14

I have a private repo on Github that houses 3 submodules, all 3 of which are also private.

I have generated 4 SSH keys on my EC2 server and applied them as Github deploy keys to all 4 private repositories.

I am able to clone the primary repository as it recognizes the SSH key. When I run "git submodule update" it fails on the private repos with the following error:

ERROR: Repository not found. fatal: The remote end hung up unexpectedly

If I manually check out those private repos it works, but not when using the git submodule command. Any idea? Is this not fully supported?

Miles Johnson
  • 496
  • 1
  • 6
  • 16

1 Answers1

11

github's authentication is a bit odd. They don't use usernames; they just infer based on the public key you presented which user you are. Since you generated four deploy keys, it's anyone's guess which one will be used by your server when it connects to github - github will accept any of them, then reject any access to repositories that don't have that key registered.

As such, the simplest solution is to just use a single deploy key for all of the repositories.

If you can't, however, you can hack around this using ssh host aliases. Add to your server's ~/.ssh/config stanzas like the following:

Host repo-foo
  HostName  ssh.github.com
  Port 443
  User git
  IdentityFile /path/to/my-ssh-key-file-for-foo
  IdentitiesOnly yes

Host repo-bar
  HostName ssh.github.com
  Port 443
  User git
  IdentityFile /path/to/my-ssh-key-file-for-bar
  IdentitiesOnly yes

Then point your submodules at repo-bar:username/bar.git and repo-foo:username/foo.git rather than using the git@github.com:... form.

This will effectively cause git and ssh to treat each repository as living on a different server, and pass in an explicit identity file, so there is no confusion over what key to use.

zsalzbank
  • 9,685
  • 1
  • 26
  • 39
bdonlan
  • 224,562
  • 31
  • 268
  • 324
  • 1
    Yeah I figured as much, however, deploy keys are unique and I can't place them across multiple projects. I'll see what else I can do, but I mainly just want passwordless deploys. – Miles Johnson May 17 '12 at 22:40
  • 1
    This isn't odd; it's pretty standard! And the standard solution is precisely as you've suggested. – Asherah May 18 '12 at 02:44
  • @Len, standard as it may be, it's quite odd. github ought to fix their stuff to allow the same deploy key to be used on multiple repos :) – bdonlan May 18 '12 at 03:13
  • @bdonlan: I still think it's not that odd ;-). I guess the "philosophy" behind the deploy key is that you can revoke one and know exactly which repo is being revoked. (Btw, OT, but are you bdonlan.livejournal.com?) – Asherah May 18 '12 at 05:19
  • @Len, it's odd because it means I need to configure something (`~/.ssh/config`) before downloading my configuration. Revocation should really be two ways - deny host X access to repo Y, or revoke key Z from host X. Revoking key Z from repo Y gets clunky. And bdonlan.livejournal.com hasn't been updated for six years :) – bdonlan May 18 '12 at 06:12
  • @bdonlan: yes, I know what you mean; it's a bit clunky. At any rate, I thought I recognised your name! You and I were [mutual friends](http://ayashiijanai.livejournal.com/profile) back in the day when I used LJ. – Asherah May 18 '12 at 06:27