~# GIT_SSH_COMMAND='ssh -i key -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' root@host:~# git clone git+ssh@github.com:*github-user*/*github-repo*.git Cloning into '*github-repo*'... git+ssh@github.com: Permission denied (publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.

I have added the public key as a Deploy Key read-only) to the github-repo.
The key file contains the matching private key.
github-user is the maintainer of github-repo and has ssh keys as well.
the host is a completely freshly installed Ubuntu 20.04. with no git or ssh operations done before this example.
git version 2.25.1

Why does this not work? Why the permission error?

Grateful for any thoughts and ideas what the issue is here. Thanks.

Answered by airtower-luna

May 2, 2022

I notice you don’t export the GIT_SSH_COMMAND variable, so it’s not actually available to the subsequent git command. That’s probably the issue.

However, before you continue, I see a number of things there that practically yell really bad idea. ⚠️

You’re running Git as root. Git doesn’t do anything that needs root access, and running anything as root unnecessarily is an unnecessary security risk.
You disable the SSH known hosts file and host key checking. This means that anyone who can mess with your network traffic can make you connect to anywhere they want, and have your Git command download whatever they want.
I assume that if you clone in root, you intend to use the repository as roo…

View full answer

airtower-luna · 2022-05-02T15:09:58Z

airtower-luna
May 2, 2022

andreas-github:

git+ssh@github.com

git+ssh is not a valid SSH user. To access GitHub over SSH you have to use the git user.

0 replies

andreas-github · 2022-05-02T20:43:02Z

andreas-github
May 2, 2022
Author

airtower-luna:

git+ssh is not a valid SSH user. To access GitHub over SSH you have to use the git user.

Ok, changed it to git clone git@github.com:*github-user*/*github-repo*.git . but the error is still exactly the same 🙁

Additional detail about this test:

the repo is a private one
the GitHub account used is on a FREE plan

0 replies

airtower-luna · 2022-05-02T21:05:36Z

airtower-luna
May 2, 2022

I notice you don’t export the GIT_SSH_COMMAND variable, so it’s not actually available to the subsequent git command. That’s probably the issue.

However, before you continue, I see a number of things there that practically yell really bad idea. ⚠️

You’re running Git as root. Git doesn’t do anything that needs root access, and running anything as root unnecessarily is an unnecessary security risk.
You disable the SSH known hosts file and host key checking. This means that anyone who can mess with your network traffic can make you connect to anywhere they want, and have your Git command download whatever they want.
I assume that if you clone in root, you intend to use the repository as root. In combination with not checking the identity of the remote host that makes it really easy for an attacker to get remote code execution.

Get GitHub's SSH key fingerprints - GitHub Docs, retrieve the keys, verify, and add them to the right user’s known hosts file, and use that file when connecting.

Don’t clone as root, clone as a regular user. If your tool really needs to run (or install) as root you can still do that after. Good luck! 🙂

0 replies

andreas-github · 2022-05-02T21:47:57Z

andreas-github
May 2, 2022
Author

Thanks for your help @airtower-luna

It was indeed the missing export for GIT_SSH_COMMAND 😣

Regarding root, that is just because this was originally a quick test in VPS instance using the default wb console login (quick & dirty)…I 100% subscribe to your advice.

For what it’s worth, here is the “working” shell snippet (w/o the bad parts :slight_smile:

user@host:~# export GIT_SSH_COMMAND='ssh -i key -o IdentitiesOnly=yes' user@host:~# git clone git@github.com:*github-user*/*github-repo*.git . Cloning into '.'....

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

GIT_SSH_COMMAND + Deploy Key = Permission Denied? #26692

{{title}}

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

GIT_SSH_COMMAND + Deploy Key = Permission Denied? #26692

andreas-github May 2, 2022

Replies: 4 comments

airtower-luna May 2, 2022

andreas-github May 2, 2022 Author

airtower-luna May 2, 2022

andreas-github May 2, 2022 Author

andreas-github
May 2, 2022

airtower-luna
May 2, 2022

andreas-github
May 2, 2022
Author

airtower-luna
May 2, 2022

andreas-github
May 2, 2022
Author