When we introduced GitLab, you had to type username and password each time you wanted to push any modification to the remote repository. This is because we used the HTTPS protocol to establish the communication with the GitLab server. This might be annoying, especially during the Coding Weeks, when you'll use GitLab everyday.
An alternative that avoids the use of username and password is to establish a SSH connection with the server with public key cryptography authentication. It is based on the following idea:
- We generate a pair of SSH keys, one public and the other private.
- We copy the public key to our account on GitLab, while we keep the private key securely stored on our computer. Private keys must not be shared with anyone .
When we type the command git push
, the SSH client running on our computer tries to establish a SSH connection with the SSH server running on GitLab. The following procedure is executed to authenticate us (i.e., to make sure we are who we claim to be):
- The SSH server generates some random data, known as a challenge, and encrypts it by using our public key.
- The SSH server sends the encrypted challenge back to the SSH client.
- The SSH client uses the corresponding private key to decrypt the challenge and sends it back to the SSH server.
- The SSH server compares the decrypted message received by the client with the challenge: if they match, we are successfully authenticated without the need of typing username and password.
We explain now how to:
1. Generate a public/private SSH key pair.
2. Add the public key to a GitLab account.
3. Verify that you can connect.
Generate a public/private SSH key pair
You can generate a pair of SSH keys as follows:
- Type command
ssh-keygen -t rsa -C "<comment>"
. Replace"<comment>"
with some annotation of yours (e.g., GitLab keys).rsa
is the name of a cryptographic algorithm that is used to generate the keys.
- Press the Return key; you'll be prompted to specify a file in which to save the key. Press the Return key to accept the proposed filename.
- If a message informs you that the filename exists, you already have a SSH key pair. Choose not to overwrite the file and interrupt the procedure.
- If you didn't interrupt the procedure at the previous step, you'll be prompted to enter a passphrase.
- The passphrase is used to protect the private key from unauthorized uses. When you open a terminal and establish a first SSH connection to the GitLab server, you'll be asked to enter the passphrase. As long as you don't close your terminal, the passphrase won't be needed for future SSH connections.
If you followed the above procedure, your keys should be located in folder ~/.ssh
(remember, ~
is the symbolic name of your home directory). File ~/.ssh/id_rsa
contains the private key; file ~/.ssh/id_rsa.pub
contains the corresponding public key.
Add the public key to a GitLab account
You first need to copy the content of file id_rsa.pub
, which contains the public key.
How to do it on Windows
Type the following command in the terminal (the shell must be GitBash):
cat ~/.ssh/id_rsa.pub | clip
How to do it on macOS
Type the following command in the terminal:
tr -d '\n' < ~/.ssh/id_rsa.pub | pbcopy
How to do it on Linux
Type the following command in the terminal (you need to install the xclip
package):
xclip -sel clip < ~/.ssh/id_rsa.pub
Now you need to paste the public key into your GitLab account, as follows:
- Sign in to GitLab.
- On the left sidebar, select your avatar. If the left sidebar is not visible, click on the icon at the left of the phrase "Your work" (in the top left-hand corner).
- Select Edit profile.
- On the left sidebar, select SSH Keys.
- Select Add new key.
- In the Key box, paste the contents of your public key.
- In the Title box, type a description (e.g., keys on my laptop).
- Optionally, you can update the expiration date.
- Select Add key.
Verify that you can connect
- Type command
ssh -T git@gitlab-student.centralesupelec.fr
- If you connect for the first time, you're prompted to verify the identity of the server with a given fingerprint. Check whether the given fingerprint matches one of those listed in this page. For this verification, remember that you used RSA to generate your SSH keys.
- If you successfully verified the identity of the server, type
yes
in the terminal and press the Return key. - Type command
ssh -T git@gitlab-student.centralesupelec.fr
again. You should receive a welcome message.
In case of problems, you can also run the SSH command in verbose mode to get clues into what went wrong:
ssh -Tvvv git@gitlab-student.centralesupelec.fr