I have an SSH keypair: private lives on my local Mac, public lives on several AWS cloud machines.

From my Mac, I can SSH to a cloud instance, call it "deploy server". From there, I need to deploy my application to several instances (I cannot deploy locally).

I authenticate to the other instances with my private key. I can do this by either leaving my private key on the deploy server (insecure), or SSH Agent Forwarding (probably not much better).

Moreover, the deploy takes a while, so I do it in a GNU screen or tmux session; then I just detach and end the SSH session with the deploy server, meaning I cannot use SSH Agent Forwarding (as I believe it requires the SSH connection to remain open).

What other options are available to me?

G. Joe

  • If you must deploy by git, why not push to the server directly from your Mac instead of pulling from GitHub? – Victory Oct 20 '15 at 22:53
  • Several reasons: 1) The script builds binaries locally (on the Linux server), some of which are platform-specific, so I can't do that on my Mac. 2) Connectivity between my local machine and my server is not reliable enough. 3) I want to be able to close my laptop, move locations, etc. while deploying. – G. Joe Oct 20 '15 at 23:09

1 Answer

You can use a deploy key. That is a server-specific key that has read-only access to the repository.

To use this, you need to:

  • Generate a private key for the server (ssh-keygen on the server)
  • Set it at the GitHub repo as a deploy key (https://github.com/<user>/<repo>/settings/keys). That will grant read-only permissions to the repo. There is a checkbox if you also need write access to it.

Read more in this GitHub help guide. There you can see more methods for deploying from a server that accesses a repository.

Alvaro Gutierrez Perez

  • I have clarified my question. I cannot leave any private keys on the server, lest it be compromised. – G. Joe Oct 21 '15 at 16:10
  • The deploy key only has read access to the repo. If it is compromised, one can only see your source code with it. And, if they managed to access the key, surely they can also access the local directory where the source is stored. – Alvaro Gutierrez Perez Oct 21 '15 at 18:18
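The deploy-key setup from the answer, written out as a shell script. This is an added example, not code from the original answer or from GitHub: it generates a dedicated ed25519 key on the deploy server and adds an ssh_config stanza so that git's connections to github.com use only that key (IdentitiesOnly), which also keeps any forwarded agent keys from being offered to GitHub. The key file names and the demo directory are assumptions; real use would point at ~/.ssh/deploy_ed25519 and ~/.ssh/config.

```shell
# Added example (not the original answer's code). Sets up a read-only GitHub deploy key
# on the deploy server so the private key that unlocks the other instances never leaves
# the Mac. Assumes OpenSSH's ssh-keygen is installed; all paths are placeholders.

# Append an ssh_config stanza that makes git use ONLY the deploy key for github.com.
# IdentitiesOnly stops ssh from offering other identities (including forwarded agent
# keys) to GitHub, so the deploy server reaches the repo with the read-only key alone.
write_deploy_ssh_config() {
    cfg="$1"
    keyfile="$2"
    cat >>"$cfg" <<EOF
Host github.com
    HostName github.com
    User git
    IdentityFile $keyfile
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Generate an ed25519 key with an empty passphrase (the deploy job runs unattended in
# tmux/screen). The private half stays on the deploy server; only the .pub half is
# pasted into https://github.com/<user>/<repo>/settings/keys as a deploy key.
generate_deploy_key() {
    keyfile="$1"
    comment="$2"
    ssh-keygen -q -t ed25519 -N '' -C "$comment" -f "$keyfile"
    chmod 600 "$keyfile"
    cat "$keyfile.pub"
}

# Check that an ssh_config pins github.com to the given key (exit 0 if it does).
config_pins_key() {
    grep -qF "IdentityFile $2" "$1" && grep -qF 'IdentitiesOnly yes' "$1"
}

# Demo with throwaway paths (constructed for this example).
demo_dir=$(mktemp -d)
write_deploy_ssh_config "$demo_dir/config" "$demo_dir/deploy_ed25519"
if command -v ssh-keygen >/dev/null 2>&1; then
    generate_deploy_key "$demo_dir/deploy_ed25519" "deploy-server-readonly"
fi
if config_pins_key "$demo_dir/config" "$demo_dir/deploy_ed25519"; then
    echo "ssh config pins github.com to the deploy key"
fi
# After the public key is registered as a deploy key, the unattended job on the
# deploy server can run:  git clone git@github.com:<user>/<repo>.git
```

If the key is ever exposed, remove it from the repository's deploy keys page and regenerate; because it is read-only and scoped to one repository, that is the full blast radius, as the answer's comment notes.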