Guides

Git over SSH

Connect to brintOS repositories with SSH keys instead of tokens — clone, fetch, and push with git@git.brintos.io:owner/repo.git remotes. Your private key never leaves your computer.

1. Check for existing keys

You may already have a key pair. List the public keys on your machine:

ls ~/.ssh/*.pub

If you see a file such as id_ed25519.pub or id_rsa.pub you can reuse it — skip ahead to adding the key to your account.

2. Generate a new key

We recommend an Ed25519 key — small, fast, and supported everywhere modern. The comment (-C) is just a label to help you recognize the key later:

ssh-keygen -t ed25519 -C "you@example.com"

On older systems without Ed25519 support, use RSA with at least 2048 bits (we suggest 4096):

ssh-keygen -t rsa -b 4096 -C "you@example.com"

Accept the default file location, and choose a passphrase when prompted — it protects the key if your computer is ever compromised. To avoid retyping it on every push, add the key to your SSH agent:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
This creates two files: a private key (id_ed25519) that must never be shared, and a public key (id_ed25519.pub) that you give to brintOS.

3. Add the public key to your account

Copy the public key — the file ending in .pub:

# macOS
pbcopy < ~/.ssh/id_ed25519.pub

# Linux (or just cat and copy manually)
cat ~/.ssh/id_ed25519.pub

# Windows (PowerShell)
Get-Content ~/.ssh/id_ed25519.pub | Set-Clipboard

Then open Settings → SSH keys, paste the key, give it a title (e.g. “Work laptop”), and save. Supported key types: ssh-ed25519, ssh-rsa (≥ 2048 bits), ecdsa-sha2-*, and sk- security-key variants. A key can only be attached to one account.

4. Test the connection

ssh -T git@git.brintos.io

On success you'll see a greeting like:

Hi your-username! You've successfully authenticated, but brintOS does not provide shell access.

The first connection asks you to verify the server's host key. Its fingerprint should be one of:

TypeSHA256 fingerprint
Ed25519SHA256:NR1l/IuFAL8RVXQIKTRi4PBfYXI5XsZf6Cs/wk7xTVw
RSASHA256:3r7uLliH7ybOZfjfpa8HtrAq0VJuBNe0+YNCBkjNOQ4

5. Clone and push

git clone git@git.brintos.io:owner/repo.git

To switch an existing checkout from HTTPS to SSH:

git remote set-url origin git@git.brintos.io:owner/repo.git

Every repository page also offers the SSH URL — open the Checkout dropdown and pick the SSH tab.

Troubleshooting

  • Permission denied (publickey) — the server didn't recognize any key you offered. Make sure the key is added to your account and loaded in your agent (ssh-add -l), and that you're connecting as the user git (not your username).
  • ERROR: Repository not found. — the repository doesn't exist or your key's account has no access to it. Check the owner/repo spelling and which key is being offered (ssh -v shows the candidates).
  • ERROR: Permission to … denied — you can read the repository but not push to it.
  • Git LFS works over SSH remotes too: git-lfs-authenticate exchanges your SSH identity for a short-lived LFS token, and the object bytes themselves transfer over HTTPS.
SSH access is for git data only. Connections can run git-upload-pack, git-receive-pack, and git-lfs-authenticate (which only mints an LFS token) — there is no shell, port forwarding, or file transfer.