Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save gubatron/d96594d982c5043be6d4 to your computer and use it in GitHub Desktop.
Save gubatron/d96594d982c5043be6d4 to your computer and use it in GitHub Desktop.
How to configure multiple deploy keys for different private github repositories on the same computer without using ssh-agent

How to configure multiple deploy keys for different private github repositories on the same computer without using ssh-agent

Let's say alice is a github.com user, with 2 or more private repositories repoN. For this example we'll work with just two repositories named repo1 and repo2

https://github.com/alice/repo1

https://github.com/alice/repo2

You need to be to pull from these repositories without entering a passwords probably on a server, or on multiple servers. You want to perform git pull origin master for example, and you want this to happen without asking for a password.

You don't like dealing with ssh-agent, you have discovered (or you're discovering now) about ~/.ssh/config a file that let's your ssh client know what private key to use depending on Hostname and username, with a simple configuration entry that looks like this:

Host github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/alice_github.id_rsa
  IdentitiesOnly yes

So you went ahead and created your (alice_github.id_rsa, alice_github.id_rsa.pub) keypair, you then also went to your repository's .git/config file and you modified the url of your remote origin to be something like this:

[remote "origin"]
        url = "ssh://git@github.com:alice/repo1.git"

And finally you went to the repository Settings > Deploy keys section and added the contents of alice_github.id_rsa.pub

At this point you could do your git pull origin master without entering a password without issue.

but what about the second repository?

So your instinct will be to grab that key and add it to repo2's Deploy keys, but github.com will error out and tell you that the key is already being used.

Now you go and generate another key (using ssh-keygen -t rsa -C "alice@alice.com" without passwords of course), and so that this doesn't become a mess, you will now name your keys like this:

  • repo1 keypair: (repo1.alice_github.id_rsa, repo1.alice_github.id_rsa.pub)
  • repo2 keypair: (repo2.alice_github.id_rsa, repo2.alice_github.id_rsa.pub)

You will now put the new public key on repo2's Deploy keys configuration at github.com, but now you have an ssh problem to deal with.

How can ssh tell which key to use if the repositories are hosted on the same github.com domain?

Your .ssh/config file points to github.com and it doesn't know which key to use when it's time to do the pull.

So I found a trick with github.com. You can tell your ssh client that each repository lives in a different github.com subdomain, in these cases, they will be repo1.github.com and repo2.github.com

So first thing is editing the .git/config files on your repo clones, so they look like this instead:

For repo1

[remote "origin"]
        url = "ssh://git@repo1.github.com:alice/repo1.git"

For repo2

[remote "origin"]
        url = "ssh://git@repo2.github.com:alice/repo2.git"

And then, on your .ssh/config file, now you will be able to enter a configuration for each subdomain :)

Host repo1.github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/repo1.alice_github.id_rsa
  IdentitiesOnly yes

Host repo2.github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/repo2.alice_github.id_rsa
  IdentitiesOnly yes

Now you are able to git pull origin master without entering any passwords from both repositories.

If you have multiple machines, you could copy the keys to each of the machines and reuse them, but I'd advise doing the leg work to generate 1 key per machine and repo. You will have a lot more keys to handle, but you will be less vulnerable if one gets compromised.

@cristiancalara
Copy link

cristiancalara commented Feb 13, 2022

Hey guys

In the newer versions of git, there's a new configuration option - "core.sshCommand" https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand

As such, I think another approach (easier in my opinion) for handling the above would be to actually:

  1. Create a two new config files:
  • .ssh/config-alice-repo1
Host github.com
  IdentityFile /home/alice/.ssh/repo1.alice_github.id_rsa
  • .ssh/config-alice-repo2
Host github.com
 IdentityFile /home/alice/.ssh/repo2.alice_github.id_rsa
  1. When cloning the repo, set the core.sshCommand like this:
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo1" clone ssh://git@github.com:alice/repo1.git
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo2" clone ssh://git@github.com:alice/repo2.git

And that's it. Now, every time you'll do any git action, the proper ssh key / deploy key will be used.

If you already have a repo setup, you can modify the config using something like git config core.sshCommand "ssh -F /home/forge/.ssh/config-alice-repo1" (while in the repo1 folder).

@gubatron
Copy link
Author

Thank you for that update @cristiancalara

@alingse
Copy link

alingse commented Mar 1, 2022

hello everyone, I make a simple command tool to auto manage this, see https://github.com/alingse/git-ssh-key .
the command git-ssh-key your-repo-link will print the new rewrite alias repo link, auto will write to your ssh config
after add public key to your [private] repo, you can clone with the alias link

install

pip install git-ssh-key

example

$ git-ssh-key https://github.com/alingse/git-ssh-key.git
New repo address: git@github.com-f5851eb:alingse/git-ssh-key.git
New repo public rsa key: /Users/alingse/.ssh/github.com-f5851eb.id_rsa.pub


$ git clone git@github.com-f5851eb:alingse/git-ssh-key.git

( I haven't try it in Windows, but in Linux and Mac it works fine.

@hazardland
Copy link

hazardland commented Mar 28, 2022

hello everyone, I make a simple command tool to auto manage this, see https://github.com/alingse/git-ssh-key . the command git-ssh-key your-repo-link will print the new rewrite alias repo link, auto will write to your ssh config after add public key to your [private] repo, you can clone with the alias link

install

pip install git-ssh-key

example

$ git-ssh-key https://github.com/alingse/git-ssh-key.git
New repo address: git@github.com-f5851eb:alingse/git-ssh-key.git
New repo public rsa key: /Users/alingse/.ssh/github.com-f5851eb.id_rsa.pub


$ git clone git@github.com-f5851eb:alingse/git-ssh-key.git

( I haven't try it in Windows, but in Linux and Mac it works fine.

It worked, I was kind of sleepy and under deadline so I checked your code and risked to use it : D Hope build does not contain any backdoor

But on config file git clone says:

Bad owner or permissions on /home/ec2-user/.ssh/config

So to make it work it needs a quick fix:

chmod go-w ~/.ssh/config

Anyways thanks

@alingse
Copy link

alingse commented Mar 29, 2022

@hazardland aha, There is no backdoor, you can check the code in github (https://github.com/alingse/git-ssh-key and https://github.com/sorend/sshconf )
git-ssh-key only use https://github.com/sorend/sshconf to manage ssh config

So your git clone error message Bad owner or permissions is only because , /home/ec2-user/.ssh/config is not allow read

You can see some solution here
https://serverfault.com/questions/253313/ssh-returns-bad-owner-or-permissions-on-ssh-config
https://superuser.com/questions/348694/bad-owner-or-permissions-error-using-cygwins-ssh-exe

@hazardland
Copy link

@hazardland aha, There is no backdoor, you can check the code in github (https://github.com/alingse/git-ssh-key and https://github.com/sorend/sshconf ) git-ssh-key only use https://github.com/sorend/sshconf to manage ssh config

So your git clone error message Bad owner or permissions is only because , /home/ec2-user/.ssh/config is not allow read

You can see some solution here https://serverfault.com/questions/253313/ssh-returns-bad-owner-or-permissions-on-ssh-config https://superuser.com/questions/348694/bad-owner-or-permissions-error-using-cygwins-ssh-exe

Sorry I edited my answer, actually this command helped that day on EC-2 instance:

chmod go-w ~/.ssh/config

@kodekracker
Copy link

@emrahaydemir
Copy link

Hey guys

In the newer versions of git, there's a new configuration option - "core.sshCommand" https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand

As such, I think another approach (easier in my opinion) for handling the above would be to actually:

  1. Create a two new config files:
  • .ssh/config-alice-repo1
Host github.com
  IdentityFile /home/alice/.ssh/repo1.alice_github.id_rsa
  • .ssh/config-alice-repo2
Host github.com
 IdentityFile /home/alice/.ssh/repo2.alice_github.id_rsa
  1. When cloning the repo, set the core.sshCommand like this:
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo1" clone ssh://git@github.com:alice/repo1.git
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo2" clone ssh://git@github.com:alice/repo2.git

And that's it. Now, every time you'll do any git action, the proper ssh key / deploy key will be used.

If you already have a repo setup, you can modify the config using something like git config core.sshCommand "ssh -F /home/forge/.ssh/config-alice-repo1" (while in the repo1 folder).

I've been struggling with this problem for about 7 hours. this solution worked mysteriously and was very easy to implement. You didn't specify the part about generating new ssh keys. But it was easy to spot. Thank you very much...

@gubatron
Copy link
Author

gubatron commented Aug 5, 2022

@emrahaydemir that's really cool

@warrenkeil
Copy link

Hey guys

In the newer versions of git, there's a new configuration option - "core.sshCommand" https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand

As such, I think another approach (easier in my opinion) for handling the above would be to actually:

  1. Create a two new config files:
  • .ssh/config-alice-repo1
Host github.com
  IdentityFile /home/alice/.ssh/repo1.alice_github.id_rsa
  • .ssh/config-alice-repo2
Host github.com
 IdentityFile /home/alice/.ssh/repo2.alice_github.id_rsa
  1. When cloning the repo, set the core.sshCommand like this:
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo1" clone ssh://git@github.com:alice/repo1.git
  • git -c core.sshCommand="ssh -F /home/ubuntu/.ssh/config-alice-repo2" clone ssh://git@github.com:alice/repo2.git

And that's it. Now, every time you'll do any git action, the proper ssh key / deploy key will be used.

If you already have a repo setup, you can modify the config using something like git config core.sshCommand "ssh -F /home/forge/.ssh/config-alice-repo1" (while in the repo1 folder).

Thanks! This worked for me

@la4gia
Copy link

la4gia commented Apr 17, 2023

After creating and adding your deploy keys, you can update your .ssh/config file like so:

Host github.com-repo00
  Hostname github.com
  Identityfile=~/.ssh/repo00-key

Host github.com-repo01
  Hostname github.com
  Identityfile=~/.ssh/repo01-key

You can then clone with:
git clone git@github.com-repo00:username/repo00.git
git clone git@github.com-repo01:username/repo01.git

@AndreiCherniaev
Copy link

Thanks. The same example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment