3.7 KiB
Introduction
Accessing remote git repositories using HTTPS quickly becomes inconvenient: depending on the configuration of a git repository, a single git pull
might require to input the username/password three or more times.
Usually, generating a SSH keypair and adding the public half to the remote user profile would be easy and preferred, but working on a shared VM which erases its contents at every reboot creates some challenges: the goal of this document is to illustrate a potential workflow to securely use SSH git remotes in this environment.
Table of Contents
- Workflow to generate a semipermanent git profile
- Workflow to restore your profile after VM reboot
- Update existing
git
remotes to use an SSH URL - Alternatives
Workflow to generate a semipermanent git profile
These instructions should be followed only once, when generating for the first time your profile and keys. The newly generated private key and the profile archive will be encrypted using (different) passphrases to minimize security risks associated with the shared environment.
Generate SSH public keypair
ssh-keygen -t ed25519
- default location is recommended
- NOTICE: Set a (strong) passphrase on the SSH private key (the
ssh-agent
will automatically ensure you will not have to enter this passphrase several times in a session) - add the new public key to your Gitlab profile
cat $HOME/.ssh/id_ed25519.pub
to show the public key- on Gitlab web UI:
User > Settings > SSH Keys
Add the new public key to your Gitlab profile
Create a global git
configuration
git config --global user.name "Mario Super"
git config --global user.email "the.mario@student.tut.fi"
Create an encrypted tarball containing the profile
cd $HOME
tar cpvz .ssh .gitconfig | gpg --symmetric --output gitprofile.tar.gz.gpg
- Use a strong passphrase
- Avoid reusing the same passphrase protecting the SSH private key
- Don't forget your passphrases!!
- Save the encrypted archive either to an external USB drive (connecting it to the VM) or to your TUT profile folder (enabling and setting a Shared Folder from
VM > Settings > Options
)
Workflow to restore your profile after VM reboot
- recover the encrypted tarball from the storage you selected (external USB drive or TUT profile folder)
- decrypt and restore the archive:
gpg --decrypt /path/to/gitprofile.tar.gz.gpg | tar xpvz -C $HOME
Update existing git
remotes to use an SSH URL
If you used HTTPS URLs to define the remotes in your local git
repository and wish to switch to SSH to avoid repeated user/password accesses, you can use the following commands:
cd /path/to/your/local/repository
git remote set-url <remote_name> <remote_SSH_URL>
Examples:
course_upstream
:git remote set-url course_upstream git@course-gitlab.tuni.fi:comp.ce.460-real-time-systems_2023-2024/course_upstream.git
origin
(student project, where${GROUP_ID}
is your group number):GROUP_ID="<NN>" git remote set-url origin git@course-gitlab.tuni.fi:comp.ce.460-real-time-systems_2023-2024/${GROUP_ID}.git unset GROUP_ID
Alternatives
The described workflow is by no mean the only one.
It would be perfectly fine, for example, to generate a new keypair for every session and add the ephemeral public key to Gitlab every time (and remove old ephemeral keys). In this case you would also need to set the user.name
and user.email
properties in the git
configuration at every reboot.