Composer private repository using SSH

Question

I have a private repository I want to include inside my composer.json, which will place the private repository in the vendor folder. Using the code from https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#security with SSH security, you need to fill in some user specific parts (see below).

"repositories": [
    {
        "type": "vcs",
        "url": "ssh2.sftp://example.org",
        "options": {
            "ssh2": {
                "username": "composer",
                "pubkey_file": "/home/composer/.ssh/id_rsa.pub",
                "privkey_file": "/home/composer/.ssh/id_rsa"
            }
        }
    }
]

The problem is I'm working with other programmers and I don't want specific user content inside the composer.json. Is there a way to exclude the specific user content from the composer.json?

I actually want composer to ask for the programmers personal public and private key during the excecution inside the commandline.

Answer 1

Using Composer on the command line with SSH key authenticated repositories works out of the box if the keys are made available to the CLI SSH process via a key agent.

My personal setup is to run Putty on Windows together with Pageant for the key authentication. I configure the SSH session to allow key forwarding, and when logged into a Linux system, I can run Composer commands as well as Git commands without any need to do additional authentication. A different way would be to run a key agent on Linux directly with the key.

The central part is: If Git commands like push or pull do work with the repository, Composer will also work, without the need to authenticate.

Note that there are some more options of giving authentication data to Composer: https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#authentication