378

I'm having some trouble getting two different SSH keys/GitHub accounts to play well together. I have the following setup:

Repos accessible from one account using [email protected]:accountname

Repos accessible from another account using [email protected]:anotheraccount

Each account has its own SSH key. Both SSH keys have been added and I have created a config file. I don't believe the config file is correct though. I'm not quite sure how to specify that repos accessed using [email protected]:accountname should use id_rsa and [email protected]:anotheraccount should use id_rsa_anotheraccount.

Improve this question
5
  • 1
    I found this link helpful medium.freecodecamp.org/… Commented Apr 18, 2019 at 17:57
  • I have 3 separate SSH identities in ~/.ssh/config. The one for school server has a passcode; the 2 for separate work/personal GitHub accts do not. Running git pull kept failing & asking for the school passcode, despite separate Identity files, "IdentitiesOnly=yes," separate domains & Hostnames, all present in ssh-add -l ... The uni key was 'first' regardless of that setup. Had to move its section below the others in .ssh/config, and now git pull from both GitHub accts succeeds w/o asking for uni ssh password. Commented May 28, 2019 at 18:00
  • 1
    That is answered in detail here superuser.com/questions/232373/… Commented Jul 22, 2020 at 16:39
  • Check the answer below with the sshCommand git config option. Commented Aug 24, 2022 at 17:31
  • Does this answer your question? Multiple GitHub accounts on the same computer? Commented May 5, 2024 at 7:49

15 Answers 15

Reset to default
448

Andy Lester's response is accurate but I found an important extra step I needed to make to get this to work. In trying to get two profiles set up, one for personal and one for work, my ~/.ssh/config was roughly as follows:

Host me.github.com
    HostName github.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/me_rsa

Host work.github.com
    HostName github.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/work_rsa

My work profile didn't take until I did a ssh-add ~/.ssh/work_rsa. After that connections to github used the correct profile. Previously they defaulted to the first public key.

If you encounter problems, they are likely from using the wrong account. You can troubleshoot things from the command line with a command like this (use ssh -vvv for max verbosity):

$ GIT_SSH_COMMAND='ssh -v' git pull --verbose

For Could not open a connection to your authentication agent when using ssh-add,
check https://stackoverflow.com/a/17695338/1760313

For defaulted to the first public key, add IdentitiesOnly to the Host * section at the bottom of your ~/.ssh/config file. This tells ssh to only use specified identities rather than all unlocked keys in your agent.

If your Host * section has an IdentityFile line, this will not work. Remove that line and add it to a new Host !work.github.com * secion.

If you use ControlMaster and you try to use different Github accounts before the ControlPersist timeout expires, it will use the persisted connection, which may be for the other account. Change your ControlPath to include %k (the host key alias if specified, otherwise this is identical to %h, the hostname). If you prefer, you can limit this to just one Github account's path with e.g. ControlPath ~/.ssh/control-%C-2 solely in the Host work.github.com stanza.

Improve this answer
Sign up to request clarification or add additional context in comments.

22 Comments

See also doblock.com/articles/…. The key new piece of info there is that you may need to add the username ("work", in this example) to the hostname in the remote URL, i.e., [email protected]:work/my_repo.git (as opposed to "[email protected]...")
This works: superuser.com/questions/232373/…
To fix the problem that "they defaulted to the first public key", add IdentitiesOnly yes to the Host * section of your ~/.ssh/config file. This tells ssh to actually use the IdentityFiles you specify, rather than spamming the server with all of them.
Note if you have a 'Host *' block with an 'IdentityFile' statement, to force a particular key, you need to negate the target hostname for that Host block - e.g. 'Host * !work.github.com' - that, in addition to IdentitiesOnly as @Mechanicalsnail suggests will force a particular key.
So every single time I am supposed to change identity using ssh-add ?
|
250

I recently had to do this and had to sift through all these answers and their comments to eventually piece the information together, so I'll put it all here, in one post, for your convenience:


Step 1: ssh keys
Create any keypairs you'll need. In this example I've named me default/original 'id_rsa' (which is the default) and my new one 'id_rsa-work':

ssh-keygen -t rsa -C "[email protected]"


Step 2: ssh config
Set up multiple ssh profiles by creating/modifying ~/.ssh/config. Note the slightly differing 'Host' values:

# Default GitHub
Host github.com
    HostName github.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa

# Work GitHub
Host work.github.com
    HostName github.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa_work


Step 3: ssh-add
You may or may not have to do this. To check, list identity fingerprints by running:

$ ssh-add -l
2048 1f:1a:b8:69:cd:e3:ee:68:e1:c4:da:d8:96:7c:d0:6f stefano (RSA)
2048 6d:65:b9:3b:ff:9c:5a:54:1c:2f:6a:f7:44:03:84:3f [email protected] (RSA)

If your entries aren't there then run:

ssh-add ~/.ssh/id_rsa_work


Step 4: test
To test you've done this all correctly, I suggest the following quick check:

$ ssh -T [email protected]
Hi stefano! You've successfully authenticated, but GitHub does not provide shell access.

$ ssh -T [email protected]
Hi stefano! You've successfully authenticated, but GitHub does not provide shell access.

Note that you'll have to change the hostname (github / work.github) depending on what key/identity you'd like to use. But now you should be good to go! :)

Improve this answer

6 Comments

This is a great response. I had to use ssh-add to add both the ssh keys to utilize the config file.. Thanks :)
The only thing I like to add is when you run ssh-keygen -t rsa, it will give you a default file name, that is where you enter your custom file name.
One of best answers. Also this video helped me. youtube.com/watch?v=fnSRBRiQIU8&feature=youtu.be
Good post, would be nice if this post included setting your git config 'email': help.github.com/articles/…
If anyone else is getting "error connecting to agent" when doing "ssh-agent", check this out stackoverflow.com/questions/52113738/…
|
62

Let's say alice is a github.com user, with 2 or more private repositories repoN. For this example we'll work with just two repositories named repo1 and repo2

https://github.com/alice/repo1

https://github.com/alice/repo2

You need to be to pull from these repositories without entering a passwords probably on a server, or on multiple servers. You want to perform git pull origin main for example, and you want this to happen without asking for a password.

You don't like dealing with ssh-agent, you have discovered (or you're discovering now) about ~/.ssh/config a file that let's your ssh client know what private key to use depending on Hostname and username, with a simple configuration entry that looks like this:

Host github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/alice_github.id_rsa
  IdentitiesOnly yes

So you went ahead and created your (alice_github.id_rsa, alice_github.id_rsa.pub) keypair, you then also went to your repository's .git/config file and you modified the url of your remote origin to be something like this:

[remote "origin"]
        url = "ssh://[email protected]/alice/repo1.git"

And finally you went to the repository Settings > Deploy keys section and added the contents of alice_github.id_rsa.pub

At this point you could do your git pull origin main without entering a password without issue.

but what about the second repository?

So your instinct will be to grab that key and add it to repo2's Deploy keys, but github.com will error out and tell you that the key is already being used.

Now you go and generate another key (using ssh-keygen -t rsa -C "[email protected]" without passwords of course), and so that this doesn't become a mess, you will now name your keys like this:

  • repo1 keypair: (repo1.alice_github.id_rsa, repo1.alice_github.id_rsa.pub)
  • repo2 keypair: (repo2.alice_github.id_rsa, repo2.alice_github.id_rsa.pub)

You will now put the new public key on repo2's Deploy keys configuration at github.com, but now you have an ssh problem to deal with.

How can ssh tell which key to use if the repositories are hosted on the same github.com domain?

Your .ssh/config file points to github.com and it doesn't know which key to use when it's time to do the pull.

So I found a trick with github.com. You can tell your ssh client that each repository lives in a different github.com subdomain, in these cases, they will be repo1.github.com and repo2.github.com

So first thing is editing the .git/config files on your repo clones, so they look like this instead:

For repo1

[remote "origin"]
        url = "ssh://[email protected]/alice/repo1.git"

For repo2

[remote "origin"]
        url = "ssh://[email protected]/alice/repo2.git"

And then, on your .ssh/config file, now you will be able to enter a configuration for each subdomain :)

Host repo1.github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/repo1.alice_github.id_rsa
  IdentitiesOnly yes

Host repo2.github.com
  HostName github.com
  User git
  IdentityFile /home/alice/.ssh/repo2.alice_github.id_rsa
  IdentitiesOnly yes

Now you are able to git pull origin main without entering any passwords from both repositories.

If you have multiple machines, you could copy the keys to each of the machines and reuse them, but I'd advise doing the leg work to generate 1 key per machine and repo. You will have a lot more keys to handle, but you will be less vulnerable if one gets compromised.

Improve this answer

4 Comments

Specifying the subdomain that matches the host in .ssh/config is the crucial step - thanks a lot for that
Hi I have two machines, can you tell how can I copy key from one laptop to another? copy and then rename? Does this work?
your keys are usually inside your ~/.ssh folder, just copy the files over in whatever way you can.
Good job! See the same example.
56

I have 2 accounts on github, and here is what I did (on linux) to make it work.

Keys

  • Create 2 pair of rsa keys, via ssh-keygen, name them properly, so that make life easier.
  • Add private keys to local agent via ssh-add path_to_private_key
  • For each github account, upload a (distinct) public key.

Configuration

~/.ssh/config

Host github-kc
    Hostname        github.com
    User git
    IdentityFile    ~/.ssh/github_rsa_kc.pub
    # LogLevel DEBUG3

Host github-abc
    Hostname        github.com
    User git
    IdentityFile    ~/.ssh/github_rsa_abc.pub
    # LogLevel DEBUG3

Set remote url for repo:

  • For repo in Host github-kc:

    git remote set-url origin git@github-kc:kuchaguangjie/pygtrans.git

  • For repo in Host github-abc:

    git remote set-url origin git@github-abc:abcdefg/yyy.git

Explaination

Options in ~/.ssh/config:

  • Host github-<identify_specific_user>
    Host could be any value that could identify a host plus an account, it don't need to be a real host, e.g github-kc identify one of my account on github for my local laptop,

    When set remote url for a git repo, this is the value to put after git@, that's how a repo maps to a Host, e.g git remote set-url origin git@github-kc:kuchaguangjie/pygtrans.git


  • [Following are sub options of Host]
  • Hostname
    specify the actual hostname, just use github.com for github,
  • User git
    the user is always git for github,
  • IdentityFile
    specify key to use, just put the path the a public key,
  • LogLevel
    specify log level to debug, if any issue, DEBUG3 gives the most detailed info.
Improve this answer

4 Comments

lovely -- did not need ssh-add path_to_private_key -- probably because the agent isn't required in this case. The config file is explicitly defining the path to the keys.
@MarkChackerian I think you don't need ssh-add because your keys aren't password protected or (if you're on a Mac) the OSX keychain is handling it for you. ssh-add prevents you from needing to enter the passphrase every time you access your keys.
Great, to the point and what I was looking for. Thanks
Excellent explanation. The key here is to use "git remote set-url ..." to tell git which ssh key to use by referencing the right host!
25

A possibly simpler alternative to editing the ssh config file (as suggested in all other answers), is to configure an individual repository to use a different (e.g. non-default) ssh key.

Inside the repository for which you want to use a different key, run:

git config core.sshCommand 'ssh -i ~/.ssh/id_rsa_anotheraccount'

If your key is passhprase-protected and you don't want to type your password every time, you have to add it to the ssh-agent. Here's how to do it for ubuntu and here for macOS.

It should also be possible to scale this approach to multiple repositories using global git config and conditional includes (see example).

Improve this answer

6 Comments

You can even configure this using includeIf in your global .gitconfig.
This answer was the most useful to me. I'd hate to have to change the URL manually every time I want to clone something, but this is easy to add to the script I'm already using to set my email address and other identity details per work directory before starting to work.
@marcelocra I am late, but would you post an example how to do that?
@ZelphirKaltstahl Sorry, only saw your comment today. Take a look at this other answer as it has an example of what I meant. Also, perhaps GCM (git credential manager) is relevant to you.
I wish LLMs would pick up on this answer. Everything suggests the far more annoying multiple hosts.
|
21

Use the IdentityFile parameter in your ~/.ssh/config:

Host github.com
    HostName github.com
    IdentityFile ~/.ssh/github.rsa
    User petdance
Improve this answer

3 Comments

Thanks but this isn't quite accurate. I found the answer and shared below.
I'm pretty sure my approach will work in your case. You can identify different users and different identity files. Just need to give each a different Host parameter on the config stanza.
Andy, according to the link I found below I needed to drop the .com from the host. Once I did that it worked fine.
9

I spent a lot of time to understand all the steps. So lets describe step by step:

  1. Create new identity file using ssh-keygen -t rsa. Give it an alternative like proj1.id_rsa and hit with no doubt because you don't need a passphrase.

  2. Add new section in .ssh/config:

    Host proj1.github.com
    HostName github.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/proj1.id_rsa

Take into account the first section and note that proj1.github.com we will back to the section later.

  1. Add the identity to ssh agent ssh-add ~/.ssh/proj1.id_rsa
  2. That what I messed first time - now when you want to clone a proj1 repo you do it using proj1.github.com (exactly the host from the config file). git clone [email protected].

A good tutorial.

Don't mess up with hosts

Improve this answer

2 Comments

Thanks for the link to the turorial! You have a typo: the key names id_rsa_proj1 and proj1_id_rsa should actually be same. You could also add the part about .git/config settings from the tutorial to your answer.
You still have a typo: proj1.id_rsa vs. proj1_id_rsa
9

I find solution of this problem and try to explain it. We should make change in both file ~/.ssh/config and in ~/.gitconfig

Let's show.

1. Create keys

You will need one key for each different account you will use on either GitHub or BitBucket.

Whichever site you have more identities with determines how many keys you will need.

A single key can act both as a GitHub and BitBucket key but cannot be associated with more than one BitBucket or GitHub account.

If you already have created a key in ~/.ssh/id_rsa (the default location), you may use that in place of the ~/.ssh/msmith key in my examples or you can leave that key and add additional keys for the other identities.

Create the keys and ssh-add them (make sure to enter a secure password and do not just leave it blank)

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/key1_rsa -C "[email protected]"

Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): ************ Enter same passphrase again: Your identification has been saved in /Users/me/.ssh/key1_rsa. Your public key has been saved in /Users/me/.ssh/key1_rsa.pub. The key fingerprint is: ...

$  ssh-add ~/.ssh/key1_rsa
$  ssh-keygen -t rsa -b 4096 -f ~/.ssh/key2_rsa -C "[email protected]"

Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): ************ Enter same passphrase again: Your identification has been saved in /Users/me/.ssh/key2_rsa. Your public key has been saved in /Users/me/.ssh/key2_rsa.pub. The key fingerprint is: ...

$ ssh-add ~/.ssh/key2_rsa

2. Setup ~/.ssh/config

Create a file in ~/.ssh/config (if it does not already exist). You must make sure it is readable only by the owner and the group and public bits are set off.

touch ~/.ssh/config
chmod 600 ~/.ssh/config

We now need to add SSH configuration that specifies the github and bitbucket hostnames but with a suffix appended to qualify which key to use. We set the HostName to the correct github.com or bitbucket.org address.

Note: Linux users should either omit UseKeychain yes or add IgnoreUnknown UseKeychain (thanks soulofmischief)

~/.ssh/config
...

Host github.com-msmith
  HostName github.com
  UseKeychain yes
  AddKeysToAgent yes
  User git
  IdentityFile ~/.ssh/msmith_rsa
  IdentitiesOnly yes

Host bitbucket.org-msmith
  HostName bitbucket.org
  UseKeychain yes
  AddKeysToAgent yes
  User git
  IdentityFile ~/.ssh/msmith_rsa
  IdentitiesOnly yes

Host github.com-jblige
  HostName github.com
  UseKeychain yes
  AddKeysToAgent yes
  User git
  IdentityFile ~/.ssh/jblige_rsa
  IdentitiesOnly yes

Host bitbucket.org-jblige
  HostName bitbucket.org
  UseKeychain yes
  AddKeysToAgent yes
  User git
  IdentityFile ~/.ssh/jblige_rsa
  IdentitiesOnly yes

...

3. Add public keys to GitHub and BitBucket

Log into GitHub for each user and add the keys from ~/.ssh/xxxxx.pub to the respective users authorized SSH keys.

For more information on this see: https://confluence.atlassian.com/bitbucket/set-up-an-ssh-key-728138079.html

or

https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account

4. Create key specific .gitconfig

You will need a single directory where all code that corresponds to a given key will be checked out to.

I prefer to keep all those directories in one directory in my home ~/src and I name them according to the account name associated with the key

mkdir -p ~/src/msmith
mkdir -p ~/src/jblige

In each directory put a .gitconfig file.

~/src/msmith/.gitconfig
...
[user]
  email = [email protected]
    
[url "[email protected]"]
  insteadOf = [email protected]
  
[url "[email protected]"]
  insteadOf = [email protected]
~/src/jblige/.gitconfig
...
[user]
  email = [email protected]
  signingkey = ABCD1234
  
[url "[email protected]"]
  insteadOf = [email protected]
  
[url "[email protected]"]
  insteadOf = [email protected]
  
[commit]
  gpgsign = true

This way, I use the correct email address for both keys and have even set up automatic commit signing for jblige. I also rewrite all the hostnames for the original SSH connections to the correctly suffixed hostnames I created in the SSH config file.

For more information about GPG signing see:

https://help.github.com/en/articles/signing-commits

or

https://confluence.atlassian.com/bitbucketserver/using-gpg-keys-913477014.html

5. Setup Git config includeif

To activate the .gitconfig files in ~/src/*, edit the .gitconfig file in your home directory and add an includeif statement for each of the .gitconfig files referencing the directory they are in

~/.gitconfig
...

[includeif "gitdir:~/src/msmith/"]
    path = ~/src/msmith/.gitconfig
    
[includeif "gitdir:~/src/jblige/"]
    path = ~/src/jblige/.gitconfig

Do not forget the trailing slash in the [includeif "gitdir:... statement.

6. Cloning the repositories

You then clone the code using the SSH clone address (i.e. [email protected]... or [email protected]..., not https://bitbucket.org... nor https://github.com...) into the directory that corresponds to the key you want to use for that clone.

$  cd ~/src/msmith
$  git clone [email protected]:someuser/somerepo.git
...

Because of the rewriting, git will actually attempt to clone using the suffixed address corresponding to the configuration in the SSH config file but because of the SSH configuration it will use the original hostname when actually connecting to the host ensuring you use the right key.

All commits/pulls/pushes to/from those repositories will use the corresponding config/key/account.

Improve this answer

2 Comments

One thing to add here is that gitdir is a glob pattern, so your clones don't have to be a direct child of that path but could be a grandchild. E.g. I have a <parent> directory for my uni work, which is where my included .gitignore lives, then each unit that I have lives under that with their respective files/folder structure. A git repo might not be encountered until 3 or 4 levels down. So long as <parent> is in the path, it will include the correct .gitignore.
this url rewrite helped me. with it i no longer need to mind the hostname while cloning. what also works is to modify ssh command using core.sshCommand.
5

In my case none of the solutions above solved my issue, but ssh-agent does. Basically, I did the following:

  1. Generate key pair using ssh-keygen shown below. It will generate a key pair (in this example .\keyfile and .\keyfile.pub)

    ssh-keygen -t rsa -b 4096 -C "yourname@yourdomain" -f keyfile

  2. Upload keyfile.pub to the git provider

  3. Start ssh-agent on your machine (you can check with ps -ef | grep ssh-agent to see if it is running already)
  4. Run ssh-add .\keyfile to add credentials
  5. Now you can run git clone git@provider:username/project.git
Improve this answer

1 Comment

You can use this to validate it got added or not "ssh-add -l -E md5"
5

Simplest way to use multiple Git accounts and clone without any changes would be to add your username to the ssh config.

  1. Open ~/.ssh/config. Create if one doesn't exist
  2. Add your host entry as following
Host github.com:<YOUR_GITHUB_USERNAME>
  AddKeysToAgent yes
  IdentityFile ~/.ssh/<YOUR_SSH_KEY_FILENAME>

Replace <YOUR_GITHUB_USERNAME> with your desired github username (personal or work) Replace <YOUR_SSH_KEY_FILENAME> with your keyfile name in .ssh folder (ex: id_ed25519). Add a host record for each of the github account you want to maintain.

Now git clone would be simple as git clone github.com:<YOUR_GITHUB_USERNAME>/your-repo.git. No custom gihub domains to remember when cloning ;-)

Made a gist with further information https://gist.github.com/udantha/fed5439630eaf4651272f4fba6e1c6a3

Improve this answer

2 Comments

This is actually on of the best answers. With the :<YOUR_GITHUB_USERNAME> part being really important. The reason being is that let's say you want to reference a private git repo as a package in your package.json file, if you end up having to use something like: "package" : "git+ssh://git@new-host:<user>/<repo>.git" Which means everyone has to update their .ssh config file to match yours. But if you include the :<YOUR_GITHUB_USERNAME> then you can be assured everyone can access it directly whether or not the have multiple ssh keys or not.
But I can have different username / organisation where I want to push directly. In that case we have add multiple host:username combination. Directory based solution works well instead of configuring ssh config file update git config file core.sshcommand = "ssh -i ~/.ssh/<ssh-key>"
5

You don't have to edit your ssh config and deal with weird remote URLs at all. Leverage gitconfig!

# ~/.gitconfig, only used in this directory
[includeIf "gitdir:/home/user/work/"]
    path = ~/.work.gitconfig

# ~/.work.gitconfig
[user]
        email = "[email protected]"
        name = John Doe
[core]
        sshCommand = ssh -i ~/.ssh/id_rsa_work # use my other ssh key
Improve this answer

1 Comment

Make sure to put [includeIf .. ] section at the end of your ~/.gitconfig file.
3

As a complement of @stefano 's answer, It is better to use command with -f when generate a new SSH key for another account, 

ssh-keygen -t rsa -f ~/.ssh/id_rsa_work -C "[email protected]"

Since id_rsa_work file doesn't exist in path ~/.ssh/, and I create this file manually, and it doesn't work :(

Improve this answer

Comments

1

I used,

Host github.com
   HostName github.com
   IdentityFile ~/.ssh/github_rsa
   User [email protected]

It wokred fine.

Use the above setting in your .ssh/config file for different rsa keys for different usernames.

Improve this answer

Comments

1

I posted the technique I use to deal with these here

Improve this answer

Comments

1

This is the only config that worked for me to be able to use two GitHub accounts with different SSH keys.

Replace id_ed25519 (representing my work SSH key) and id_ed25519-personal (representing my personal SSH key) with your SSH keys' filenames.

Host github.com
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_ed25519-personal
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.