How does github SSH works?

Question

I am curious about cloning projects using git. In order to clone a project we are calling:

git clone git@github.com:MY_GIT_USERNAME/PROJECT.git

So what we are doing here, is we are accessing github.com, as a user git. I suppose that when there is a MY_GIT_USERNAME/PROJECT is some kind of directory which has some accesses and keys added, which are then validated to the real github server with the repositories, so the one that we are accessing via git clone is some kind of proxy one, used only for authenticating and authorizing requests, am I right?

Is github using some kind of tool to store all of the ssh keys? Is there any kind of tool like this?

Also if git clone doesnt work as this one, how does it work? How does which is similar to the typical ssh command works?

Answer 1

I also had some questions about how it worked, so I decided to complement the answers given earlier.

When we connect via SSH, the SSH server validates our credentials and then executes the command that is in the authorized_keys file. This file is located in the user's home directory, in the .ssh directory.

For example, in GitLab, the home directory for the git user is /var/opt/gitlab. In this directory, we have the .ssh/authorized_keys file. This file contains the mapped keys along with the shell command that will be executed and received. With this, Git can correctly validate the authentication and access to the repository.

When we add a key in the interface, it likely updates this file.

Answer 2

Git uses SSH to establish a secure connection through which it can execute commands. You're passing it in your ssh username, git, and the host to connect to, github.com. So far this is normal SSH.

You also pass it the path to look for your Git repository, MY_GIT_USERNAME/PROJECT.git. With normal Git this would be a literal path.

To avoid having to make an ssh user for every Github user, Github is ignoring the git user and identifying you using the private ssh key(s) linked to your account. This is not an uncommon way to do ssh authentication.

A simple implementation would store all the repositories on a filesystem like /git/MY_GIT_USERNAME/PROJECT.git/, but Github has long, long, long scaled past simple solutions like that.

I don't know how Github works internally, but they are definitely sharing objects across multiple repositories. For example, if multiple repositories commit the same content, it's very likely it will only be stored once. Similarly, forking a repository on Github probably does not actually copy the whole repository, but instead has a shared repository. Since Git repositories are already based on checkums, this is relatively easy; though at Github's scale I'm sure it isn't.

To understand more, read up on the Git Internals. Particularly Git Objects and Transfer Protocols.

Answer 3

This is just general SSH authentication. In general, URLs contain information about the transport protocol, the address of the remote server, and the path to the repository. The SSH key in which you will give the id_rsa.pub(.pub file is your public key) to Github. Then, when you connect to Github you have the private key id_rsa in your ~/.ssh folder which is then used to validate your information with Github. You put the lock (public key) on whatever servers you want easy access to,and you keep the (private) key on your machine, and use it to log into those servers; they see you have a key fitting the lock, and let you in.