DEV Community

Cover image for How to set up an SSH key and use it for GitLab

How to set up an SSH key and use it for GitLab

sndrx on October 15, 2018

Hello, everybody! I got into another project about 3 months ago and almost everything was new to me (GrapheneDB, NodeJS, React and Redux...
Collapse
 
christianprogrammertaylor profile image
ChristianProgrammerTaylor • Edited

This is all well and good until GitLab has your email listed as XYZ but it really is ABC and the SSH key you generate is based upon your listed email address of ABC. Despite whatever email routing internally is happening the absence of a LocalHost file being mentioned in this how to disturbs me. I am in the middle of a fiasco with this scenario and in theory it is a simple task but because of the strange things happening with my domain credentials versus the multiple email addresses various applications are using this is making me look really bad

Collapse
 
bgadrian profile image
Adrian B.G.

Nice but in the UI where you add the keys you have a link to a tutorial for doing exactly this, what were your difficulties that you encountered?

Collapse
 
sndrx profile image
sndrx

At first, it didn't work out. I don't understand why, but I kept on getting the access denied error. So I took a step back and started to look somewhere else for different approaches to that error. I took notes while I searched and finally, I had to delete every key that I ever added on my GitLab account and delete the entire ssh folder. Also, the complication that occured was that I changed three laptops in two weeks. One key was working on two machines, and then no key would work at all. This is why I decided to delete everything and follow other instructions.

Collapse
 
bgadrian profile image
Adrian B.G.

I see, just a few regards I could add

  • do not share a key between devices. Beside being a security risk, a bad practice, this is the most like reason you had issues. You moved the key but you did not setup the proper file permissions, or did a proper setup of the ssh-agent. If you just generate a new key the gen will take care of that.

  • when you generate is good to have at least a size of 2k, 4k if you want to access more secure environments (some services require minimum 4k)

  • you can keep a public (or not) list of public keys, so if you want to give access to one of them, you do not have to go to that device, here is mine

  • if the public file was not generated (or you forgot to copy it) the command cat ~/.ssh/id_rsa.pub will fail with file not found, you can generate it from the private key again, something like ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

  • you can have multiple private keys, and force git to use different ones depending on the domains or specific machines, see here superuser.com/a/232406/950235

Thread Thread
 
sndrx profile image
sndrx

This is great. Thanks a lot!

Thread Thread
 
ferricoxide profile image
Thomas H Jones II
  • do not share a key between devices. Beside being a security risk, a bad practice, this is the most like reason you had issues. You moved the key but you did not setup the proper file permissions, or did a proper setup of the ssh-agent. If you just generate a new key the gen will take care of that.

Though, if you put your (password-protected) key on something like a (encrypted) thumbdirive you can gain mobility without having to host the key on multiple systems.

If you want to host the key directly on multiple systems, encrypting the filesystem(s) where you're store the key-copies can greatly reduce the cited security-risk.

If you opt to use GPG keys for everything (git-over-SSH, commit-signing, etc.), you can also sub in something like a Yubi-key or other "smart card" type of device. Can probably store and use other types of keys, as well, GPG's just the one I'm most familiar with.

Collapse
 
kejtenoviot_sin profile image
Кејтеновиот син ♦

If you sign your commits with a GPG key instead of SSH you will get the [verified] tag.

GPG signing

Collapse
 
bgadrian profile image
Adrian B.G.

Do not sign each commit, all sort of problems will appear later. Also it beats the purpose, if someone has write access to your repository, you have bigger problems. The commits can be signed with tag and they are immutable.

Collapse
 
ferricoxide profile image
Thomas H Jones II

Do not sign each commit, all sort of problems will appear later

Really good idea to not make assertions without qualifying them (be that qualifier directly explaining your assertion or, since we've got markdown, here, providing a link to explain why you've made such an assertion).

Collapse
 
olayodepossible profile image
Olayodepossible

Sincerely, this is great and helpful...Thank you!

Collapse
 
ats1999 profile image
Rahul kumar

a big thanks