How to Connect EZGIT to GitHub Enterprise for SSH Certificate Authentication

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan
  3. Sign Up for GitHub Enterprise

Introduction

EZSSH helps you protect your code hosted in GitHub by removing non-expiring SSH keys from the equation. Instead, it uses your secure corporate identity to authenticate engineers and issues a short-term SSH certificate that can be used to authenticate with GitHub.

Setting up GitHub

  1. Go to the EZSSH Portal https://portal.ezssh.io
  2. Click on Settings
  3. In the settings page, make sure that GitHub Certificates are enabled for your subscription.
  4. Enter the length in hours that you want your developers' certificates to last (this is how often the engineer has to get a new certificate). Note: At Keytos we have it set to 8 hours so our engineers only request access once a day.
  5. Copy the CA Key and save it somewhere or leave this tab open. You will need it when setting up your GitHub Enterprise security.
  6. Now we need to add the SSH CA Certificate to GitHub. Go to https://github.com
  7. Click on your profile picture on the right.
  8. Click on the settings button of your organization.
  9. Click on Organization Security.
  10. Scroll down to “SSH Certificate Authorities” and click on the “New CA” button.
  11. Enter the key we copied in step 5 and click save.
  12. You should now have a CA listed in your SSH Certificate Authorities.
  13. Click the Require SSH Certificates checkbox to only allow git operations with SSH Certificates (Recommended).
  14. Click the “Save” button.

    EZGIT will assume that the username in the identity provider matches the user’s GitHub username. If user names are different, they will have to be mapped using the SAML mapping below.

  15. You are ready to start using EZSSH for GitHub
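To audit what an issued short-lived certificate actually carries, the following added example (not EZSSH or GitHub code) parses an OpenSSH user certificate and checks its lifetime, validity window and the `login@github.com` extension that GitHub reads the username from. The function names are hypothetical, the sample certificate and the username `octocat` are constructed with dummy key and signature bytes, and the 8-hour limit mirrors the example in step 4.

```python
import base64, struct, time

# Count of length-prefixed public-key fields per cert type (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2,
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}

def _string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)        # uint32 length prefix
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(b):
    return struct.pack(">I", len(b)) + b

def parse_cert(line):  # '<type> <base64> [comment]'; the CA signature is NOT verified here
    blob = base64.b64decode(line.split()[1])
    ctype, off = _string(blob, 0)
    for _ in range(1 + KEY_FIELDS[ctype.decode()]):  # nonce, then public key fields
        _, off = _string(blob, off)
    _serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    _, off = _string(blob, off)                      # principals
    after, before = struct.unpack_from(">QQ", blob, off)
    _, off = _string(blob, off + 16)                 # critical options
    ext_blob, _ = _string(blob, off)
    exts, p = {}, 0
    while p < len(ext_blob):                         # name/data pairs; data wraps a string
        name, p = _string(ext_blob, p)
        data, p = _string(ext_blob, p)
        exts[name.decode()] = _string(data, 0)[0].decode() if data else ""
    return dict(kind=kind, key_id=key_id.decode(), valid_after=after, valid_before=before, extensions=exts)

def policy_violations(cert, max_hours=8, now=None):  # 8 h is an assumption taken from step 4
    now = time.time() if now is None else now
    checks = [(cert["kind"] == 1, "not a user certificate"),
              (cert["valid_before"] - cert["valid_after"] <= max_hours * 3600, "lifetime too long"),
              (cert["valid_after"] <= now < cert["valid_before"], "outside validity window"),
              (bool(cert["extensions"].get("login@github.com")), "no login@github.com extension")]
    return [msg for ok, msg in checks if not ok]

def sample_cert(login, start, hours):  # constructed sample: dummy key/signature, no real CA
    t = b"ssh-ed25519-cert-v01@openssh.com"
    ext = _pack(b"login@github.com") + _pack(_pack(login.encode()))
    body = (_pack(t) + _pack(b"\0" * 32) + _pack(b"\1" * 32) + struct.pack(">QI", 1, 1)
            + _pack(b"constructed-key-id") + _pack(_pack(login.encode()))
            + struct.pack(">QQ", start, start + hours * 3600) + _pack(b"") + _pack(ext)
            + _pack(b"") + _pack(b"dummy-ca-key") + _pack(b"dummy-signature"))
    return t.decode() + " " + base64.b64encode(body).decode()
```

Pass the contents of an issued `*-cert.pub` file to `parse_cert`; `ssh-keygen -L -f <file>` prints the same fields for a manual cross-check.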

Setting Up SAML Mapping for GitHub SSH Certificate Authentication

When using GitHub Enterprise, you might let your engineers use their personal GitHub identity by linking it to your organization and their SAML identity. To give EZSSH access to that mapping information, the following steps are needed:

1) Create GitHub Access Token

  1. First we have to create a GitHub access token. To get started, go to https://github.com and log in with an account that is an owner of the organization.
  2. On the top right, click on your profile picture and then click on settings.
  3. Then click on Developer Settings.
  4. Click on the “Personal access tokens (Classic)” section.
  5. Click the “Generate new token” button.
  6. Enter a name for the token, for example “EZSSH User Mapping”.
  7. Select the following scopes:
    1. read:org
    2. read:user
    3. user:email
  8. Click the “Generate token” button.
  9. Copy your token (you will need it for part two).

Enabling the token for SSO

If your organization uses SSO, you will have to grant SSO access to your token.

  1. Click the “Enable SSO” button.
  2. Authenticate with your SSO Identity.

2) Add Mapping Information to EZSSH

  1. Once you have created your GitHub token, go to the EZSSH Portal, log in with an account that owns the subscription that generates the GitHub certificates, and go to settings.
  2. Find the correct subscription in the settings page and expand the Advance Settings Tab.
  3. Enable the “Map SAML Users to GitHub Users” option.
  4. Enter your organization's URL https://github.com/"ORGANIZATIONNAME"
  5. Enter the GitHub Token generated in the previous section.
  6. Click Test Connection.
  7. If the connection is successful, click the “Save Changes” button.
  8. Your users will now be mapped at least once a day.