SSH Keys Configuration for Git

SSH keys enable LabID to import workflows from private and institutional Git repositories using an instance-wide SSH key.

Repository Access Limitations

LabID uses a single SSH key for the entire instance. This key can only access organizational repositories where it's configured as a deploy key. It cannot access individual users' private repositories. Personal private repos like git@github.com:john-doe/my-repo.git will fail with "Permission denied".

Quick Setup

1. Get Your SSH Key

Retrieve the auto-generated public key:

cat ~/.ssh/id_rsa_labid.pub

2. Add Key as Deploy Key

Add the public key as a deploy key to your organizational repository:

GitHub → Settings → Deploy Keys → Add deploy key

• Paste key, title: "LabID Instance"
• Leave "Allow write access" unchecked

Gitlab → Settings → Repository → Deploy Keys → Add key

• Paste key, title: "LabID Instance"

Bitbucket → Settings → Access Keys → Add key

• Paste key, label: "LabID Instance"

3. Test Connection

# Test connection
ssh -T git@github.com
ssh -T git@gitlab.example.com

# Test with specific key if needed
ssh -T git@github.com -i ~/.ssh/id_rsa_labid

✅ Done! Users can now import repositories using SSH URLs like git@github.com:your-org/repo.git

Repository Access Types

Repository Type	Access Method	Example
Public repositories	Direct access (HTTPS or SSH)	https://github.com/public/repo.git
Organizational/team repositories	SSH with deploy key	git@github.com:company/workflows.git
Service account repositories	SSH key added to service account	git@github.com:labid-bot/templates.git
Individual private repositories	❌ Not supported	Transfer to organization

Advanced Configuration

Custom SSH Key Locations

# Option 1: Symbolic links
ln -s /opt/labid/keys/custom_key ~/.ssh/id_rsa_labid
ln -s /opt/labid/keys/custom_key.pub ~/.ssh/id_rsa_labid.pub

# Option 2: Environment variables
export DJANGO_SSH_PRIVATE_KEY_PATH=/opt/labid/keys/custom_key
export DJANGO_SSH_PUBLIC_KEY_PATH=/opt/labid/keys/custom_key.pub

Multiple Git Hosts

Edit SSH config (path from DJANGO_GIT_SSH_CONFIG_FILE):

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_labid
    StrictHostKeyChecking no

Host gitlab.example.com
    HostName gitlab.example.com
    User git
    IdentityFile ~/.ssh/id_rsa_labid
    StrictHostKeyChecking no

Deploy Keys vs Service Accounts

Deploy Keys: Repository-specific access (recommended for few repositories)

• More secure, read-only by default
• Must configure per repository

Service Accounts: Organization-wide access (better for many repositories)

• Single setup across multiple repositories
• Requires dedicated user account (e.g., labid-service)

Troubleshooting

Common Issues

Permission denied

# Fix key permissions
chmod 600 ~/.ssh/id_rsa_labid
chmod 644 ~/.ssh/id_rsa_labid.pub

Key not found

# Regenerate if missing
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_labid -N ""

Connection test fails

# Debug connection
ssh -vvv -T git@github.com -i ~/.ssh/id_rsa_labid

HTTPS URL doesn't work

• Use SSH format: git@github.com:org/repo.git instead of https://github.com/org/repo.git

Individual private repository access denied

• Transfer repository to organization, or
• Create service account (e.g., labid-bot) and add SSH key to it

Security Best Practices

• Rotate keys regularly
• Prefer deploy keys over service accounts when possible
• Include SSH keys in backup strategy

Related Documentation

• Workflow Administration - Workflow system setup
• Settings Configuration - General configuration
• Installation Guide - Initial deployment