Skip to content

Instantly share code, notes, and snippets.

@oanhnn
Last active September 13, 2024 16:47
Show Gist options
  • Save oanhnn/80a89405ab9023894df7 to your computer and use it in GitHub Desktop.
Save oanhnn/80a89405ab9023894df7 to your computer and use it in GitHub Desktop.
Using multiple github accounts with ssh keys

Problem

I have two Github accounts: oanhnn (personal) and superman (for work). I want to use both accounts on same computer (without typing password everytime, when doing git push or pull).

Solution

Use ssh keys and define host aliases in ssh config file (each alias for an account).

How to?

  1. Generate ssh key pairs for accounts and add them to GitHub accounts.

  2. Edit/Create ssh config file (~/.ssh/config):

    # Default github account: oanhnn
    Host github.com
       HostName github.com
       IdentityFile ~/.ssh/oanhnn_private_key
       IdentitiesOnly yes
       
    # Other github account: superman
    Host github-superman
       HostName github.com
       IdentityFile ~/.ssh/superman_private_key
       IdentitiesOnly yes
    

    NOTE: If you use any account frequently, you should use the default hostname (github.com).

  3. Add ssh private keys to your agent:

    $ ssh-add ~/.ssh/oanhnn_private_key
    $ ssh-add ~/.ssh/superman_private_key
  4. Test your connection

    $ ssh-keyscan github.com >> ~/.ssh/known_hosts
    $ ssh -T git@github.com
    $ ssh -T git@github-superman

    If everything is OK, you will see these messages:

    Hi oanhnn! You've successfully authenticated, but GitHub does not provide shell access.
    Hi superman! You've successfully authenticated, but GitHub does not provide shell access.
  5. Now all are set, you need remeber

    git@github-superman:org/project.git => user is superman
    git@github.com:org/project.git.     => user is oanhnn
    
  • If you need clone a repository, just do:
$ git clone git@github-superman:org1/project1.git /path/to/project1
$ cd /path/to/project1
$ git config user.email "superman@example.com"
$ git config user.name  "Super Man"
  • If you already have the repo set up, after the ssh config instructions, you need change the URL of origin, just do:
$ cd /path/to/project2
$ git remote set-url origin git@github-superman:org2/project2.git
$ git config user.email "superman@example.com"
$ git config user.name  "Super Man"
  • If you are creating a new repository on local:
$ cd /path/to/project3
$ git init
$ git remote add origin git@github-superman:org3/project3.git
$ git config user.email "superman@example.com"
$ git config user.name  "Super Man"
$ git add .
$ git commit -m "Initial commit"
$ git push -u origin master

Done! Goodluck!

Addon:

The bash script that prompts for your git account. Thank @davorpa

#!/bin/bash

# silent prompt
read -p 'GIT profile: ' profile

# switch
case $profile in
  superman)
    git config user.email "superman@example.com"
    git config user.name "superman" 
    git config user.signingKey "superman_gpg_public_key"
    ;;
  oanhnn)
    git config user.email "oanhnn@example.com"
    git config user.name "oanhnn" 
    git config user.signingKey "oanhnn_gpg_public_key"
    ;;
  # default case: raise error
  *)
    >&2 echo "ERR: Unknown profile: $profile"
    exit 1
esac
@oanhnn
Copy link
Author

oanhnn commented Sep 6, 2023

@manzaloros
I see SSH was attempted with two keys

  • K1: /Users/<me>/.ssh/<my work account>_ssh_key <RSA key>
  • K2/Users/<me>/.ssh/<my personal account>private_key <ED key>

For some reason, both K1 and K2 match with host, but K1 was given priority over K2.
I'm not sure but it could be due to the key type and algorithms.
All algorithms involved in SSH connection, including the same process, select the host key type:

  • First the server and the client exchange lists of algorithms they support
  • Then one party (in this case the client) picks the one it prefers out of commonly supported algorithms.

You should:

  • Check all ssh_config files and included files ( include ~/.ssh/config.v1.1.67 is missing file)
  • Check all ssh_know_hosts for Github host and your alias host
  • Check HostKeyAlgorithms config

My debug

$ ssh -vT <my host alias>
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/<me>/.ssh/config
debug1: Reading configuration data /Users/<me>/.colima/ssh_config
debug1: /Users/<me>/.ssh/config line 167: Applying options for <my host alias>
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/<me>/.ssh/id_rsa type 0
debug1: identity file /Users/<me>/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version babeld-7e018303
debug1: compat_banner: no match: babeld-7e018303
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /Users/<me>/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /Users/<me>/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/<me>/.ssh/known_hosts:6
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 3 keys
debug1: Will attempt key: /Users/<me>/.ssh/id_rsa <RSA key> explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/<me>/.ssh/id_rsa <RSA key> explicit agent
debug1: Server accepts key: /Users/<me>/.ssh/id_rsa <RSA key> explicit agent
Authenticated to github.com ([xx.xx.xx.xx]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/<me>/.ssh/known_hosts for github.com / (none)
debug1: client_input_hostkeys: searching /Users/<me>/.ssh/known_hosts2 for github.com / (none)
debug1: client_input_hostkeys: hostkeys file /Users/<me>/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Sending environment.
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.4.20"
debug1: channel 0: setting env LC_CTYPE = "UTF-8"
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi <me>! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3532, received 3056 bytes, in 0.9 seconds
Bytes per second: sent 4068.4, received 3520.1
debug1: Exit status 1

@manzaloros
Copy link

manzaloros commented Sep 10, 2023

Thanks @oanhnn .

One note is that I didn't add an alias for my work account — just one for my personal account.

According to this discussion it looks like the search for the host is recursive and once SSH finds my hostname is github.com, it just defaults to my work settings.

Also worth noting that adding
sshCommand = ssh -i ~/.ssh/my-personal-key -F /dev/null to the repo's git config changes the error from

ERROR: Permission to <personal repo>.git denied to <my work account>.

to:

ssh: Could not resolve hostname <my personal alias>: nodename nor servname provided, or not known

@ploissken
Copy link

Finally something that works! Thank you so much!

@fons-digitect
Copy link

fons-digitect commented Sep 19, 2023

@oanhnn It is worth specifically mentioning that with step 4, the file should literally be called "config" without any extension. Otherwise testing the connection will fail, because your config file isn't recognized by ssh. Check out the green answer at: https://github.com/orgs/community/discussions/22589

For the rest this article helped, thanks!

@awais305
Copy link

awais305 commented Oct 21, 2023

Thanks. it's really helpful.
I have a question about the bash script. Could you please clarify where it's supposed to be added and then use it? I'm a bit confused about that part.

@oanhnn
Copy link
Author

oanhnn commented Oct 23, 2023

@fons-digitect
The file naming is very clear.
Everyone does exactly that.

@awais305
You can save the bash script anywhere and call it by /path/to/bash-script.sh.
You should save to /usr/local/bin/git-profile (or anywhere in $PATH) for calling shorter (only git-profile)

@iskode
Copy link

iskode commented Nov 6, 2023

Thank you so much... I've been unable to work collaboratively for 3 weeks !
Finally I can resume.

@shagha-macrometa
Copy link

Thank you for sharing this!! Such a simple and clever solution! Saved me the trouble of reading through git config docs!

@mihokpeter
Copy link

Hi there! Are any of you guys using this setup also using Fork as a git client or GUI for git? I am asking this, because I have some problems with fetching/pull/pushing my personal repo.

Here's my setup of .ssh/config file:

Work github account: peter.mihok-work

Host github.com
HostName github.com
IdentityFile ~/.ssh/id_work
IdentitiesOnly yes
UseKeychain yes
AddKeysToAgent yes
ControlMaster no

Personal github account: mihokpeter

Host github.com-mihokpeter
HostName github.com
IdentityFile ~/.ssh/id_mihokpeter
IdentitiesOnly yes
UseKeychain yes
AddKeysToAgent yes
ControlMaster no

What I don't understand is that even-thought my remote origin url is set either git@github.com:something/file.git or git@github.com-mihokpeter:mihokpeter/file.git. In my personal repo I also added git config user.email and git config user.name. While using Fork I can easily push/pull/etc.. on my work branch, but I can't do none of this on my personal one. However, I can do all of those in terminal in my personal branch. So, with that said I think my ssh must be setup correctly (as those git commands are working) + I can see correct names being printed out in terminal after running ssh -T git@github.com-mihokpeter and ssh -T git@github.com.

Any ideas what can be wrong? I am really struggling here and I would appreciate any help!

@oanhnn
Copy link
Author

oanhnn commented Dec 15, 2023

@mihokpeter
You should ensure that your repository's remote origin URL is

$ git remote -v
origin git@github.com-mihokpeter:mihokpeter/file.git (fetch)
origin git@github.com-mihokpeter:mihokpeter/file.git (push)

Please look at the 2nd dot of step 5 in this gist.

@y-he2
Copy link

y-he2 commented Dec 22, 2023

This is super! However I couldnt get the "ssh -T" verify step to work without adding:

Host git@...
        ...
	User git
	...

So something to be awared maybe.

@oanhnn
Copy link
Author

oanhnn commented Dec 22, 2023

@y-he2 Can you show debug log (ssh -T git@github-alias) in case Host github-alias?

@y-he2
Copy link

y-he2 commented Dec 22, 2023

@y-he2 Can you show debug log (ssh -T git@github-alias) in case Host github-alias?

Heres what I could dig up from log with ChatGPT:
(Without "User git") It seems with "ssh -v HostName" even the SHA is matching, but it just give:
...
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
my_os_username @ github.com: Permission denied (publickey).

@oanhnn
Copy link
Author

oanhnn commented Dec 23, 2023

@y-he2
In your case, ssh will use a username from the logged-in user in the shell.

Host github-alias
   HostName github.com
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
oanhnn@localhost:~$ ssh -vT github-alias
oanhnn@localhost:~$ ssh -vT oanhnn@github.com

Two commands have the same effect.
You should set it up one of two ways.

1 (your solution)

Host github-alias
   HostName github.com
   User git
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
ssh -vT github-alias

2 (like my guide):

Host github-alias
   HostName github.com
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
ssh -vT git@github-alias

@y-he2
Copy link

y-he2 commented Dec 24, 2023

@y-he2 In your case, ssh will use a username from the logged-in user in the shell.

Host github-alias
   HostName github.com
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
oanhnn@localhost:~$ ssh -vT github-alias
oanhnn@localhost:~$ ssh -vT oanhnn@github.com

Two commands have the same effect. You should set it up one of two ways.

1 (your solution)

Host github-alias
   HostName github.com
   User git
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
ssh -vT github-alias

2 (like my guide):

Host github-alias
   HostName github.com
   IdentityFile ~/.ssh/account1_private_key
   IdentitiesOnly yes
ssh -vT git@github-alias

Ah that "git@" is obviously what I have been missing, thanks for the clarification!

@oanhnn
Copy link
Author

oanhnn commented Jan 12, 2024

@viktorianer
Copy link

👍 That solution is good. But the only issue is that typing that command is somewhat long and tiring.

That is nota problem at all. Just add an alias for this command, a short one! ☺️

@gentunian
Copy link

problem with this is that only allows you to use your keys for cloning. But it won't work for installing dependencies that points to ssh@github.com/some/repo.

@alwaisy
Copy link

alwaisy commented Feb 3, 2024

Thanks bunch it worked for me. Saved my time. Stay happy and posting amazing stuff.

@smali-kazmi
Copy link

please add one thing in your gist suppose there is an github-superman account so you have to update your package.json like this

{
  "dependencies": {
      ......
      ......
      testRepo: "git+ssh://git@github-superman:org/testRepo.git#main"
  }
}

@IbroRebronja
Copy link

Very useful!

@David7ce
Copy link

David7ce commented Apr 2, 2024

Now is fixed. (I had the same Host I misunderstood, and put the same Hostname instead of the same Host.
The Host must be differ.

NOTE: If you use any account frequently, you should use the default hostname (github.com)

I have a problem, I have configured the config and add the pair of SSH keys both locally (to agent) and the remote server (GitHub) to two of my GitHub accounts. The pair of keys works fine independently if only have one pair of keys (moving the other outside), but if I have the two pairs of keys in the ~/.ssh/ the test only show me

ssh -T git@github.com
Hi <other-user> ! You've successfully authenticated, but GitHub does not provide shell access.

Here's is my config, I have two "Host github.com" but this should work fine and I think I have used in the past.

# Default github account: david7ce
Host github.com
   HostName github.com
   User git
   IdentityFile ~/.ssh/david7ce

# Second github account: <other-user> 
Host github.com
   HostName github.com
   User git
   IdentityFile ~/.ssh/<other-user> 

@IbroRebronja
Copy link

IbroRebronja commented Apr 2, 2024

You have two keys for the same door, but they're getting mixed up. Let's label one key for your main account and the other for your second account, so each key knows which door to open.

# Default github account: david7ce
Host github.com
   HostName github.com
   User git
   IdentityFile ~/.ssh/david7ce

# Second github account: <other-user> 
Host github-other
   HostName github.com
   User git
   IdentityFile ~/.ssh/<other-user>

@David7ce
Copy link

David7ce commented Apr 3, 2024

@IbroRebronja yes that was the issue, thanks for explanation

@IvanildoBarauna
Copy link

Thanks @oanhnn!

@mobeigi
Copy link

mobeigi commented Aug 8, 2024

Seems like an okay solution, although its a bit annoying to have aliases like github_personal when it should clearly be github.com.

I believe other alternatives exist which may be nicer:

  • Aliases or commands to load / unload the right SSH key into your SSH agent
  • Aliases or commands to export GIT_SSH_COMMAND variable (see here)

That way, usage would be something like:

git_work   // trigger alias to set GIT_SSH_COMMAND to work SSH key
git clone git@github.com:Company/Project
git_me  // trigger alias to set GIT_SSH_COMMAND to personal SSH key
git clone git@github.com:Personal/Project

All the repos have the correct hostname, your .ssh config is correct and all you need to do is remember to trigger the alias as you hop between different projects. If you get it wrong you get permission denied or not found so its simple to then remember and switch to the right one. Feels more correct to me.

@oanhnn
Copy link
Author

oanhnn commented Aug 9, 2024

@mobeigi Great idea.
You can make a bash script git-me.sh

#!/usr/bin/env bash

SSH_PRIVATE_KEY=~/.ssh/personal_private_key.pem

GIT_SSH_COMMAND="ssh -i $SSH_PRIVATE_KEY -o IdentitiesOnly=yes" git $@

And use it for personal projects.

git clone git@github.com:Company/Project.git
git-me.sh clone git@github.com:Personal/Project.git

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment