Enterprise bug fix hour for week of June 24, 2024 (#51409)
This commit is contained in:
Vanessa
@@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: About SSH certificate authorities
|
title: About SSH certificate authorities
|
||||||
intro: 'With an SSH certificate authority, your organization or enterprise account can provide SSH certificates that members can use to access your resources with Git.'
|
intro: 'With an SSH certificate authority, your organization or enterprise account can provide SSH certificates that members and outside collaborators can use to access your resources with Git.'
|
||||||
redirect_from:
|
redirect_from:
|
||||||
- /articles/about-ssh-certificate-authorities
|
- /articles/about-ssh-certificate-authorities
|
||||||
- /github/setting-up-and-managing-organizations-and-teams/about-ssh-certificate-authorities
|
- /github/setting-up-and-managing-organizations-and-teams/about-ssh-certificate-authorities
|
||||||
@@ -15,35 +15,35 @@ shortTitle: SSH certificate authorities
|
|||||||
|
|
||||||
## About SSH certificate authorities
|
## About SSH certificate authorities
|
||||||
|
|
||||||
An SSH certificate is a mechanism for one SSH key to sign another SSH key. If you use an SSH certificate authority (CA) to provide your organization members with signed SSH certificates, you can add the CA to your enterprise account or organization to allow organization members to use their certificates to access organization resources.
|
An SSH certificate is a mechanism for one SSH key to sign another SSH key. If you use an SSH certificate authority (CA) to provide your organization members and outside collaborators with signed SSH certificates, you can add the CA to your enterprise account or organization to allow these organization contributors to use their certificates to access organization resources.
|
||||||
|
|
||||||
{% data reusables.organizations.ssh-ca-ghec-only %}
|
{% data reusables.organizations.ssh-ca-ghec-only %}
|
||||||
|
|
||||||
After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members. Organization members can use the signed certificates to access that organization's repositories.
|
After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members and outside collaborators. These organization contributors can use the signed certificates to access that organization's repositories.
|
||||||
|
|
||||||
Certificates added to your enterprise grant access to all organizations owned by your enterprise account. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
|
Certificates added to your enterprise grant access to all organizations owned by your enterprise account. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
|
||||||
|
|
||||||
{% data reusables.organizations.can-require-ssh-cert %}
|
{% data reusables.organizations.can-require-ssh-cert %}
|
||||||
|
|
||||||
Optionally, you can require that members use SSH certificates to access organization resources. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)" and "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
|
Optionally, you can require that members and outside collaborators use SSH certificates to access organization resources. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)" and "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
|
||||||
|
|
||||||
For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on {% data variables.product.product_name %}. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.
|
For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on {% data variables.product.product_name %}. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.
|
||||||
|
|
||||||
{% ifversion ghec %}
|
{% ifversion ghec %}
|
||||||
Organization members can use their signed certificates for authentication even if you've enforced SAML single sign-on (SSO), without the need to authorize the signed certificates.
|
Organization contributors can use their signed certificates for authentication even if you've enforced SAML single sign-on (SSO), without the need to authorize the signed certificates.
|
||||||
|
|
||||||
Unless you make SSH certificates a requirement, organization members can continue to use other means of authentication to access your organization's resources with Git, including their username and password, {% data variables.product.pat_generic %}s, and their own SSH keys.
|
Unless you make SSH certificates a requirement, organization members and outside collaborators can continue to use other means of authentication to access your organization's resources with Git, including their username and password, {% data variables.product.pat_generic %}s, and their own SSH keys.
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% data reusables.emus.ssh-ca-support-for-emu %}
|
{% data reusables.emus.ssh-ca-support-for-emu %}
|
||||||
|
|
||||||
## About SSH URLs with SSH certificates
|
## About SSH URLs with SSH certificates
|
||||||
|
|
||||||
If your organization requires SSH certificates, to prevent authentication errors, organization members should use a special URL that includes the organization ID when performing Git operations over SSH. This special URL allows the client and server to more easily negotiate which key on the member's computer should be used for authentication. If a member uses the normal URL, which starts with `git@github.com`, the SSH client might offer the wrong key, causing the operation to fail.
|
If your organization requires SSH certificates, to prevent authentication errors, organization members and outside collaborators should use a special URL that includes the organization ID when performing Git operations over SSH. This special URL allows the client and server to more easily negotiate which key on the member's computer should be used for authentication. If a member uses the normal URL, which starts with `git@github.com`, the SSH client might offer the wrong key, causing the operation to fail.
|
||||||
|
|
||||||
Anyone with read access to the repository can find this URL by selecting the **Code** dropdown menu on the main page of the repository, then clicking **Use SSH**.
|
Anyone with read access to the repository can find this URL by selecting the **Code** dropdown menu on the main page of the repository, then clicking **Use SSH**.
|
||||||
|
|
||||||
If your organization doesn't require SSH certificates, members can continue to use their own SSH keys, or other means of authentication. In that case, either the special URL or the normal URL, which starts with `git@github.com`, will work.
|
If your organization doesn't require SSH certificates, contributors can continue to use their own SSH keys, or other means of authentication. In that case, either the special URL or the normal URL, which starts with `git@github.com`, will work.
|
||||||
|
|
||||||
## Issuing certificates
|
## Issuing certificates
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user