1
  1. I generated my ssh key on my local machine.

  2. I then used the following command to copy my public key onto my server: ssh-copy-id username@remote_host. That went smoothly.

  3. I have confirmed that my local machine's ~/.ssh/id_rsa.pub has been copied onto my server at my_user's_home_directory/.ssh/authorized_keys. There are no other files in there.

  4. I've also copied that same public key into Gitlab.

  5. When I try to git clone a repo onto the server, I'm told:

```
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
  6. I can ssh easily enough into my server. But since my server doesn't hold my private key, it sort of makes sense to me that I wouldn't be able to ssh git clone. What's the normal procedure here? I can do a regular https download, is that the standard route?
Karoh

2 Answers

3

You can use ssh -A to forward your ssh-agent to the remote host which will use your local keys from the remote server without sending the keys themselves.

While this seems like a secure option, only do this if you absolutely trust the remote server (i.e. don't enable this by default). The forwarded ssh-agent can be used by anyone with the same remote user as yours or with root privileges.

If you decide to go that way, I'd recommend adding keys to the agent with ssh-add -c so you're prompted for confirmation when a key is used.

Ginnungagap
  • Using 'ssh -A' to get into my server doesn't work for me, unfortunately. I'm getting the same prompt. I tried this on two different servers both of which I can access normally with ssh. What do you think could be going wrong here? – Karoh Dec 11 '20 at 15:27
  • `-A` forwards your local `ssh-agent` to the remote server so you need to `ssh -A remote` and from there `git clone` or whatever. That also means you need a local `ssh-agent` with your key(s) loaded – Ginnungagap Dec 11 '20 at 15:43
  • That makes sense. I'm having a hard time finding out how to do that. I've created a .ssh/config file, given it chmod 600 privileges, and added "AddKeysToAgent yes". Now do you add something to your .bashrc to run the ssh agent automatically? Is that all that's required? – Karoh Dec 11 '20 at 17:04
  • To start SSH agent: `eval $(ssh-agent)`. – Tero Kilkanen Dec 12 '20 at 10:54
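
A diagnostic for the situation in the comments above, where `ssh -A` still gave the same prompt; this is an added example, not part of the original answer or comments. The function names `agent_status` and `agent_report` are hypothetical, and `<keyfile>` is a placeholder for your own private key path.

```shell
#!/bin/sh
# Added example: find out why agent forwarding (ssh -A) offers no key.
# Run it on the local machine first, then again on the server from inside
# the `ssh -A` session, before retrying `git clone`.

# agent_status: classify the agent reachable through $SSH_AUTH_SOCK.
# Returns 0 = agent reachable and holding at least one key
#         1 = agent reachable but holding no keys
#         2 = no agent reachable (variable unset, socket missing, dead agent)
agent_status() {
    # Without this variable neither ssh nor git has an agent to ask.
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 2
    # It must point at a live UNIX socket, not a stale path.
    [ -S "$SSH_AUTH_SOCK" ] || return 2
    # ssh-add -l exits 0 with keys, 1 with none, 2 if it cannot connect.
    ssh-add -l >/dev/null 2>&1
}

# agent_report: print a verdict and the next step for this side of the hop.
agent_report() {
    rc=0
    agent_status || rc=$?
    case "$rc" in
        0) echo "agent OK: keys available"
           ssh-add -l ;;
        1) echo "agent running but empty: load a key with 'ssh-add -c <keyfile>'" ;;
        *) echo "no agent here: locally run 'eval \$(ssh-agent)'; on the server reconnect with 'ssh -A'" ;;
    esac
    return "$rc"
}
```

Source the file and call `agent_report` on each side. The server should list the same key fingerprints as the local machine; if it reports no agent while the local side is fine, the forwarding itself was not set up for that session.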
0

git is decentralized. Could fetch from Gitlab to your PC, then push from your PC to the server. ssh client is your PC for both, so your private key or forwarded agent doesn't touch the server.

Or, could have multiple ssh keys. A personal one for your PC, and a different one for the server. More keys to manage, but possible to monitor and control separately, service account style.

Or, don't use git as a deployment tool. Generate a package or some other archive, and install that like you do other software.

John Mahowald