2

I'm trying to run the following command:

ssh -vT git@github.com

I first realized it did not work (permission denied), because I didn't have a public key saved on my personal GitHub account. After saving my public key on my personal GitHub, the ssh command works. However, I noticed that this ssh involved the git user, and that GitHub requires using the git user even though it's using my public key to authenticate me.

https://help.github.com/articles/error-permission-denied-publickey/

All connections, including those for remote URLs, must be made as the "git" user. If you try to connect with your GitHub username, it will fail.

What's going on here? Am I logging in as git or as myself?

2 Answers

1

Short answer -- you are logging in (or accessing GitHub) as yourself.
Mild detail: you are accessing as the identity authenticated by the SSH key-pair you used.

To access GitHub over the web (browser) you use a username/password combination. Whereas, when accessing over SSH you have not used your password or, for that matter, your username. How is your identity authenticated then(?) you ask.

That is where the SSH key pair comes in. I am going to explain how the key-pair replaces username/password here without going into details of how it works (there is ample documentation on that).

To keep this answer simple, we can think of your SSH public-key as the username which will be authenticated with the matching SSH private-key that acts like the password. While the way SSH works is different from how username/password work, the outcome is similar (you are identified and authenticated by GitHub).

GitHub uses the generic git username to accomplish this SSH-based authentication.

You configured that public-key in your GitHub account after logging in with your username/password based access. This is an action restricted to that secured access. Only someone with that access could have set up the public-key.

The private-key matching that public key (your password in this discussion) is safely on the password-protected login from where you are firing the git clone command.

So, when you invoke git over SSH from your login, the SSH protocol works to let GitHub confirm that this access is being made by the owner of the public-key set up in your account there. Transitively, the owner of that GitHub account.

3
  • "Github uses the generic git username to accomplish this SSH based authentication." I understand myusername isn't necessary if the private/public key pair is used, but is git just a placeholder or is there still some tie to the underlying ssh protocol that requires passing in a username?
    – barrrista
    Commented Nov 17, 2017 at 1:09
  • 1
    @barrrista, git as a username is a placeholder for SSH based authentication. The actual username that GitHub will use is derived from the SSH key-pair used for this authentication. This is a generic scheme for SSH based authentications for many git services (see this Gitosis setup help to understand this better).
    – nik
    Commented Nov 17, 2017 at 6:34
  • The public key being your username, and a private key being your password is a really good "explain like I'm five" analogy. I'm going to steal that one :)
    – jmrah
    Commented Aug 5, 2020 at 12:02
3

As far as SSH is concerned, you're logging in as the git user. The sshd daemon of GitHub will log the local identifier of the public key that was used in authentication, but beyond that, you don't have any personal account at the operating system level on the GitHub servers.

The GitHub SSH service application itself is a different story. It sees the public key identifier reported by sshd, and uses that to get your GitHub user details from the database that is also used by the GitHub web interface. As a result, the service will grant you appropriate access to your GitHub account, and no more.

SSH deals with user accounts at the operating system level: it does not know about accounts set up within the context of specific applications.

Your GitHub account is similar to e.g. a MySQL database account: it exists in the context of that application (or database engine) only.
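
The split described in the answers above (one OS-level `git` account, with the application deciding who you are from the key) can be sketched with OpenSSH's forced-command mechanism, as Gitosis-style servers use it. This is an added example, not code from either answer and not GitHub's implementation; `git-dispatch`, the `ACCOUNTS` table, and the repository names are hypothetical.

```python
import shlex

# Constructed sample data (assumption: not GitHub's real schema or accounts).
ACCOUNTS = {
    "alice": {"read": {"alice/site.git", "bob/tools.git"}, "write": {"alice/site.git"}},
    "bob": {"read": {"bob/tools.git"}, "write": {"bob/tools.git"}},
}
# Git's server-side commands and the access level each one needs.
NEEDED = {"git-upload-pack": "read", "git-receive-pack": "write"}


def authorized_keys_line(app_user, public_key):
    """Entry for ~git/.ssh/authorized_keys that pins one key to one app account.

    sshd runs the forced command (hypothetical helper git-dispatch) instead of
    anything the client requests; 'restrict' turns off forwarding and PTYs.
    """
    if app_user not in ACCOUNTS:
        raise ValueError("unknown application account")
    return f'command="git-dispatch {app_user}",restrict {public_key}'


def dispatch(app_user, original_command):
    """Decision the forced command makes. sshd supplies the client's request
    in the SSH_ORIGINAL_COMMAND environment variable (a plain string here)."""
    if not original_command:
        # Plain `ssh -T git@host`: the key's owner is recognised, no shell given.
        return f"authenticated as {app_user}; no shell access"
    try:
        verb, repo = shlex.split(original_command)
    except ValueError:  # unbalanced quotes, or not exactly two words
        return "denied: malformed command"
    level = NEEDED.get(verb)
    if level is None:
        return "denied: not a git command"
    repo = repo.lstrip("/")
    if repo not in ACCOUNTS[app_user][level]:
        return f"denied: {app_user} has no {level} access"
    return f"run as OS user git: {verb} {repo}"


if __name__ == "__main__":
    print(authorized_keys_line("alice", "ssh-ed25519 AAAA...constructed alice@laptop"))
    print(dispatch("alice", "git-receive-pack 'bob/tools.git'"))
```

Every process here runs as the OS user `git`; the only place "alice" exists is the argument sshd hands to the dispatcher, which is why the SSH login name carries no per-person meaning.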
