Git & SSH Key Authentication

Source control is all about cloning, branching and committing code, and developers do this multiple times a day. Why stop to type a user name and password over and over with each commit? It's redundant and goes against the idea that "machines work, people think." Pretty quickly the repetitive typing becomes tiresome and it's time to move on to some sort of key authentication. But which type of key?

Briefly... SSH Key Types

RSA Keys

RSA (named for its inventors' last names: Rivest/Shamir/Adleman) was invented in 1977. To anyone using SSH keys, the term RSA is an old friend. The RSA algorithm is widely supported, but the large key size adds a performance cost. Further, TLS 1.3 is diminishing the preeminence of RSA in favor of other approaches to public/private key pairs.

ECDSA Keys

ECDSA, for Elliptic Curve Digital Signature Algorithm, arose to address some of the concerns from RSA and provide better performance. ECDSA features a shorter key length for about the same level of security. However, there are concerns that the NSA inserted a backdoor to be able to crack ECDSA keys, which adds a concern over using the NIST curves.

ED25519

This is the newest kid on the block, yet it has existed for years. This type of key keeps the length short, offers good performance and (as of this writing) does not have the controversy of having an NSA backdoor. In 2020, GitHub suggests using ED25519 for SSH keys.

What Keys are You Using?

If you have existing keys, it may be interesting to know what kind of keys are in use. On a Linux box, a simple script can provide that answer:

for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq

The output is a line for each key found in the form of:

256 SHA256:11BlahBlahBunchOfRamdomishCharacters your.name@somewhere.com (ED25519)
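
Going a step beyond listing the keys, the script below (an added example, not part of the original post) parses that output format and flags keys worth replacing. The verdict rules, the 3072-bit RSA threshold, the `MIN_RSA_BITS` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify `ssh-keygen -l` output by key type and size.
# Verdict rules and the RSA threshold are this example's assumptions.

# Reads lines of the form "<bits> <hash> <comment...> (<TYPE>)" on stdin and
# prints "<verdict> <TYPE> <bits> <hash>" for each key.
classify_keys() {
    awk -v min_rsa="${MIN_RSA_BITS:-3072}" '
    NF >= 3 && $NF ~ /^\(.*\)$/ {
        bits = $1 + 0
        type = $NF; gsub(/[()]/, "", type)   # comment may contain spaces, type is last
        if (type ~ /^ED25519/)    verdict = "OK"
        else if (type == "RSA")   verdict = (bits >= min_rsa + 0) ? "OK" : "WEAK"
        else if (type == "ECDSA") verdict = "REVIEW"  # NIST-curve concern from the text
        else if (type == "DSA")   verdict = "WEAK"
        else                      verdict = "UNKNOWN"
        print verdict, type, bits, $2
        next
    }
    NF { print "UNPARSED", $0 }   # anything not in the expected form
    '
}

# Runs the loop from the post over the public keys in a directory (default ~/.ssh).
audit_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    for key in "$dir"/id_*.pub; do
        [ -f "$key" ] || continue
        ssh-keygen -l -f "$key"
    done | classify_keys
}

# Constructed sample lines (not real fingerprints) in the output format shown above.
sample_lines() {
    cat <<'EOF'
256 SHA256:constructed-fp-1 your.name@somewhere.com (ED25519)
2048 SHA256:constructed-fp-2 old laptop key (RSA)
4096 SHA256:constructed-fp-3 your.name@somewhere.com (RSA)
256 SHA256:constructed-fp-4 your.name@somewhere.com (ECDSA)
EOF
}

sample_lines | classify_keys   # replace with: audit_ssh_dir
```
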

Generating a Key Pair

On a Linux system, the ssh-keygen program generates SSH keys. From the command line:

ssh-keygen -t ed25519 -C "your.name@somewhere.com"

Breaking down that command, ssh-keygen is the program, -t is the type of key to generate and -C is the comment, here your email, that appears in the public key.

Once the ssh-keygen program is complete, two files will be created in the .ssh directory, named id_ed25519 and id_ed25519.pub. The file without the extension is the private key, which must be kept secure, while the .pub file is the public key to provide for access.

Getting the Public Key into Git

Now that an SSH key pair has been generated, the public key must be added to GitHub. Note that enterprise git installations may be a different version so the procedure may vary slightly. The goal is to get the new public key added to git to allow SSH authentication and remove the need to enter a user name and password with each check-in.

Navigate to GitHub (or the enterprise git in use) and look for a button to allow the editing of settings, which may be in the drop-down menu where a profile may be updated. Once the settings are located, find the link labeled "SSH and GPG keys". Once on the "SSH and GPG keys" page, find a button to add a new SSH key. Typically, entering a new SSH key should allow setting a name (useful to use one key for personal use and another for work, which can be revoked independently) and pasting the new public key. Once the form is filled, add the key.

If multiple machines are in use, either distribute the private key to each workstation or (and better) repeat the process for each workstation.