Why Does GitHub only need my public key in order to push?
I recently set up a project on cloud9 (c9.io). When you set up a project on cloud9, there is a .ssh directory with both public keys and private keys. I assume these are generated when you set up your account.
After creating a git repository, I set the origin to an empty repository on GitHub and attempted to push it upstream. As expected I didn’t have the permissions.
- SSH the authenticity of can't be established
- How to work with multiple ssh keys
- New pair of ssh keys cannot connet to gitlab
- Multiple github accounts: what values for Host in .ssh/config?
- SSH Key asks for password
- Why does git sign with GPG keys rather than using SSH keys?
I copied the contents of my public key and added it to GitHub. At that point I was able to push to GitHub.
I’m curious as to why GitHub only needs the public key. What happens behind the scenes when I attempted to push? What is the role of the private key?
4 Solutions collect form web for “Why Does GitHub only need my public key in order to push?”
A private key, as its name indicates, is private. It’s yours and yours only. You should never give a private key to anyone.
Your private key allows you to sign a message. You then send the message with its signature, and anyone having your public key can verify that the signature matches with the message. That’s the principle of public key cryptography. So Github only needs your public key to check that you’re the one you claim to be.
SSH public-key authentication is challenge-response.
Your public and private keys are mathematically related, but computing the private key from the public key is in theory impossible. The key values are chosen such that only someone who possesses the private key can decrypt a message that has been encrypted using the associated public key.
Continuing with the simplified explanation, the authentication sequence goes along the lines of
ek_ny: Hi, I’m ek_ny, and my public key is
c9.io: Oh yeah? Well, if you really are ek_ny, then you know what I mean when I send you [encrypts secret message “The magic words are squeamish ossifrage”]
ek_ny: As a matter of fact, you sent me [decrypts] “The magic words are squeamish ossifrage.”
c9.io: ek_ny, my old buddy! Good to see ya! C’mon in!
With SSH, both users and hosts have keys. This is why SSH asks you to confirm the host’s key the first time you connect. The intent is to detect man-in-the-middle attacks. The entire conversation is encrypted, thanks to Diffie-Hellman that bootstraps the process.
At no point did you actually exchange sensitive information. This is the idea of challenge-response. Say you have a physical key that you claim unlocks a door. To demonstrate this for me, you could give me the key, but I might not give it back. Maybe you don’t even want me to see what is behind the door. Sufficient to prove your claim is being able to crack the door open only slightly, and you never lose possession of your key to do so.
See also: How is using a public-key for logging in to SSH any better than using a password? on Unix & Linux SE.
The general idea in a public key system such as the one ssh uses is that the public key is used to check a digital signature to authenticate that you are who you claim to be. The private key is used to create the signature.
When you try to authenticate against github, it doesn’t need your private key. It only needs your public key to check that you are who you claim to be. There’s more information on wikipedia.
Essentially, you only need to give github the public key as you use the private key to “sign” data and the public key to validate that it’s actually you. So that why github need the public key.It’s asymmetric cryptography.