GIT_SSH_COMMAND + Deploy Key = Permission Denied?

I am experimenting a little to familiarise myself with Deploy Keys and am not able to figure out why the following is not working:

root@host:~# GIT_SSH_COMMAND='ssh -i key -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
root@host:~# git clone git+ssh@github.com:*github-user*/*github-repo*.git
Cloning into '*github-repo*'...
git+ssh@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

  • I have added the public key as a Deploy Key (read-only) to the github-repo.
  • The key file contains the matching private key.
  • github-user is the maintainer of github-repo and has ssh keys as well.
  • the host is a completely freshly installed Ubuntu 20.04 with no git or ssh operations done before this example.
  • git version 2.25.1

Why does this not work? Why the permission error?

Grateful for any thoughts and ideas what the issue is here. Thanks.

git+ssh is not a valid SSH user. To access GitHub over SSH you have to use the git user.


Ok, changed it to git clone git@github.com:*github-user*/*github-repo*.git . but the error is still exactly the same :slightly_frowning_face:

Additional detail about this test:

  • the repo is a private one
  • the GitHub account used is on a FREE plan

I notice you don’t export the GIT_SSH_COMMAND variable, so it’s not actually available to the subsequent git command. That’s probably the issue.

However, before you continue, I see a number of things there that practically yell really bad idea. :warning:

  • You’re running Git as root. Git doesn’t do anything that needs root access, and running anything as root unnecessarily is an unnecessary security risk.
  • You disable the SSH known hosts file and host key checking. This means that anyone who can mess with your network traffic can make you connect to anywhere they want, and have your Git command download whatever they want.
  • I assume that if you clone in root, you intend to use the repository as root. In combination with not checking the identity of the remote host that makes it really easy for an attacker to get remote code execution.

Get GitHub's SSH key fingerprints (GitHub Docs), retrieve the keys, verify, and add them to the right user’s known hosts file, and use that file when connecting.

Don’t clone as root, clone as a regular user. If your tool really needs to run (or install) as root you can still do that after. Good luck! :slightly_smiling_face:


Thanks for your help @airtower-luna

It was indeed the missing export for GIT_SSH_COMMAND :persevere:

Regarding root, that is just because this was originally a quick test in a VPS instance using the default web console login (quick & dirty)… I 100% subscribe to your advice.

For what it’s worth, here is the “working” shell snippet (w/o the bad parts :slight_smile:)

user@host:~# export GIT_SSH_COMMAND='ssh -i key -o IdentitiesOnly=yes'
user@host:~# git clone git@github.com:*github-user*/*github-repo*.git .
Cloning into '.'....

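Added example, not part of any post in this thread: a shell sketch of the two points raised in the answer above, why the unexported GIT_SSH_COMMAND never reached git, and how to keep host key checking on with a dedicated known hosts file whose keys are checked against fingerprints copied from GitHub's documentation. The function names, the `key` and `known_hosts.github` paths and the trusted-fingerprints file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, key path, known_hosts
# path and the trusted-fingerprints file are assumptions for illustration.

# Run in a child process, like git: prints what it inherited.
VIEW='printf "%s" "${GIT_SSH_COMMAND-<unset>}"'

# Plain assignment creates a shell variable only; children never see it.
seen_after_assignment() {
    ( unset GIT_SSH_COMMAND; GIT_SSH_COMMAND="$1"; sh -c "$VIEW" )
}

# export places the variable in the environment of every later child.
seen_after_export() {
    ( GIT_SSH_COMMAND="$1"; export GIT_SSH_COMMAND; sh -c "$VIEW" )
}

# Prefix form: set for this single command and nothing else.
seen_with_prefix() {
    ( unset GIT_SSH_COMMAND; GIT_SSH_COMMAND="$1" sh -c "$VIEW" )
}

# ssh command that keeps host key checking on and reads only a dedicated
# known_hosts file ($2). Assumes both paths contain no whitespace.
pinned_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1" "$2"
}

# Succeeds only if every host key in file $1 has its SHA256 fingerprint
# listed (one per line) in file $2, copied by hand from GitHub's docs.
host_keys_verified() {
    fps=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}')
    [ -n "$fps" ] || return 1          # unreadable or empty file: refuse
    for fp in $fps; do
        grep -qxF -- "$fp" "$2" || return 1
    done
}

# Demo with a constructed value; no network access, no real key needed.
cmd='ssh -i key -o IdentitiesOnly=yes'
printf 'assignment: %s\n' "$(seen_after_assignment "$cmd")"
printf 'export:     %s\n' "$(seen_after_export "$cmd")"
printf 'prefix:     %s\n' "$(seen_with_prefix "$cmd")"
printf 'pinned:     %s\n' "$(pinned_ssh_command key known_hosts.github)"
```

Once `host_keys_verified` succeeds on the retrieved keys, `export GIT_SSH_COMMAND="$(pinned_ssh_command key known_hosts.github)"` makes a later clone fail closed when the server presents a key that is not in that file.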