How to manage deploy user SSH keys for multiple developers and tools
Our article How to SSH to your deploy user describes how to connect using the default SSH keys that we provide for the
deploy user on each of your instances.
If additional developers/users will be connecting to the system, or if you will be deploying using automated tooling such as Continuous Deployment, we recommend that each of them connect using their own SSH keys. This article describes how to set that up.
Note: If you are connecting a Continuous Deployment (CD) tool to the deploy account, then substitute the public key for the CI tool instead of the "additional developer"'s public key.
Get the SSH public key from each of your additional developers
For each of your developers that needs access to the
deploy user, have them provide you with a copy of their public SSH key.
They can use an existing public SSH key or create a new one. They will commonly have an existing one on their development system under the path
~/.ssh/id_rsa.pub. GitHub has a good set of documents that describe how to find a developer's public SSH key. The developers can also generate a new SSH key if they want to, for example by following GitHub's documentation.
Note: The additional developer should provide you with only their public key, not their private key.
Add an additional developer's public SSH key to the deploy user
Now that you have an additional SSH public key, you will add it to one or more deploy accounts. You will do this once for each deploy account on each server that you want the additional developer to have access to. There are a variety of ways to do this, this is a simple way to manually copy it in:
- SSH to the server /
deployaccount that you want to add the additional developer to.
- Copy the new SSH public key into the authorized_keys file:
cat >> ~/.ssh/authorized_keys
- Paste the additional SSH public key
Any number of additional public SSH keys can be added to the authorized_keys file to enable any number of additional developers. All of those keys are permitted to connect as the
Note: Don't erase the default deploy SSH key or you may lose SSH access.
Now test in a new terminal window that you can still connect using the default deploy key, and then ask the developer to test that they can connect. They will connect using the username
deploy but will authenticate using their additional key rather than the default key.
Remove an additional developer's public SSH key
If you need to remove the ability for an additional developer to connect to a deploy account, edit the file
~/.ssh/authorized_keys and remove the line that contains their public SSH key. Once you save the file, they will no longer be able to connect. Note that if they are already connected, they will not be automatically disconnected.