Using Multiple SSH Public Keys

If you have an active ssh-agent that has your id_rsa key loaded, then the problem is likely that ssh is offering that key first. Unfuddle probably accepts it for authentication (e.g. in sshd) but rejects it for authorization to access the company repositories (e.g. in whatever internal software they use for authorization, possibly something akin to Gitolite). Perhaps there is a way to add your personal key to the company account (multiple people are not sharing the same corp_rsa public and private key files, are they?).


The IdentitiesOnly .ssh/config configuration keyword can be used to limit the keys that ssh offers to the remote sshd to just those specified via IdentityFile keywords (i.e. it will refuse to use any additional keys that happen to be loaded into an active ssh-agent).

Try these .ssh/config sections:

Host {personalaccount}.unfuddle.com
     IdentityFile ~/.ssh/id_rsa
     IdentitiesOnly yes

Host {companyaccount}.unfuddle.com
     IdentityFile ~/.ssh/{companyaccount}_rsa
     IdentitiesOnly yes

Then, use Git URLs like these:

git@{personalaccount}.unfuddle.com:{personalaccount}/my-stuff.git
git@{companyaccount}.unfuddle.com:{companyaccount}/their-stuff.git

If you want to take full advantage of the .ssh/config mechanism, you can supply your own custom hostname and change the default user name:

Host uf-mine
     HostName {personalaccount}.unfuddle.com
     User git
     IdentityFile ~/.ssh/id_rsa
     IdentitiesOnly yes

Host uf-comp
     HostName {companyaccount}.unfuddle.com
     User git
     IdentityFile ~/.ssh/{companyaccount}_rsa
     IdentitiesOnly yes

Then, use Git URLs like these:

uf-mine:{personalaccount}/my-stuff.git
uf-comp:{companyaccount}/their-stuff.git
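
A way to check that every host entry really pins its key, as an added example that is not part of the original answer: this Python sketch resolves IdentityFile and IdentitiesOnly for a host alias the way ssh_config applies Host blocks (first value wins, IdentityFile accumulates) and lists hosts that name a key file but would still offer agent keys. The sample config and its host names are constructed, and Match blocks are assumed to be skipped rather than evaluated.

```python
import fnmatch
import re
import shlex

# Constructed sample: uf-mine pins its key, uf-comp omits IdentitiesOnly.
SAMPLE_CONFIG = """\
Host uf-mine
     HostName personal.example
     IdentityFile ~/.ssh/id_rsa
     IdentitiesOnly yes

Host uf-comp
     HostName company.example
     IdentityFile=~/.ssh/company_rsa
"""

def host_matches(patterns, host):
    """Host line semantics: a negated match vetoes, else any positive match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective(config_text, host):
    """IdentityFile values accumulate; IdentitiesOnly keeps the first value seen."""
    result = {"identityfile": [], "identitiesonly": None}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        # Keywords are case-insensitive; "Key value" and "Key=value" are both legal.
        m = re.match(r"\s*([A-Za-z0-9]+)\s*=?\s*(.*)", raw)
        if not m:
            continue  # blank line or comment
        key, args = m.group(1).lower(), shlex.split(m.group(2))
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped, not evaluated
        elif active and key == "identityfile":
            result["identityfile"] += args
        elif active and key == "identitiesonly" and args and result["identitiesonly"] is None:
            result["identitiesonly"] = args[0].lower()
    return result

def unpinned_hosts(config_text, hosts):
    """Hosts that name a key file but would still be offered agent keys too."""
    found = [(h, effective(config_text, h)) for h in hosts]
    return [h for h, e in found if e["identityfile"] and e["identitiesonly"] != "yes"]
```

Calling unpinned_hosts on the text of your own ~/.ssh/config with the aliases you use shows which entries still need IdentitiesOnly yes.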

IdentityFile and IdentitiesOnly work well. What bothers me is having to remember to use different host names to connect to, and the fact that the forwarded agent connection still holds all keys, meaning that if the remote host is compromised, they can use any of my identities while I'm in.

I've recently started using:

https://github.com/ccontavalli/ssh-ident

It's a wrapper around ssh. It:

  • keeps an entirely separate agent for each identity you define.
  • automatically shares agents across login sessions, nothing to do in your .bashrc.
  • loads the agent and the corresponding keys on demand the first time you need them.
  • determines which agent to use either based on ssh command line (hostname & such) or your current working directory. This is particularly handy as I tend to work from different paths depending on what I am doing.

man ssh_config

Something like

Host personal_repo
  User personal
  IdentityFile ~/.ssh/personal_rsa

Host company_repo
  User company
  IdentityFile ~/.ssh/company_rsa

And use personal_repo as host in your git repo.
