SSH Git deploy keys with Linux servers and BitbucketFebruary 17, 2018
There’s a couple of ways to push code to production. Most larger projects have their own release flow, some of which includes automation, tests, etc. In this case I’m talking about a lot smaller projects.
So this is how to simply set up your server so you can pull code from bitbucket without using your own personal bitbucket account password via https, but instead pull the code with a server specific deploy key over ssh.
First you need to generate your server specific SSH-key, you can use the same key for multiple servers, but from a security perspective it’s better to have unique keys for each server.
Setting up the server with SSH keys
To generate the key we use the command
ssh-keygen -t rsa, you’ll be asked a couple of questions, like where to store the key (just go with the default if you’re unsure) and if you want to protect your key with an additional password.
bha@prod-01:~# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/bha/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/bha/.ssh/id_rsa. Your public key has been saved in /home/bha/.ssh/id_rsa.pub. The key fingerprint is: SHA256:HgrzdwgjYefhZAF0auqVXBZ7HSNLzZ+6fXjmR5nL09A bha@prod-01 The key's randomart image is: +---[RSA 2048]----+ | .o.+ ooo | | o = +oo | | = O o .. . | | = @ o o | | . B = S . .o| | . . = = o. .oE| | . o + .o ..oo| | . .. o ++o| | =...| +----[SHA256]-----+
If you went with the default location, your keys will be save in the
.ssh directory in your home folder. Inside of this folder you’ll find at least two files, the
id_rsa is your private key, do not under any circumstance share this key to anyone.
id_rsa.pub is your public key, you can share this to your heart’s content, it doesn’t matter.
bha@prod-01:~# ls -la ~/.ssh total 20 drwx------ 2 bha bha 4096 feb 17 18:09 . drwx------ 3 bha bha 4096 feb 17 18:06 .. -rw------- 1 bha bha 400 feb 17 18:06 authorized_keys -rw------- 1 bha bha 1675 feb 17 18:09 id_rsa -rw-r--r-- 1 bha bha 394 feb 17 18:09 id_rsa.pub
That’s it! You’ve now created you SSH key pair!
Setting up Bitbucket to use SSH access keys
Log on to bitbucket and navigate to your project. Go to Settings -> Access keys (not to be confused with SSH keys under pipeline!).
In this view you’ll see all access keys that have been added to this specific project.
In order to add your newly created key from your server, you’ll need to copy the contents of
id_rsa.pub (your public key). SSH keys are not binary, so you’ll be able to just output the contents and copy it to your clipboard.
bha@prod-01:~# cat ~/.ssh/id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvEzvmLseLTHYFWUeMMrwatA2c913lEXOKBWIjPwZxb8A2jEWkzREoCOAxgSF2ZkV5AJaY/QQ68WuUtkSegIfQF9LSDq51BhrFyi65eBPpNneLpI5bs70eSFN2KyKaSdDW79flyj28g4U94JA+pIRw2XPDwKrPr6NmvaPcGIIL5MWxgNKX40bGX3NpnyyJSG4LRkdoj4tF5Z6ZuglALXVTjrjopeBX0SRPlnHmtcJhYFIpzgPgXenFtzdLTNsXnhssGtNgajRW8D2oDUiO+MIaWeH+AZjhCqk+rbQSOz1QKvBsPN5WNcf0fso/82V1b2ymgjLzj/Ci1HTJ4rAQHaGN bha@prod-01
Now back in the browser, click the button “Add key”. A dialog window will appear, this is where you should paste in the contents from the public key.
And finally click the “Add key” button in the dialog to save the key.
Adding a new project over SSH
You should now be able to clone your project with nothing but the ssh url to the repository.
(If it’s the first time you ssh to bitbucket it might ask you to check the authenticity of the host for bitbucket; if it looks correct continue with yes)
bha@prod-01:~/my-repo# git clone firstname.lastname@example.org:yourusername/your-repository.git . Cloning into '.'... The authenticity of host 'bitbucket.org (220.127.116.11)' can't be established. RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'bitbucket.org,18.104.22.168' (RSA) to the list of known hosts. remote: Counting objects: 3, done. remote: Compressing objects: 100% (2/2), done. remote: Total 3 (delta 0), reused 0 (delta 0) Receiving objects: 100% (3/3), done.
Updating an old project from https to SSH
If you’ve already got a project checked out via https, you can easily update the remote url.
First check that your project uses the https endpoint with
git remote -v
bha@prod-01:~/my-repo# git remote -v origin https://email@example.com/yourusername/your-repository.git (fetch) origin https://firstname.lastname@example.org/yourusername/your-repository.git (push)
As in our example, both the push and fetch urls are over https. To update them we can change the origin with
git remote set-url.
bha@prod-01:~/my-repo# git remote set-url origin email@example.com:yourusername/your-repository.git
And now we can double check that origin was updated correctly via the
git remote -v command.
bha@prod-01:~/my-repo# git remote -v origin firstname.lastname@example.org:yourusername/your-repository.git (fetch) origin email@example.com:yourusername/your-repository.git (push)
Congratulations! You should now be able to
git pull without giving you personal bitbucket account password.