Always prefer accessing GitHub over SSH than HTTPS

Posted on by

This is to avoid accidentally cloning a repo as read-only when GitHub defaults to HTTPS links, and then having to edit the gitconfig later to get an SSH URL you can push to. Add these 2 lines to your global .gitconfig file in your home folder to override all github.com URLs from HTTPS to SSH:

[url "ssh://git@github.com/"]
     insteadOf = https://github.com/

Why though?

Note, this is not for all git remotes, only GitHub. I have a similar setting for the GitHub Enterprise instance we use at work. Generally though, for most remote servers I’m fine with whatever it gives me, which is usually HTTPS.

The difference becomes important if I ever want to contribute (i.e. push) to the cloned repo, as is mostly the case when cloning my own repos or work code. GitHub seems to remember which type of URL you picked last if you’re logged in, but by default, or if you’re logged out, you usually get an HTTPS URL which is kinda fine because you can actually clone that without authentication but it’s also read-only. Okay, not really read-only, you technically can push, it’ll give you a prompt asking you to paste your password (since last year this is now your auth token, whatever, extra security is good but it adds about 5 extra steps) and then what I don’t like so much is that this’ll be stored locally in plain text.

Apart from security, another thing the SSH URL is good for is if you’re using dependency management tools for programming languages like Go or PHP that fetch dependencies directly from GitHub. If you try to fetch too many at once you’ll get rate limited. Perhaps not when pulling down a repo or two for a hobby project but when everyone in the office runs composer install at the same time boom you’re gonna have to wait if you were pulling unauthenticated. Whereas if you were using the SSH URL, it knows who you are with no extra steps and you can clone and pull to your heart’s content.

Caveats

There are two caveats I’ve encountered so far, when you wouldn’t want to do this:

Firstly, if you’re on a strict network where outbound traffic on SSH port 22 is disallowed then you’re going to have to not use this, either removing this config and using HTTPS with basic auth or using a different network. In my case it was the work network and after explaining why we needed this, they opened port 22 for us.

Secondly, if you’re on a new computer and you haven’t set up your SSH keys there yet and you want to either clone something and not necessarily write to it, you’ll prefer to just use the HTTPS URL because it doesn’t require authentication. For example, in my vimrc repo, the plugins I use are listed as git submodules with HTTPS URLS so that I can clone this in a new environment without any additional setup required. It’s fine if they stay like this too because I don’t often contribute back to the plugin code, I’m usually just a user, but if I do contribute back it’s in a separate repo, outside of my .vim folder.

So, if it’s your daily work machine and there’s no harsh network restrictions, you’re really better off just using SSH every time, and if you don’t want to have to bother paying attention which one you pick from the GitHub web UI, apply the config above and have it handled for you 😉