Mix.install doesn't honour `GIT_SSH_COMMAND`

When I use Mix.install with a git dependency, using git@github.com:... how do I change the SSH identity used?

I’ve got two Github accounts – work and personal, and usually I’d specify GIT_SSH_COMMAND=ssh -i path/to/private_key -o IdentitiesOnly=yes.

This works fine when running, say, iex and Mix.install in my terminal. When I try the same in Livebook, I get the following error:

git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

I’ve tried editing .livebookdesktop.sh – and the env var is set properly according to System.get_env; didn’t work.

I’ve tried using system_env: %{"GIT_SSH_COMMAND" => "ssh -i ... in Mix.install; didn’t work.

How do I get Mix.install to use alternate SSH identities inside Livebook?

Why is using the https://... links not an option, by the way? You can just export the GITHUB_TOKEN env var and it should just work. At least it does for me locally in the OS, locally in a Docker container, and in GitHub’s workers (with the .insteadOf git setting on top).

I don’t want the extra step involved in managing a personal access token.

Is that adding more friction than providing the extra step of a private key and the command to use it? Your call, seems to me the token would be a touch easier.

I’ve already got the extra private key, so: yes.

Moreover, in order to apply the .insteadOf option, I need a configuration file. And, because I’m keeping my personal and work configurations separate, it’s a separate configuration file.

And, if I could persuade Mix.install to use a separate configuration file, I wouldn’t need the env var – because the configuration file already specifies core.sshCommand, but that doesn’t seem to do anything here either.

1 Like

We don’t do anything special here, so my only suspicion is that the environment variable is not making its way to git. You could try creating a simple git script, put it on top of your $PATH, and call env to inspect all of the environment variables. If the GIT_SSH_COMMAND you set at .livebookdesktop.sh is missing, that would explain it.

I did this. The GIT_SSH_COMMAND environment variable is present, but seems to be ignored by the real git command.

Ah! I wonder whether it’s because it can’t talk to the running ssh agent, so it can’t unlock the private key…?

Yes, probably this. System.get_env() includes "SSH_AUTH_SOCK" => "/private/tmp/com.apple.launchd.BlahBlah/Listeners".

This is not the SSH_AUTH_SOCK that my shell’s using – SSH_AUTH_SOCK=/var/folders/bunch/of/letters/and/numbers/agent.1234

I’ve got two ssh-agent processes running, and Livebook’s talking to the one that doesn’t have my keys loaded.

I wonder how to get oh-my-zsh to talk to the launchd-started one, instead of starting a new one…? That’s a problem for a different forum, however.

Thanks for the pointers.

Summary:

  • Mix.install uses the git command normally, so environment variables and configuration settings should just work.
  • If you’re using SSH, it will need access to your private keys. This requires access to a running ssh-agent with those keys.
  • If you’re managing your ssh-agent with a login script, etc., you’ve probably got more than one ssh-agent running.
  • On macOS (at least), Livebook will be talking to the launchd-started ssh-agent.
  • This one won’t have your keys.
  • Sad times.
3 Likes