My hacking journal

Git with different SSH identities

by admin

Nowadays the best way to access remote Git repositories is through the HTTP transport. However, most services still offer SSH connectivity, and there are times when you want to access different hosts with SSH identities other than the default one (id_rsa).

Useful links

Disclaimer: I pasted content from the aforementioned sources. I hope I have the time to review it and clarify and make it my own. For the time being, it’s only a reference for myself.

If you have an active _ssh-agent_ that has your id_rsa key loaded, then the problem is likely that _ssh_ is offering that key first. Unfuddle probably accepts it for authentication (e.g. in sshd) but rejects it for authorization to access the company repositories (e.g. in whatever internal software they use for authorization, possibly something akin to Gitolite). Perhaps there is a way to add your personal key to the company account (multiple people are not sharing the same corp_rsa public and private key files, are they?).

The IdentitiesOnly .ssh/config configuration keyword can be used to limit the keys that _ssh_ offers to the remote _sshd_ to just those specified via IdentityFile keywords (i.e. it will refuse to use any additional keys that happen to be loaded into an active _ssh-agent_).

Try these .ssh/config sections:

Host {personalaccount}.unfuddle.com
   IdentityFile ~/.ssh/id_rsa
   IdentitiesOnly yes
Host {companyaccount}.unfuddle.com
   IdentityFile ~/.ssh/{companyaccount}_rsa
   IdentitiesOnly yes

Then, use Git URLs like these:

git@{personalaccount}.unfuddle.com:{personalaccount}/my-stuff.git 
git@{companyaccount}.unfuddle.com:{companyaccount}/their-stuff.git

If you want to take full advantage of the .ssh/config mechanism, you can supply your own custom hostname and change the default user name:

Host uf-mine
    HostName {personalaccount}.unfuddle.com
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
Host uf-comp
    HostName {companyaccount}.unfuddle.com
    User git
    IdentityFile ~/.ssh/{companyaccount}_rsa
    IdentitiesOnly yes

Then, use Git URLs like these:

uf-mine:{personalaccount}/my-stuff.git
uf-comp:{companyaccount}/their-stuff.git

This SCP-like syntax (which is not a valid URL by the way) is permitted by git. Also note uf-mine can either be a remote or a Host set in ~/.ssh/config [man ssh_config]:

Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. A single `*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching).

What you actually do, it turns out, is use the IdentitiesOnly “yes” directive in ~/.ssh/config. This means that none of the ssh-agent magical keys will get in the priority queue, and only things explicitly specified either in config or on the command line are allowed.
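An added example (not from the original post or its sources): a Python check that resolves the options ssh would apply to a given Host alias and flags aliases that are missing IdentityFile or IdentitiesOnly yes. It assumes a config without Match, Include or negated patterns; the uf-legacy entry and its key path are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample: uf-mine follows the page's advice, uf-legacy does not.
SAMPLE_CONFIG = """\
Host uf-mine
    HostName {personalaccount}.unfuddle.com
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
Host uf-legacy
    IdentityFile ~/.ssh/legacy_rsa
Host *
    IdentitiesOnly no
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, [(keyword, value)]) blocks."""
    blocks = [(["*"], [])]  # options before the first Host apply to every host
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip('"')
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks

def effective(alias, text):
    """First value obtained wins, except IdentityFile, which accumulates."""
    opts = {"identityfile": []}
    for patterns, settings in parse_blocks(text):
        # Matching uses the name typed on the command line, not HostName.
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for key, value in settings:
            if key == "identityfile":
                opts[key].append(value)
            else:
                opts.setdefault(key, value)
    return opts

def audit(alias, text):
    """Findings against the page's rule: IdentityFile plus IdentitiesOnly yes."""
    opts, findings = effective(alias, text), []
    if opts.get("identitiesonly", "no").lower() != "yes":
        findings.append("IdentitiesOnly is not yes: ssh-agent keys can also be offered")
    if not opts["identityfile"]:
        findings.append("no IdentityFile: ssh falls back to its default key files")
    return findings
```

Auditing the real host name instead of the alias reports both findings, because only the `Host *` block matches it. On a live system, `ssh -G uf-mine` prints the options OpenSSH itself resolves, which is the authoritative check.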
