Networking in a corporate environment can be an adventure. You never know which ports are blocked and what exactly the proxy does to your packets. Recently, I wanted to set up my "git environment" on an on-premise cluster. In my department, we use the nodes as development machines (they have Nvidia GPUs, and a big chunk of our codebase has hardcoded CUDA dependencies, which our laptops do not satisfy). As such, I want to be able to interact with git repositories hosted on GitHub. At the same time, there are two constraints for my authentication method:
- I do not want to store any credentials in plain text on the server.
- Whatever method I use has to cope with corporate networking quirks.
This blog post will tell you a bit about my approach towards the first point. In this companion blog post, you can find my thoughts regarding the second point.
One account to rule them all
- I use my private GitHub account
- Sometimes it is useful to have your home readable…
- Admins…
- No keychain
- Tokens stored in plain text (e.g., by gh-cli)
- Possible solution: ssh agent forwarding
Added complexity: Commit signing
- Sometimes required for accountability
- Also kind of good practice (cite)
- Originally, using gpg keys
- However, ssh keys are also supported
- So should work with key forwarding
Assumptions
- ssh keys on your laptop are safe (enough)
- You can protect them with a password or put them in a keychain
- Or use a password manager like 1Password (look up)
How to set up
Agent forwarding to operate on private repositories
- On your laptop, create an ssh key and add it to GitHub
- Make sure to start an ssh agent
- OMZ has an ssh agent plugin
- Look up bash and pure zsh solutions
- Check the ssh agent is running, e.g. via
ssh-add -L
# Output:
# ...
- Forward the ssh agent via ssh
Host my_node
    ...
    ForwardAgent yes
- For temporary testing
ssh -o "ForwardAgent=yes" ...
- On the cluster, check that an ssh agent is running with the right key, again with
ssh-add -L
- If you use the zsh plugin, you need to specify settings to allow port forwarding
- At this point, you should be able to operate on private GitHub repositories.
- This might be a good time to clone a private repository.
Agent forwarding for commit signing
- We need to tell git that we want to use ssh for signing
- Then we need to tell it about which key to use
- We can activate that globally or on a per project basis
- The commands to add this to your git config are
git config
git config
- If you run these commands with the --global flag, your ~/.gitconfig should contain (among others) the following entries
- Check if everything works by signing a commit, e.g., via
git commit -S
- You can always sign commits by configuring
git config
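The signing setup from this section, as an added example that is not from the original post: it picks a public key out of `ssh-add -L` output by its comment and writes git's `gpg.format`, `user.signingkey` and `commit.gpgsign` settings for it. The helper names `select_agent_key` and `configure_ssh_signing` and the sample key lines are constructed for illustration, and the use of a key comment to choose the key is an assumption.

```shell
#!/bin/sh
# Added example. select_agent_key and configure_ssh_signing are hypothetical
# helper names; the key material below is constructed, not a real key.

# Read `ssh-add -L` output ("<type> <base64> <comment>") on stdin and print the
# first key whose comment contains $1, in git's literal "key::" form.
select_agent_key() {
    awk -v want="$1" '
        $1 ~ /^(ssh-|sk-|ecdsa-)/ && NF >= 3 {
            comment = $3
            for (i = 4; i <= NF; i++) comment = comment " " $i
            if (index(comment, want)) { print "key::" $1 " " $2; found = 1; exit }
        }
        END { exit !found }'
}

# Point the repository in $1 at public key $2 for SSH signing. Only the public
# key lands in .git/config; signing is done by the agent behind SSH_AUTH_SOCK.
configure_ssh_signing() {
    git -C "$1" config gpg.format ssh &&
    git -C "$1" config user.signingkey "$2" &&
    git -C "$1" config commit.gpgsign true
}

# Constructed sample of what `ssh-add -L` prints on the cluster node.
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAuthKeyOnly laptop auth
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleSigningKey github-signing'

# Demo on a throwaway repository (skipped when git is not installed).
# For real use, replace the printf with: ssh-add -L | select_agent_key <comment>
if command -v git >/dev/null 2>&1; then
    demo_repo=$(mktemp -d)
    git init -q "$demo_repo"
    key=$(printf '%s\n' "$SAMPLE_AGENT_KEYS" | select_agent_key github-signing)
    configure_ssh_signing "$demo_repo" "$key"
    git -C "$demo_repo" config --get-regexp '^(gpg\.format|user\.signingkey|commit\.gpgsign)$'
    rm -rf "$demo_repo"
fi
```

Because `user.signingkey` holds only a public key, a signed commit on the cluster succeeds only while the forwarded agent is reachable; `select_agent_key` returns a non-zero status when the agent offers no matching key.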