Git Notes
Set up SSH keys for secure, passwordless authentication with GitHub. Generate keys, add to ssh-agent, configure GitHub, and troubleshoot connections.
If you are tired of entering your username and password (or token) every time you push, pull, or clone, SSH keys are the solution. Once configured, SSH authentication works silently in the background — no prompts, no credential management headaches, and significantly better security than password-based approaches.
SSH (Secure Shell) uses public-key cryptography. You generate a key pair: a private key that stays on your machine and a public key that you upload to GitHub. When you connect, GitHub challenges your machine to prove it has the private key without actually transmitting it. If the math checks out, you are authenticated. No secrets travel over the network.
How SSH Authentication Works
| 1. Connect | ||
|---|---|---|
| Private Key | ──────────────► | Public Key |
| (~/.ssh/id_ed25519) | (stored in account) | |
| 2. Challenge | ||
| ◄────────────── | Sends random data | |
| Signs with | 3. Response | |
| private key | ──────────────► | Verifies with |
| public key | ||
| 4. Granted | ||
| ◄────────────── | Authentication OK |
The private key never leaves your machine. Even if the network is compromised, your credentials are safe.
Generating SSH Keys
Ed25519 (Recommended)
ssh-keygen -t ed25519 -C "jane.doe@company.com"Generating public/private ed25519 key pair. Enter file in which to save the key (/home/jane/.ssh/id_ed25519): [Press Enter] Enter passphrase (empty for no passphrase): [Type passphrase] Enter same passphrase again: [Repeat passphrase] Your identification has been saved in /home/jane/.ssh/id_ed25519 Your public key has been saved in /home/jane/.ssh/id_ed25519.pub The key fingerprint is: SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx jane.doe@company.com
RSA (For Legacy Systems)
# Only use RSA if Ed25519 is not supported
ssh-keygen -t rsa -b 4096 -C "jane.doe@company.com"Why Ed25519 over RSA? Ed25519 keys are smaller (68 characters vs 544 for RSA-4096), faster to generate and verify, and considered equally or more secure. Use RSA only if connecting to systems that do not support Ed25519.
Adding Your Key to the SSH Agent
The SSH agent keeps your key loaded in memory so you do not have to type your passphrase for every Git operation:
# Start the SSH agent in the background
eval "$(ssh-agent -s)"Agent pid 59566
# Add your private key to the agent
ssh-add ~/.ssh/id_ed25519Identity added: /home/jane/.ssh/id_ed25519 (jane.doe@company.com)
macOS: Persist Across Reboots
# Add to ~/.ssh/config to auto-load key
Host github.com
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519Linux: Auto-Start Agent
Add to your ~/.bashrc or ~/.zshrc:
Adding Your Public Key to GitHub
# Display your public key (copy this entire output)
cat ~/.ssh/id_ed25519.pubssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx jane.doe@company.com
Navigate to: GitHub → Settings → SSH and GPG keys → New SSH key
- Title: "Work Laptop" (descriptive name)
- Key type: Authentication
- Key: Paste the public key
Testing Your Connection
ssh -T git@github.comHi janedoe! You've successfully authenticated, but GitHub does not provide shell access.
If you see this message, your SSH setup is working correctly.
Using SSH URLs with Git
# Clone using SSH (notice git@ instead of https://)
git clone git@github.com:organization/project.git
# Switch an existing repo from HTTPS to SSH
git remote set-url origin git@github.com:organization/project.git
# Verify the URL changed
git remote -vorigin git@github.com:organization/project.git (fetch) origin git@github.com:organization/project.git (push)
Managing Multiple GitHub Accounts
Many developers have personal and work GitHub accounts. SSH config makes this manageable:
# ~/.ssh/config
# Personal GitHub account
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519_personal
# Work GitHub account
Host github-work
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519_workNow use the custom host alias when cloning work repos:
# Personal (uses default github.com host)
git clone git@github.com:janedoe/personal-project.git
# Work (uses github-work alias → different key)
git clone git@github-work:company/work-project.gitTroubleshooting Common Issues
Permission Denied (publickey)
# Verbose mode reveals what is happening
ssh -vT git@github.com
# Check which keys are loaded
ssh-add -l# If empty: The agent has no identities. # Solution: ssh-add ~/.ssh/id_ed25519
Wrong Key Being Used
# List loaded keys
ssh-add -l
# Remove all and add the correct one
ssh-add -D
ssh-add ~/.ssh/id_ed25519File Permission Issues
SSH is strict about file permissions. If permissions are too open, it refuses to use the key:
# Fix permissions (required on Linux/macOS)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 # Private key: owner read/write only
chmod 644 ~/.ssh/id_ed25519.pub # Public key: readable by others is fine
chmod 600 ~/.ssh/config # Config: owner onlyCommon Mistakes
Mistake 1: Sharing your private key or committing it to a repository. The private key must never leave your machine. Only the .pub file is shared.
Mistake 2: Generating keys without a passphrase. If someone gains access to your machine, an unprotected key gives them immediate access to all your repositories. Always use a passphrase.
Mistake 3: Using the same SSH key across personal and work accounts. GitHub does not allow the same public key on multiple accounts. Generate separate keys for each.
Mistake 4: Not adding the SSH key to the agent. Without the agent, you will be prompted for your passphrase on every Git operation.
Interview Questions
Q1: Why use SSH keys instead of HTTPS with tokens?
SSH keys are more convenient (no token management or expiration concerns), more secure (private key never transmitted over network), and persistent. Once configured, authentication is automatic. HTTPS tokens must be stored somewhere and rotated periodically.
Q2: What is the difference between Ed25519 and RSA keys?
Ed25519 is a modern elliptic curve algorithm that produces smaller keys, is faster to verify, and is considered equally or more secure than RSA-4096. RSA is the older standard still supported everywhere. Ed25519 is recommended for new key generation.
Q3: What should you do if your private key is compromised?
Immediately remove the corresponding public key from GitHub, generate a new key pair, add the new public key to your account, and audit your repositories for any unauthorized access that occurred while the key was exposed.
Q4: How do you manage multiple GitHub accounts with SSH?
Create separate key pairs for each account and use the ~/.ssh/config file with different Host aliases pointing to the same HostName but different IdentityFiles. Clone work repos using the custom alias.
Q5: Why should SSH keys have a passphrase?
A passphrase encrypts the private key file on disk. Without it, anyone who gains file access to your machine can immediately use your SSH key. With a passphrase, the key is useless without knowledge of the passphrase. Use ssh-agent to avoid retyping it.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for SSH Keys - Secure Git Authentication Without Passwords.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Git & GitHub topic.
Search Terms
git-github, git & github, git, github, security, ssh, keys, ssh keys - secure git authentication without passwords
Related Git & GitHub Topics