Different keys to push and pull to git repository

I was getting fed up of typing in the password for my home server when pulling changes from a git repository up to the live server. But I'm not comfortable with putting my private key on the remote since other people have root. What to do?

I made two new SSH key pairs. One with a passphrase and one without. I told gitosis, which handles permissions for the git repositories on my home server, to accept my main passphraseless key with read/write access, the passphrased one also with read/write access, and the new passphraseless one with read-only access. I then uploaded the private keys for the passphrased key and the new passphraseless key to the remote host.

So even though they have one of my passphraseless private keys, it's only good for read access to the repositories -- data which they already have anyway.

To tell SSH it has multiple keys you edit the config file and add an IdentityFile line for each key. But when connecting to the remote SSH server only the first acceptable key is tried. So if the passphraseless key is first everything will be fine when doing a read operation but gitosis will give a no permission error message when doing a write operation, and the other key won't be tried. If the key with the passphrase is first, the passphrase is asked for no matter whether it's a read or write operation.

So here's the solution: pretend to git using the pushurl option that we're pulling from and pushing to different hosts, then set up SSH to use different keys for these different hosts, but in fact then point them to the same host. Here's the configuration to illustrate.

Configuration in repository/.git/config:

[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = gitosis@example.com:repository.git
    pushurl = gitosis@rw.example.com:repository.git

Configuration in ~/.ssh/config:

Host example.com
IdentityFile ~/.ssh/id_rsa.ro

Host rw.example.com
IdentityFile ~/.ssh/id_rsa.rw
HostName example.com

So the dummy hostname rw.example.com triggers SSH to use the passphrased private key at the correct hostname. A passphrase prompt appears when pushing but not when pulling.

No comments:

Post a comment