title:Managing deploy keys | GitHub API

* TOC

{:toc}

There are four ways to manage SSH keys on your servers when automating deployment scripts:

* SSH agent forwarding

* HTTPS with OAuth tokens

* Deploy keys

* Machine users

This guide will help you decide what strategy is best for you.

In many cases, especially in the beginning of a project, SSH agent forwarding is the quickest and simplest method to use. Agent forwarding uses the same SSH keys that your local development computer uses.

* You do not have to generate or keep track of any new keys.

* There is no key management; users have the same permissions on the server that they do locally.

* No keys are stored on the server, so in case the server is compromised, you don't need to hunt down and remove the compromised keys.

* Users**must** SSH in to deploy; automated deploy processes can't be used.

* SSH agent forwarding can be troublesome to run for Windows users.

1. Turn on agent forwarding locally. See[our guide on SSH agent forwarding][ssh-agent-forwarding] for more information.

2. Set your deploy scripts to use agent forwarding. For example, on a bash script, enabling agent forwarding would look something like this:`ssh -A serverA 'bash -s' < deploy.sh`

If you don't want to use SSH keys, you can use[HTTPS with OAuth tokens][git-automation].

* Anyone with access to the server can deploy the repository.

* Users don't have to change their local SSH settings.

* Multiple tokens (one for each user) are not needed; one token per server is enough.

* A token can be revoked at any time, turning it essentially into a one-use password.

* Generating new tokens can be easily scripted using[the OAuth API](https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization)

* You must make sure that you configure your token with the correct access scopes.

* Tokens are essentially passwords, and must be protected the same way.

See[our guide on Git automation with tokens][git-automation].

A deploy key is an SSH key that is stored on your server and grants access to a single GitHub repository. This key is attached directly to the repository instead of to a personal user account.

* Anyone with access to the repository and server has the ability to deploy the project.

* Users don't have to change their local SSH settings.

* Deploy keys only grant access to a single repository. More complex projects may have many repositories to pull to the same server.

* The key has full read/write access to the repository.

* Deploy keys are usually not protected by a passphrase, making the key easily accessible if the server is compromised.

1.[Run the`ssh-keygen` procedure][generating-ssh-keys] on your server.

2. In the top right corner of any GitHub page, click your profile photo.


3. On your profile page, click the**Repositories** tab, then click the name of your repository.


4. In your repository's right sidebar, click**Settings**.


3. In the sidebar, click**Deploy Keys**.


3. Click**Add deploy key**. Paste your public key in and submit.


If your server needs to access multiple repositories, you can choose to attach an SSH key to an automated user account. Since this account won't be used by a human, it's called a machine user. You can then[add the machine account as collaborator][collaborator] or[add the machine user to a team][team] with access to the repositories it needs to manipulate.

<divclass="alert">

<p>

<strong>Tip</strong>: Our <ahref="https://help.github.com/articles/github-terms-of-service">terms of service</a> do mention that <em>'Accounts registered by "bots" or other automated methods are not permitted.'</em> and that <em>'One person or legal entity may not maintain more than one free account.'</em> But don't fear, we won't send rabid lawyers out to hunt you down if you make machine users for your server deploy scripts. Machine users are completely kosher.

</p>

</div>

* Anyone with access to the repository and server has the ability to deploy the project.

* No (human) users need to change their local SSH settings.

* Multiple keys are not needed; one per server is adequate.

* Organizations can give read-only access to their machine users.

* By default, the key has full read/write access to the repository if the repository belongs to a user account. You can add the machine user to a read-only team if it's accessing repositories in an organization.

* Machine user keys, like deploy keys, are usually not protected by a passphrase.

1.[Run the`ssh-keygen` procedure][generating-ssh-keys] on your server and attach the public key to the machine user account.

2. Give that account access to the repositories it will need to access. You can do this by[adding the account as collaborator][collaborator] or[adding it to a team][team] in an organization.

[ssh-agent-forwarding]:/guides/using-ssh-agent-forwarding/

[generating-ssh-keys]:https://help.github.com/articles/generating-ssh-keys

[tos]:https://help.github.com/articles/github-terms-of-service

[git-automation]:https://help.github.com/articles/git-automation-with-oauth-tokens

[collaborator]:https://help.github.com/articles/how-do-i-add-a-collaborator

[team]:https://help.github.com/articles/adding-organization-members-to-a-team

title:Using SSH Agent Forwarding | GitHub API

* TOC

{:toc}

SSH agent forwarding can be used to make deploying to a server simple. It allows you to use your local SSH keys instead of leaving keys (without passphrases!) sitting on your server.

If you've already set up an SSH key to interact with GitHub, you're probably familiar with`ssh-agent`. It's a program that runs in the background and keeps your key loaded into memory, so that you don't need to enter your passphrase every time you need to use the key. The nifty thing is, you can choose to let servers access your local`ssh-agent` as if they were already running on the server. This is sort of like asking a friend to enter their password so that you can use their computer.

Check out[Steve Friedl's Tech Tips guide][tech-tips] for a more detailed explanation of SSH agent forwarding.

Ensure that your own SSH key is set up and working. You can use[our guide on generating SSH keys][generating-keys] if you've not done this yet.

You can test that your local key works by entering`ssh -T git@github.com` in the terminal:

<preclass="terminal">

$ ssh -T git@github.com

<spanclass="comment"># Attempt to SSH in to github</span>

<spanclass="output">Hi <em>username</em>! You've successfully authenticated, but GitHub does not provide</span>

<spanclass="output">shell access.</span>

</pre>

We're off to a great start. Let's set up SSH to allow agent forwarding to your server.

1. Using your favorite text editor, open up the file at`~/.ssh/config`. If this file doesn't exist, you can create it by entering`touch ~/.ssh/config` in the terminal.

2. Enter the following text into the file, replacing`example.com` with your server's domain name or IP:

<divclass="warning">

<p>

<strong>Warning</strong>: You may be tempted to use a wildcard like <code>Host*</code> to just apply this setting to all SSH connections. That's not really a good idea, as you'd be sharing your local SSH keys with <em>every</em> server you SSH into. They won't have direct access to the keys, but they will be able to use them <em>as you</em> while the connection is established. <strong>You should only add servers you trust and that you intend to use with agent forwarding.</strong>

</p>

</div>

To test that agent forwarding is working with your server, you can SSH into your server and run`ssh -T git@github.com` once more. If all is well, you'll get back the same prompt as you did locally.

If you're unsure if your local key is being used, you can also inspect the`SSH_AUTH_SOCK` variable on your server:

<preclass="terminal">

$ echo "$SSH_AUTH_SOCK"

<spanclass="comment"># Print out the SSH_AUTH_SOCK variable</span>

<spanclass="output">/tmp/ssh-4hNGMk8AZX/agent.79453</span>

</pre>

If the variable is not set, it means that agent forwarding is not working:

<preclass="terminal">

$ echo "$SSH_AUTH_SOCK"

<spanclass="comment"># Print out the SSH_AUTH_SOCK variable</span>

<spanclass="output"><em>[No output]</em></span>

$ ssh -T git@github.com

<spanclass="comment"># Try to SSH to github</span>

<spanclass="output">Permission denied (publickey).</span>

</pre>

Here are some things to look out for when troubleshooting SSH agent forwarding.

Before you can make your keys work through agent forwarding, they must work locally first.[Our guide on generating SSH keys][generating-keys] can help you set up your SSH keys locally.

Sometimes, system configurations disallow SSH agent forwarding. You can check if a system configuration file is being used by entering the following command in the terminal:

<preclass="terminal">

$ ssh -v <em>example.com</em>

<spanclass="comment"># Connect to example.com with verbose debug output</span>

<spanclass="output">OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011</span>

<spanclass="output">debug1: Reading configuration data /Users/<em>you</em>/.ssh/config</span>

<spanclass="output">debug1: Applying options for example.com</span>

<spanclass="output">debug1: Reading configuration data /etc/ssh_config</span>

<spanclass="output">debug1: Applying options for *</span>

$ exit

<spanclass="comment"># Returns to your local command prompt</span>

</pre>

In the example above, the file*~/.ssh/config* is loaded first, then*/etc/ssh_config* is read. We can inspect that file to see if it's overriding our options by running the following commands:

<preclass="terminal">

$ cat /etc/ssh_config

<spanclass="comment"># Print out the /etc/ssh_config file</span>

<spanclass="output"> Host *</span>

<spanclass="output"> SendEnv LANG LC_*</span>

<spanclass="output"> ForwardAgent no</span>

</pre>

In this example, our*/etc/ssh_config* file specifically says`ForwardAgent no`, which is a way to block agent forwarding. Deleting this line from the file should get agent forwarding working once more.

Agent forwarding may also be blocked on your server. You can check that agent forwarding is permitted by SSHing into the server and running`sshd_config`. The output from this command should indicate that`AllowAgentForwarding` is set.

On most computers, the operating system automatically launches`ssh-agent` for you. On Windows, however, you need to do this manually. We have[a guide on how to start`ssh-agent` whenever you open Git Bash][autolaunch-ssh-agent].

To verify that`ssh-agent` is running on your computer, type the following command in the terminal:

<preclass="terminal">

$ echo "$SSH_AUTH_SOCK"

<spanclass="comment"># Print out the SSH_AUTH_SOCK variable</span>

<spanclass="output">/tmp/launch-kNSlgU/Listeners</span>

</pre>

You can check that your key is visible to`ssh-agent` by running the following command:

<preclass="terminal">

ssh-add -L

</pre>

If the command says that no identity is available, you'll need to add your key:

<preclass="terminal">

ssh-add <em>yourkey</em>

</pre>

[tech-tips]:http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

[generating-keys]:https://help.github.com/articles/generating-ssh-keys

[ssh-passphrases]:https://help.github.com/ssh-key-passphrases/

[autolaunch-ssh-agent]:https://help.github.com/articles/working-with-ssh-key-passphrases#auto-launching-ssh-agent-on-msysgit

<li><h3><ahref="/guides/traversing-with-pagination/">Traversing with pagination</a></h3></li>

<li><h3><ahref="/guides/building-a-ci-server/">Building a CI server</a></h3></li>

<li><h3><ahref="/guides/delivering-deployments/">Delivering deployments</a></h3></li>

<li><h3><ahref="/guides/managing-deploy-keys/">Managing deploy keys</a></h3></li>

<li><h3><ahref="/guides/using-ssh-agent-forwarding/">Using SSH agent forwarding</a></h3></li>

}

h4 {

margin:1em0;

position: relative;

}

margin:12px0;

}

ol {

counter-reset: li;

list-style: none;

position: relative;

padding-bottom:10px;

}

ol>li {

padding:5px05px55px;

position: relative;

margin-bottom:5px;

}

ol>li:before {

content:counter(li);

counter-increment: li;

position: absolute;

top:0;

left:0;

height:100%;

width:30px;

padding:010px00;

color:#999;

font-size:22px;

font-weight: bold;

line-height:35px;

text-align: right;

border-right:1px solid#ddd;

}

ol>li>p:first-child {

margin-top:0;

}

ol>li:after {

content:".";

display: block;

clear: both;

visibility: hidden;

line-height:0;

height:0;

}

.contentol>liimg {

max-width:100px;

margin:00010px;

float: right;

border:1px solid#ddd;

cursor: pointer;

}

.contentol>liimg.expanded {

max-width:400px;

}

.content .full-image {

position: absolute;

top:5px;

right:-20px;

z-index:100;

}

.content .full-imageimg {

position: absolute;

top:0;

right:20px;

margin:0;

max-width:600px;

box-shadow:003pxrgba(0,0,0,0.2);

}

.content .full-image:hover .octicon, .full-image:hover .mini-icon {

color:#666;

}

.content .full-image .octicon, .full-image .octicon-remove-close {

position: absolute;

top:0px;

right:0px;

color:#999;

cursor: pointer;

}

.content .description {

margin-left:20px;

color:#f9fe64;

}

.terminalspan.comment {

color:#ccc;

}

.terminalspan.output {

color:#63E463;

}

.alert {

position:relative;

padding:015px;

color:#264c72;

color:#264c72;

border:1px solid#97c1da;

border-radius:3px;

background-color:#d8ebf8;

}

.warning {

position:relative;

padding:015px;

color:#613A00;

border:1px solid#dca874;

border-radius:3px;

background-color:#ffe3c8;

}