1021

ssh has the -i option to tell which private key file to use when authenticating:

-i identity_file

    Selects a file from which the identity (private key) for RSA or DSA authentication is read.  The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.  Identity files may also be specified on a per-host basis in the configuration file.  It is possible to have multiple -i options (and multiple identities specified in configuration files).

Is there a similar way to tell git which private key file to use on a system with multiple private keys in the ~/.ssh directory?

jrdioko
  • 11,565
  • 5
  • 26
  • 26
  • 3
    See [this question in StackOverflow](http://stackoverflow.com/q/4565700/247696) as well. – Flimm May 08 '15 at 09:46
  • 2
    Also related http://serverfault.com/questions/194567/how-do-i-tell-git-for-windows-where-to-find-my-private-rsa-key – Machavity Jun 28 '16 at 14:51
  • Don't mess around with all the host-based top-rated answers. See Dmytro Buryak's path-based answer instead. – opyate Jul 05 '22 at 13:33

25 Answers25

968

In ~/.ssh/config, add:

Host github.com
 HostName github.com
 IdentityFile ~/.ssh/id_rsa_github

If the config file is new, you might need to do chmod 600 ~/.ssh/config

Now you can do git clone git@github.com:{ORG_NAME}/{REPO_NAME}.git

  • Where {ORG_NAME} is your GitHub user account (or organization account)'s GitHub URI name.
    • Note that there is a colon : after github.com instead of the slash / - as this is not a URI.
  • And {REPO_NAME} is your GitHub repo's URI name
  • For example, for the Linux kernel this would be git clone git@github.com:torvalds/linux.git).

NOTE: On Linux and macOS, verify that the permissions on your IdentityFile are 400. SSH will reject, in a not clearly explicit manner, SSH keys that are too readable. It will just look like a credential rejection. The solution, in this case, is:

chmod 400 ~/.ssh/id_rsa_github
kas
  • 304
  • 3
  • 6
shellholic
  • 10,941
  • 1
  • 15
  • 9
  • 245
    What if you need to connect to the same host with different keys? – Valentin Klinghammer Nov 30 '12 at 11:24
  • I'm using this trick in my [`github-keygen`](https://github.com/dolmen/github-keygen) tool that I built to manage SSH keys and settings for Github. – dolmen Sep 20 '13 at 10:10
  • 1
    @Cliff Nop, in my manpage: "`HostName`: Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts." My ssh version is openssh-6.7p1. – Grissiom Jan 07 '15 at 02:17
  • 1
    @Grissiom That's exactly what it says. But you seem to understand the meaning backwards. Host (or Match) is required. To create a host nickname you place the nickname in the Host line and the real hostname in the HostName line. Examples: http://www.saltycrane.com/blog/2008/11/creating-remote-server-nicknames-sshconfig/ – Cliff Jan 08 '15 at 03:55
  • 20
    If the config file is new, don't forget to do `chmod 600 ~/.ssh/config` – elysch Mar 15 '16 at 23:02
  • User git perfact – Nullpointer Sep 08 '16 at 09:53
  • Note you might not need "username" in your git path. e.g. my user on our local gitlab with permission for our shared project is Alice, I'm logged onto Linux as Bob. I created the ssh keys as Bob and put the public key on gitlab associated with Alice. Now I can clone like this from Linux, logged in as Bob, without mentioning "Alice" anywhere, – lessthanideal Nov 14 '16 at 14:12
  • OMG why wouldn't it just tell me that the rights are wrong... It said its wrong first (warned) and then I've changed it. It didn't tell me next time saying me just that permission is denied. – ivkremer Aug 18 '17 at 13:04
  • 10
    @ValentinKlinghammer the answer from @Flimm has the solution for this question. It is to use `core.sshCommand` git configuration. https://superuser.com/a/912281/162466 – VasyaNovikov Dec 28 '17 at 20:47
  • 1
    This worked for me - important to note that creating a directory inside `.ssh` and trying to organize keys inside directories would require to also change the permissions of that directory. – nuno Sep 06 '18 at 09:35
  • none worked for me...not sure why – Goddard Jan 24 '19 at 19:50
  • 6
    This forces git to use a specific key for an entire domain, which usually won't work. For example, if someone has a personal github account as well as a work account, this configuration will break one of them. – Cerin Aug 22 '19 at 20:09
  • Won't work with GIT LFS – Ross Ivantsiv Apr 10 '20 at 18:09
  • This answer is outdated. – pwned Oct 20 '20 at 10:17
  • The user option is not required since you're passing the user in the git clone command. – kas Nov 20 '20 at 21:10
  • 4
    Regarding contacting the same host with different keys: Here it is essential to understand that in `.ssh/config` `Host` is a custom name you can give to the host specified under `HostName`. The `github.com` part in the git URL `git@github.com:torvalds/linux.git` refers to this `Host` and thus has to match it exactly. If you have a second Github ssh key, you can create a section `Host github2` in `.ssh/config` and then use the URL `git@github2:torvalds/linux.git` (see also https://superuser.com/a/1519694/96128). – user905686 Apr 12 '21 at 17:42
645

Environment variable GIT_SSH_COMMAND

From Git version 2.3.0, you can use the environment variable GIT_SSH_COMMAND like this:

GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa_example" git clone example

Note that -i can sometimes be overridden by your config file, in which case, you should give SSH an empty config file, like this:

GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa_example -F /dev/null" git clone git@github.com:example/example.git

Configuration core.sshCommand

Since Git version 2.10.0, you can configure this per repo or globally, using the core.sshCommand setting. There's no more need to use the environment variable. Here's how you clone a repo and set this configuration at the same time:

git clone -c "core.sshCommand=ssh -i ~/.ssh/id_rsa_example -F /dev/null" git@github.com:example/example.git
cd example/
git pull
git push

If the repo already exists, run:

git config core.sshCommand "ssh -i ~/.ssh/id_rsa_example -F /dev/null"

The configuration is saved in .git/config

Flimm
  • 9,057
  • 5
  • 29
  • 37
  • 5
    I had to export the *shell* variable to an environment variable to make this work, i.e. `export GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa_example"`, then `git clone example` – Abdull Dec 01 '15 at 13:46
  • 10
    @Abdull In Bash, doing the assignment on the same line as the command exports the environment variable for just that command. Try it: `example=hello /usr/bin/env | grep example`. – Flimm Jan 08 '16 at 09:50
  • 4
    things have become even better: as of Git 2.10, you can store the command in your Git configuration: http://stackoverflow.com/a/38474220/520162 – eckes Oct 21 '16 at 07:57
  • For me I had to remove the ` -F /dev/null` i dont know why , otherwise it would tell me: `git config core.sshCommand "ssh -i ~/.ssh/toptal_i nterview_3_rsa -f /dev/null" PS C:\Users\Mercurius\Desktop\timekeep> git push -u origin master ssh: Could not resolve hostname /dev/null: Name or service not known` – Noitidart Mar 06 '17 at 23:55
  • 2
    @Noitidart `/dev/null` is only a valid filename in UNIX-like operating systems, it doesn't work on Windows. – Flimm Mar 07 '17 at 08:19
  • 1
    Thanks very much @Flimm, so it is safe to do your command without the `-F` too? Also I don't understand in the second part, since 2.10.0 you mention we can configure it globally, but the second part only shows the local method no? – Noitidart Mar 07 '17 at 12:03
  • The `core.sshCommand` config setting was just the thing I needed, because it lets me use a certain key by default in most circumstances, but then specify a different key with a `core.sshCommand` in a `repository/.git/config` file for a specific repo. Thank you! – Pistos Mar 17 '17 at 15:01
  • 1
    If you need multiple keys, the -i parameter can be repeated, and ssh will try each key in turn. `git config core.sshcommand "ssh -i /path/to/keyA -i /path/to/keyB"`. This lets git use different keys with different remote hosts. – Mark Jun 23 '17 at 03:44
  • For git versions < 2.3, you can use `GIT_SSH` (see other answers). – luator Nov 08 '17 at 14:31
  • You saved my life! Been struggling with different work and private Github & Heroku credentials for hours!! – Sprachprofi Apr 09 '18 at 18:46
  • 14
    For me `GIT_SSH_COMMAND` didn't work until I used [`IdentitiesOnly`](https://superuser.com/q/268776/55307), such as this command: `GIT_SSH_COMMAND="ssh -i ~/.ssh/mysubdir/id_rsa -o 'IdentitiesOnly yes'" git push`. – Tyler Collier Oct 07 '18 at 07:13
  • This is the best answer. The use of the environment variable via `export GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa_otherkey"` is so handy and flexible. I don't like setting multiple github keys in configuration `.ssh/config` because I also have to alias the github url for example, `github.com` becomes `github.com.smeagol` just to differentiate and this alias URL becomes your git remote address. – truthadjustr Jul 02 '19 at 12:56
  • This is especially useful when debugging git ssh. I can add -vvv to increase verbose mode. – Ding-Yi Chen Nov 26 '19 at 08:07
  • Hi !! Do you know how to propagate this to a submodule? – Arka Prava Basu Dec 27 '19 at 13:00
  • Why are you adding the -F flag? To make sure no other config is used aside from the one explicitly mentioned? – Muhamed Huseinbašić Oct 09 '20 at 11:58
  • 1
    @MuhamedHuseinbašić Yes. – Flimm Oct 09 '20 at 18:19
  • 2
    With Windows that would be `-F nul`, but with OpenSSH one can use `-F none` – Jakob Jan 14 '21 at 10:38
  • Brilliant stuff. – Vadim Jun 12 '21 at 10:50
  • I spent hours looking for a solution and this was the easiest. Works like a charm for setting different ID files using a shell function by just setting the env var. – nick-s Aug 23 '21 at 04:37
  • Useful answer. In addition, in Mac `-F /dev/null` is not required. – Arnold Parge Oct 17 '21 at 13:35
173

There is no direct way to tell git which private key to use, because it relies on ssh for repository authentication. However, there are still a few ways to achieve your goal:

Option 1: ssh-agent

You can use ssh-agent to temporarily authorize your private key.

For example:

$ ssh-agent sh -c 'ssh-add ~/.ssh/id_rsa; git fetch user@host'

Option 2: GIT_SSH_COMMAND

Pass the ssh arguments by using the GIT_SSH_COMMAND environment variable (Git 2.3.0+).

For example:

$ GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
  git clone user@host

You can type this all on one line — ignore $ and leave out the \.

Option 3: GIT_SSH

Pass the ssh arguments by using the GIT_SSH environment variable to specify alternate ssh binary.

For example:

$ echo 'ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $*' > ssh
$ chmod +x ssh
$ GIT_TRACE=1 GIT_SSH='./ssh' git clone user@host

Note: The above lines are shell (terminal) command lines which you should paste into your terminal. They will create a file named ssh, make it executable, and (indirectly) execute it.

Note: GIT_SSH is available since v0.99.4 (2005).

Option 4: ~/.ssh/config

Use the ~/.ssh/config file as suggested in other answers in order to specify the location of your private key, e.g.

Host github.com
  User git
  Hostname github.com
  IdentityFile ~/.ssh/id_rsa
kenorb
  • 22,906
  • 25
  • 122
  • 184
87

Use custom host config in ~/.ssh/config, like this:

Host gitlab-as-thuc  
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa.thuc
    IdentitiesOnly yes

then use your custom hostname like this:

git remote add thuc git@gitlab-as-thuc:your-repo.git  
thucnguyen
  • 979
  • 6
  • 4
  • 6
    This is the answer I was looking for, as I have separate GitHub accounts for home and work. I just had to set `Host work.github.com` `HostName github.com` `IdentityFile ~/.ssh/work`, and then replace "github.com" by "work.github.com" whenever I clone a work repository. It still connects to "github.com", but using a non-default key pair. – Mikkel May 25 '16 at 17:06
  • 1
    The URL for details ("http://itblog.study.land/...") doesn't work any more :( – Carl Smotricz Sep 15 '17 at 08:10
  • @CarlSmotricz the original one was moved here: https://medium.com/@thucnc/how-to-specify-different-ssh-keys-for-git-push-for-a-given-domain-bef56639dc02 – thucnguyen Nov 27 '18 at 07:13
  • 13
    FINALLY!!! This answer actually shows how you can utilize what you put in the `~/.ssh/config` file. Every other answer misses how you can set the host when you add the origin, which automatically allows git to use the correct key file. THANK YOU!! – Mageician Dec 04 '18 at 15:17
  • 1
    Nice, that was what I was looking :) – Lucas D'Avila Apr 04 '19 at 18:19
  • +1 upvote great answer, it helped me also, I've used this and found this to work. 2 additional tips: 1) slightly different for bitbucket, repos are identified by project/repo-name, so my git `origin` looks like: `git@therobyouknow:therobyouknow/myproject.git` (where the first therobyouknow is the `Host` in `config` and the 2nd therobyouknow is the bitbucket project. – therobyouknow Dec 29 '20 at 22:22
  • 1
    Tip 2) and essential: if you have other `Host *` also in your config, whereby you want to use that for all over remote machines, _except_ for your gitlab/bitbucket/github, then you need to make sure you _exclude_ that config from `Host *` and I did this by changing `Host *` to `Host !bitbucket.org` which meant that its config doesnt "bleed" into my bitbucket config. See [My comment here](https://superuser.com/questions/732231/how-can-i-apply-some-settings-to-a-ssh-hosts-excluding-one-other-host#comment2460460_732274) to the original answer there I want to give credit for here for this idea – therobyouknow Dec 29 '20 at 22:27
  • 1
    To clarify Tip 2) further: from what I've found, it does the same job as `Host * !bitbucket.org` (which itself _didn't_ work for me) but without the `*`, so what `Host !bitbucket.org`(which _did_ work for me) is saying is: " `Host *` - everything _except for_ `bitbucket.org` " - the `*` - meaning "everything", though absent, is still in effect and implied. – therobyouknow Dec 29 '20 at 23:24
  • This is it. There's no git command hacks no nothing. This is it. *Thank you.* – Aspiring Dev May 02 '21 at 23:28
  • This was particularly useful setting up a CICD pipeline that pulled multiple projects from github. Github insists on using a separate deploy key per project, and using these custom hosts is how I get the pipeline to use the right keys per project. – Tony Park Jul 29 '21 at 07:53
  • The full process is also documented on https://chasethedevil.github.io/post/github-and-ssh/ (which uses the same trick) – jherek Aug 18 '21 at 13:41
  • If it was my question, I would mark this as the correct answer. Cheers! – toryan Oct 28 '21 at 16:55
63

If you need to connect to the same host with different keys then you can achieve it by:

  1. Configure the ~/.ssh/config with different Hosts but same HostNames.
  2. Clone your repo using the appropriate host.

Example:

~/.ssh/config

Host work
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_work
  User git
    
Host personal
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_personal
  User git

Then instead cloning your repos like:

git clone git@bitbucket.org:username/my-work-project.git
git clone git@bitbucket.org:username/my-personal-project.git

you must do

git clone git@work:username/my-work-project.git
git clone git@personal:username/my-personal-project.git
nyxz
  • 733
  • 6
  • 7
33

Write a script that calls ssh with the arguments you want, and put the filename of the script in $GIT_SSH. Or just put your configuration in ~/.ssh/config.

Ignacio Vazquez-Abrams
  • 108,889
  • 8
  • 195
  • 241
  • 2
    [Another explanation](http://superuser.com/a/355696/235231) of how to do this. – Sithsu May 12 '14 at 19:44
  • 1
    `~/.ssh/config` Is *the* way to go. – hek2mgl May 08 '15 at 13:56
  • I work on a machine (A) from which I git push to a server (B) that only accepts ssh key authentication. While my ~/.ssh/config setup on (A) works perfectly fine when I work directly _on_ that machine, it does not when I login from some other location (C). Using `$GIT_SSH` and a script solved this problem. Thanks! – bsumirak Dec 03 '15 at 17:28
29

If you do not want to have to specify environment variables every time you run git, do not want another wrapper script, do not/can not run ssh-agent(1), nor want to download another package just for this, use the git-remote-ext(1) external transport:

$ git clone 'ext::ssh -i $HOME/.ssh/alternate_id git.example.com %S /path/to/repository.git'
Cloning into 'repository'
(...)
$ cd repository
$ git remote -v
origin  ext::ssh -i $HOME/.ssh/alternate_id git.example.com %S /path/to/repository.git (fetch)
origin  ext::ssh -i $HOME/.ssh/alternate_id git.example.com %S /path/to/repository.git (push)

I consider this solution superior because:

  • It is repository/remote specific
  • Avoid wrapper script bloat
  • Do not need the SSH agent -- useful if you want unattended clones/push/pulls (e.g. in cron)
  • Definitely, no external tool needed
flaviovs
  • 419
  • 4
  • 5
  • // , Excellent solution. I wonder, though, if this would allow one to specify an identity passed through using agent forwarding. Most of my keys are not local to the servers I am using them on. I asked about this here: http://superuser.com/questions/971732/how-do-i-undo-an-ssh-add-on-a-forwarded-identity-to-access-github – Nathan Basanese Sep 11 '15 at 18:09
  • The answer deals only with a way of specifying arbitrary command lines to be used as git repositories. IMHO, you should try to sort out your issue using ssh alone first (e.g. "ssh _host_" should connect using the right key). I will try to provide more info on your other question, though. – flaviovs Sep 14 '15 at 16:34
  • Re my last comment, for some reason I cannot comment in your other question -- and do not have a concrete answer. Well, you might want to checkout http://serverfault.com/questions/599560/use-a-specific-forwarded-key-from-ssh-agent and the answer from user kasperd. – flaviovs Sep 14 '15 at 17:51
  • 2
    This answer was exactly what I needed to force Chef's `git` resource to use repository-specific deployment keys to clone/fetch from private Github repositories. The additional advantage of this method over the environment/script based ones is that since the key-path is encoded in the working-repo's config, it will use the same key on both initial clone and subsequent fetches/pushes. – Adam Franco Nov 19 '15 at 16:20
  • 3
    WOW! This is just great, didn't know about this. Thanks for the answer, quite helpful as well in puppet environments, to prevent the extra hassle to manage `.ssh/config` etc. +1! – gxx Jun 10 '16 at 18:36
  • Excellent answer! If you're using github, I made a quick guide about it: https://mattlebrun.com/use-different-git-ssh-key-per-project.html – cr8ivecodesmith Sep 15 '16 at 03:11
  • 2
    This solution does not work together with the --recursive flag. The submodules are not fetched using the specified key and therefor fails if they require auth. – Daniele Testa Dec 21 '16 at 16:05
  • 1
    Each submodule is an entirely different repository, with their own set of remotes. They're glued together by Git for your convenience, but in no way remotes for a submodule are tied to the ones in the parent repository. I'm afraid that you must set the remote using the `ext` transport in _each_ submodule for recursion in the parent to work. – flaviovs Dec 22 '16 at 19:10
  • 4
    If you encounter the following error `fatal: transport 'ext' not allowed`, you have to whitelist the ext protocol via the `export GIT_ALLOW_PROTOCOL=ext`. Basically, the git-remote-ext remote helper (which supports "ext::ssh example.com %S foo/repo" URLs) allows arbitrary command execution. This normally isn't ever a concern because user always sees and trusts the URL they pass to git. However git submodules, through the .gitmodules file, allow an attacker to request the client to fetch arbitrary git URLs. https://hackerone.com/reports/104465 – Gomino May 13 '18 at 17:21
  • What is "git.example.com"? How would you use this with github or bitbucket, neither of which have a git.* subdomain? – Cerin Aug 03 '18 at 16:32
  • 1
    This doesn't work when trying it with bitbucket, `git clone 'ext::ssh -i /home/myuser/.ssh/id_rsa_customkey git.bitbucket.org %S repo/project.git'` => `Permission denied (publickey). fatal: Could not read from remote repository.` – Cerin Aug 03 '18 at 16:36
  • `git.example.com` is a placeholder host name. You must be able to ssh to the actual host for this to work, so I suggest you try ssh first using the specified key and get to the command line, double-check the actual path to the repository, and **only then** try to use the `ext` transport. – flaviovs Aug 04 '18 at 17:56
  • 1
    This is probably a good way, but my Git tries my default GitHub user, which has another key (GitHub wants unique-per-user keys). How can I make it use another user for other repo? – Ondra Žižka Sep 03 '18 at 19:22
  • 1
    @OndraŽižka, you can add `-l USER` to the ssh command line to log in as user `USER`. – flaviovs Sep 04 '18 at 21:44
18

After my struggle with $GIT_SSH I would like to share what worked for me.

Through my examples I will assume you have your private key located at/home/user/.ssh/jenkins

Error to avoid: GIT_SSH value includes options

$ export GIT_SSH="ssh -i /home/user/.ssh/jenkins"

or whatever similar will fails, as git will try to execute the value as a file. For that reason, you have to create a script.

Working example of $GIT_SSH script /home/user/gssh.sh

The script will be invoked as follows:

$ $GIT_SSH [username@]host [-p <port>] <command>

Sample script working could look like:

#!/bin/sh
ssh -i /home/user/.ssh/jenkins $*

Note the $* at the end, it is important part of it.

Even safer alternative, which would prevent any possible conflict with anything in your default config file (plus explicitly mentioning the port to use) would be:

#!/bin/sh
ssh -i /home/user/.ssh/jenkins -F /dev/null -p 22 $*

Assuming the script is in /home/user/gssh.sh, you shall then:

$ export GIT_SSH=/home/user/gssh.sh

and all shall work.

Jan Vlcinsky
  • 461
  • 3
  • 10
  • Thanks. Just note: use "$@" instead of $* for pass-thru arguments, as the former behaves correctly when arguments contain whitespace. – Piotr Findeisen Mar 31 '16 at 07:39
  • @PiotrFindeisen Thanks for your note. However, I do not understand it completely - in zsh it helps me to keep strings with space in one piece, but in bash not. Can you tell me more or point to some explanation? I do not want to add some modification blindly. – Jan Vlcinsky Mar 31 '16 at 10:33
  • You should remove the first half of your answer. No one's interested in a solution that doesn't work, and it's wasted reading that obfuscates the correct answer at the bottom, which works wonderfully. – Cerin Aug 03 '18 at 16:47
  • @Cerin If you mean removing the "Error to avoid" I am going to keep it there. It shares common pitfall to avoid and it is very short. I am sure, someone would try optimizing the solution by providing all the things into variable (this happened to me), so I tried to shorten the path to success. – Jan Vlcinsky Aug 04 '18 at 20:14
11

So I set the GIT_SSH env variable to $HOME/bin/git-ssh.

In order to support having my repo configuration dictate which ssh identity to use, my ~/bin/git-ssh file is this:

#!/bin/sh
ssh -i $(git config --get ssh.identity) -F /dev/null -p 22 $*

Then I have a global git config setting:

$ git config --global ssh.identity ~/.ssh/default_id_rsa

And within any git repository I can just set a local ssh.identity git config value:

$ git config --local ssh.identity ~/.ssh/any_other_id_rsa

Voila!

If you can have a different email address for each identity, it gets even simpler, because you can just name your keys after your email addresses and then have the git config's user.email drive the key selection in a ~/bin/git-ssh like this:

#!/bin/sh
ssh -i $HOME/.ssh/$(git config --get user.email) -F /dev/null -p 22 $*
Brendan Baldwin
  • 111
  • 1
  • 5
11

This is my setup for multiple accounts, each using separate rsa key. It doesn't matter whether it's github, bitbucket, or whatever; this setup is not touching ssh client config, neither it uses hosts as selectors for configuration. It uses directory structure instead, and per-dir-subtree configurations.

$HOME/.gitconfig
[user]
  name = My Public Account Name
  email = my-public-email@public.com

[core]
  sshCommand = "ssh -i ~/.ssh/my_public_account_id_rsa"

# public github user - IDEA
[includeIf "gitdir:~/idea/"]
  path = ~/idea/.gitconfig

# org-1 user
[includeIf "gitdir:~/idea/org-1/"]
  path = ~/idea/org-1/.gitconfig

# org-2 user
[includeIf "gitdir:~/idea/org-2/"]
  path = ~/idea/org-2/.gitconfig

# public github user - ruby
[includeIf "gitdir:~/rubymine/"]
  path = ~/rubymine/.gitconfig

# org-1 user
[includeIf "gitdir:~/rubymine/org-1/"]
  path = ~/rubymine/org-1/.gitconfig

And if I need to override key and user details for some projects, then I keep them in the same dir. And in that dir I create a ".gitconfig" file, like:

$HOME/idea/org-1/.gitconfig
[user]
  name = My Org-1 Account Name
  email = my-org1-email@org-1.com

[core]
  sshCommand = "ssh -i ~/.ssh/my_org1_account_id_rsa"

Whenever I run any git command in ~/idea/org-1 directory or its sub-dirs, then it picks up my org-1 specific config and uses my_org1_account_id_rsa for ssh. And another name/email also for commits, not only rsa key.

This is hierarchical configuration, i.e. configurations are evaluated from more generic to more specific one. This is achieved by ordering "includeIf" clauses in your $HOME/.gitconfig and having trailing slash in glob patterns, which results in adding ** at the end. It's described nicely in documentation gitconfig includeIf docs. So keep in mind that order matters, and glob patterns matter.

Dmytro Buryak
  • 211
  • 2
  • 2
8

I had a client that needed a separate github account. So I needed to use a separate key just for this one project.

My solution was to add this to my .zshrc / .bashrc:

alias infogit="GIT_SSH_COMMAND=\"ssh -i ~/.ssh/id_specialkey\" git $@"

Whenever I want to use git for that project I replace "infogit" with git:

infogit commit -am "Some message" && infogit push

For me, it's easier to remember.

Michael Cole
  • 587
  • 4
  • 8
6

You can just use ssh-ident instead of creating your own wrapper.

You can read more at: https://github.com/ccontavalli/ssh-ident

It loads ssh keys on demand when first needed, once, even with multiple login sessions, xterms or NFS shared homes.

With a tiny config file, it can automatically load different keys and keep them separated in different agents (for agent forwarding) depending on what you need to do.

rabexc
  • 189
  • 1
  • 2
4

Generally, you want to use ~/.ssh/config for this. Simply pair server addresses with the keys you want to use for them as follows:

Host github.com
  IdentityFile ~/.ssh/id_rsa.github
Host heroku.com
  IdentityFile ~/.ssh/id_rsa.heroku
Host *
  IdentityFile ~/.ssh/id_rsa

Host * denotes any server, so I use it to set ~/.ssh/id_rsa as the default key to use.

Zaz
  • 2,355
  • 2
  • 23
  • 36
4

I build on @shellholic and this SO thread with a few teaks. I use GitHub as an example and assume that you have a private key in ~/.ssh/github (otherwise, see this SO thread) and that you added the public key to your GitHub profile (otherwise see GitHub's help).

If needed, create a new SSH config file at ~/.ssh/config and change permissions to 400

touch ~/.ssh/config
chmod 600 ~/.ssh/config

Add this to the ~/.ssh/config file:

Host github.com
    IdentityFile ~/.ssh/github
    IdentitiesOnly yes

If you already have a remote set up, you may want to delete it, otherwise you may still be prompted for username and password:

git remote rm origin

Then add a remote to the git repository, and notice the colon before the user name:

git remote add origin git@github.com:user_name/repo_name.git

And then git commands work normally, e.g.:

git push origin master
git pull origin 

@HeyWatchThis on this SO thread suggested adding IdentitiesOnly yes to prevent the SSH default behavior of sending the identity file matching the default filename for each protocol. See that thread for more information and references.

miguelmorin
  • 1,563
  • 3
  • 12
  • 26
3

My solution was this:

create a script:

#!/bin/bash
KEY=dafault_key_to_be_used
PORT=10022 #default port...
for i in $@;do
   case $i in
    --port=*)
        PORT="${i:7}";;
    --key=*)KEY="${i:6}";;
   esac
done
export GIT_SSH_COMMAND="ssh -i $HOME/.ssh/${KEY} -p ${PORT}"
echo Command: $GIT_SSH_COMMAND

then when you have to change the var run:

. ./thescript.sh [--port=] [--key=]

Don't forget the extra dot!! this makes the script set the environments vars!! --key and --port are optional.

Salsicha
  • 31
  • 1
2

All the information up to now (2020-01) are useful, but IMHO are a little bit messy, and no post sums them up to a clean solution.

So here are my solutions. If you are lucky with your current solution, then you are free to ignore this post.

Overall Premise:
Solution for *nix-based OS. Tested on Debian-based OS, but should work on other *nix-based OS.

Overall Prerequisites:

  • Separate identity files (keys) for different hosts and/or users available, e.g. generated via ssh-keygen -f <filename> ...

Goals:

  • Use a specific identity file (key) per repository (optional: per host)
  • Works with any host: GitHub, GitLab, BitBucket, etc
  • Simple to use and to adopt
  • Prefer not messing around with URLs and use them as-is
  • Prefer to use normal configuration of git and ssh
  • (nice-to-have) Working in shell and gui tools
  • (nice-to-have) Works with any tool: git, ssh, svn, rsync, etc.

Solutions:

  1. Convenient tool ssh-ident
  2. Just normal git and ssh, with a minor portition of shell magic
  3. Host renaming (also works with Putty/Pageant/Plink)

Note: A Match Path feature for OpenSSH would not help here, see https://marc.info/?l=openssh-unix-dev&m=141833748901966&w=2

Solution #1 - Tool ssh-ident
Notes:

  • Currently (as of 2020-01) I link my own fork of the original ssh-ident, as it gives more flexibility to argument and key filename matching.
  • See docstring inside ssh-ident for how to use

Prerequisites:

  • none

Download and prepare

  • Download first to a project directory, then install to /usr/local/bin
    DLDIR="${HOME}/work/packages/ssh-ident"
    [ -d "${DLDIR}" ] || mkdir -vp "${DLDIR}"
    #
    #original: DLURL='https://raw.githubusercontent.com/ccontavalli/ssh-ident/master'
    DLURL='https://raw.githubusercontent.com/ssh-ident/ssh-ident1/dev'
    wget -P "${DLDIR}" -N "${DLURL}/ssh-ident"
    unset -v DLURL
    #
    install -v -D -t /usr/local/bin "${DLDIR}/ssh-ident"
    ## Debian base >=11 "bullseye": sed -i -e '1 s#\(\spython\)\(\s\|$\)#\13\2#' /usr/local/bin/ssh-ident
    #
    unset -v DLDIR
    

Configure ssh-ident and the identities

  • Prepare files and directories
    [ -f ~/.ssh-ident ] || printf -- '\n' >~/.ssh-ident
    MYEXTRAIDENTITIES='1 gh2 dummy'
    for MYIDENTITY in ${MYEXTRAIDENTITIES}; do
      echo "${MYIDENTITY}"
      [ -d ~/.ssh/identities/"${MYIDENTITY}" ] || mkdir -vp ~/.ssh/identities/"${MYIDENTITY}"
    done
    chmod -v -R u=rwX,go= ~/.ssh/identities
    unset -v MYEXTRAIDENTITIES MYIDENTITY
    
  • Maintain configuration of ssh-ident to detect GitHub repositories
    Example: ~/.ssh-ident
    ...
    MATCH_ARGV = [
      (r"\s(git@)?github\.com\s.*'my-git-user-1\/dummy\.git'", "dummy"),
      (r"\s(git@)?github\.com\s.*'my-git-user-1\/.+\.git'", "1"),
      (r"\s(git@)?github\.com\s.*'my-git-user-2\/.+\.git'", "gh2"),
      ...
      #
      (r"\s(git@)?gist\.github\.com\s.*'abcdef01234567890fedcba912345678\.git'", "1"),
      ...
    ]
    ...
    
  • Copy private keys plus their public keys(!) to the corresponding identity directory
  • Optionally create a per-identity ssh config file
    Example: ~/.ssh/identities/1/config
    Host github.com,gist.github.com
        IdentitiesOnly yes
        IdentityFile ~/.ssh/identities/1/github-user1.key
        User git
    

Enable ssh-ident

  • Setup as ssh wrapper by installing as ssh via symbolic link to ssh-ident, either in /usr/local/bin for all users or in a user bin directory
    ln -s -T /usr/local/bin/ssh-ident ~/bin/ssh
    
  • Testing ssh-ident config. Pass fitting parameters to the SSH call.
    ssh -vT git@github.com "test 'my-git-user-1/test-repo.git'"
    
  • Use git as normal.

Solution #2 - Just normal git and ssh
Prerequisites:

  • git version 2.10+
    • git config core.sshCommand (2.10+)
  • OpenSSH client version 6.5+
    • function Match (6.5+)
    • option IdentityFile none (6.3+)
    • option IdentitiesOnly (3.9+)

Concept:
Use OpenSSH client config's Match Exec functionality to check for an environment variable (e.g. SSHGITUSER) to select a specific identity file (key). Fail when environment variable is not set or contains an unknown user id.

Allows for the following options:

  • One account on host: use Host block in OpenSSH client config to directly define the IdentityFile = pure vanilla ssh standard, no environment variable needed
  • Multiple accounts on a host: pass the environment variable to the OpenSSH client, so it can react on it within Match blocks
    • Either set the environment variable directly in front of the git call (e.g. SSHGITUSER='<id>' git ...)
      • Has to be used when cloning a git repository (e.g. SSHGITUSER='<id>' git clone ...)
      • Works also for remotes that need different identity files (e.g. SSHGITUSER='<id>' git fetch <remote>)
      • Works also when using environment variables GIT_SSH_COMMAND or GIT_SSH (see docs)
    • or use git config core.sshCommand to hard-code it for a repository (e.g. git config --local core.sshCommand "SSHGITUSER='<id>' ssh")
      • Does not work for remotes that need different identity files
      • Does not work when using environment variables GIT_SSH_COMMAND or GIT_SSH (see docs) as these override git config core.sshCommand of the repository

Setting up OpenSSH client config ssh_config:
Whenever we connect via ssh to a host, then we only want to connect with the identity files we explicitly specify. This can be achieved by setting IdentitiesOnly to yes and IdentityFile to none in a matching Host block, then no other identity files are offered to the target server, even when cached inside ssh-agent, nor the default key definitions will be tried.
If a default Host block exists for all servers, then extend its pattern to exclude the special host there.
Select the wanted identity file by checking an environment variable (e.g. SSHGITUSER). Define an id (number, letter or name) for each user and create a Match block for each id. The Match block should check the Host first to avoid using the identity file for other hosts and to avoid useless calls to the shell for testing the environment variable.
Specifing the user git for github.com and gist.github.com allows to remove git@ from the URL. This setting is overriden when a user is defined in the URL.

Example ~/.ssh/config for GitHub:

...
### >>> GitHub
## use: SSHGITUSER='<id>' git ...
## optional: git config --local core.sshCommand "SSHGITUSER='<id>' ssh"
Host github.com,gist.github.com
    IdentitiesOnly yes
    IdentityFile none
    User git

Match Host github.com,gist.github.com Exec "test ${SSHGITUSER:-_} = '1'"
    IdentityFile ~/.ssh/github-user1.key

Match Host github.com,gist.github.com Exec "test ${SSHGITUSER:-_} = 'gh2'"
    IdentityFile ~/.ssh/github-user2.key

Match Host github.com,gist.github.com Exec "test ${SSHGITUSER:-_} = 'dummy'"
    IdentityFile ~/.ssh/github-dummy-fake.key
### <<< GitHub
...
Host !github.com,!gist.github.com,*
    IdentityFile ~/.ssh/personal.key
...

Notes:

  • If only a single identity file is used for a host, then in the related Host block change IdentityFile from none directly to the identity file and no Match blocks are needed.
  • Remote User can also be set in a Match block. Remember a user in the URL overrides this setting.

Testing ssh config:
Pass the environment variable for the SSH call by defining it directly in front of the command. Use a wrong user in the URL to avoid actual logins as we just want to see the identity files offered to the server.

SSHGITUSER='1' ssh -vT ssh-test-dummy@github.com

Setting up git config of a repository for a hard-coded user id:
To hard-code the user id to a repository use git config core.sshCommand on the repository itself (via --local) to pass the environment variable to the ssh command.
The ssh command for git is either defined by the environment variable GIT_SSH_COMMAND (since git 2.3) or git config core.sshCommand (since git 2.10). If both are empty, then it normally defaults to just ssh (see Code funtions get_ssh_command() and fill_ssh_args() in connect.c).
Special case is when cloning a repository, then there is no config for the not yet cloned repository, and the environment variable has to be set directly in front of the git call (e.g. SSHGITUSER='<id>' git clone ...).

Example:

SSHGITUSER='1' git clone git@github.com:my-git-user-1/test-repo.git ~/work/test-repo
cd ~/work/test-repo
git config --local core.sshCommand "SSHGITUSER='1' ssh"
# Test: git fetch

Notes:
When using environment variables GIT_SSH_COMMAND or GIT_SSH (see docs) these will override git config core.sshCommand of the repository.
Check first via set | grep -e '^GIT_SSH' and if any is set, then adapt from using environment variables to git config core.sshCommand of the user (via --global) and remove the GIT_SSH[_COMMAND] variable.
(e.g. git config --global core.sshCommand "<content of used GIT_SSH[_COMMAND] variable>", plus git config --local core.sshCommand "SSHGITUSER='<id>' <content of used GIT_SSH[_COMMAND] variable>")

Other ideas for #2:

  • Use environment variable for IdentityFile ~/.ssh/github-${SSHGITUSER}.key or User ${SSHGITUSER}. Has the tendency to longer user ids.

Setting up other tools for #2:
On the command line just pass the environment variable by defining it directly in front of the command.
For hard-coding the user id the task is to find out how to pass the environment variable to the tool, e.g. configuration, wrapper script, alias, etc.

Solution #99 - Host renaming
Prerequisites:

  • none

Concept:
As also mentioned in this thread you can rename the host as described in the git FAQ for the ssh config to recognize it, choose the identity depending on it and set the correct host name.
I normally do not prefer to mess up URLs instead of using configurations/variables. Still I would then add the user id as a subdomain, e.g. <user id>.github.com.
After some talk adding the user id behind the host has the advantage that normally DNS resolution will fail as the TLD got messed up and therefore the connection will immediately fail also. Extended the example for this, e.g. github.com-<user id>.

This also works for Plink and Pageant from Putty. Putty checks for a saved session named like the "host", e.g. session github.com-<user id>. This can be used for this solution.
Then Putty checks for a session which references the host, e.g. session testing with host github.com. Just to let you know.

Example ~/.ssh/config for GitHub:

...
### >>> GitHub
Host github.com,gist.github.com,*.github.com,*.gist.github.com,github.com-*,gist.github.com-*
        IdentitiesOnly yes
        IdentityFile none
        User git

Host 1.github.com,github.com-1
        IdentityFile ~/.ssh/github-user1.key
        Hostname github.com

Host 1.gist.github.com,gist.github.com-1
        IdentityFile ~/.ssh/github-user1.key
        Hostname gist.github.com

Host gh2.github.com,github.com-gh2
        IdentityFile ~/.ssh/github-user2.key
        Hostname github.com

Host gh2.gist.github.com,gist.github.com-gh2
        IdentityFile ~/.ssh/github-user2.key
        Hostname gist.github.com

### <<< GitHub

Host !github.com,!gist.github.com,*
   IdentityFile ~/.ssh/personal.key
...
Maddes
  • 31
  • 4
  • Just for your interest: A `Match Path` feature for OpenSSH would not help here, see https://marc.info/?l=openssh-unix-dev&m=141833748901966&w=2 – Maddes Jan 09 '21 at 17:19
1

Just use ssh-agent and ssh-add commands.

# create an agent
ssh-agent

# add your default key
ssh-add ~/.ssh/id_rsa

# add your second key
ssh-add ~/.ssh/<your key name>

After executing the above commands, you can use both keys as same time. Just type

git clone git@github.com:<yourname>/<your-repo>.git

to clone your repository.

You need to execute the above command after you reboot your machine.

Run5k
  • 15,408
  • 24
  • 47
  • 62
  • Please explain the process including How can I create an agent – Srikrushna Apr 06 '19 at 20:20
  • Sounds smart, - but maybe a little to good to be true, considering how clumbsy all the other answers are. I couldn't get this to work. – Zeth Aug 15 '20 at 09:48
  • @Zeth You may have a problem when creating the ssh agent. If you are using MacOS, you only need to execute `ssh-agent`. If you are using Linux, I suggest you read this article https://wiki.archlinux.org/index.php/SSH_keys#ssh-agent – Jinmiao Luo Dec 26 '20 at 17:53
1

While the question doesn't request it, I am including this answer for anyone else looking to solve the same problem just specifically for .

The gitlab solution

I tried using the approach, but even the git documentation recommends using ~/.ssh/config for anything more than the simple case. In my case I am pushing to a server - and I wanted to do so as a specific user - which is of course defined by the during and not the username git. Once implemented I simply perform the following:

~/myrepo> git mycommit -m "Important Stuff"
~/myrepo> git mypush
[proceed to enter passphrase for private key...]

Setup

Recall the location of your /myfolder/.ssh/my_gitlab_id_rsa in my case.

Add an entry in ~/.ssh/config:

Host gitlab-delegate
    HostName gitlab.mydomain.com
    User git
    IdentityFile /myfolder/.ssh/my_gitlab_id_rsa
    IdentitiesOnly yes

Add the in ~/.gitconfig:

mypush = "!f() { \
           path=$(git config --get remote.origin.url | cut -d':' -f2); \
           branch=$(git rev-parse --abbrev-ref HEAD); \
           git remote add gitlab_as_me git@gitlab-delegate:$path && \
           git push gitlab_as_me $branch && \
           git pull origin $branch; \
           git remote remove gitlab_as_me; \
         }; f"

As a bonus, I perform my commits on this same host as a specific user with this :

mycommit = "!f() { \
             git -c "user.name=myname" -c "user.email=myname@mysite.com" commit \"$@\"; \
           }; f"

Explanation

All of the above assumes the relevant remote is origin and the relevant branch is currently checked out. For reference I ran into several items that needed to be addressed:

  • The solution requires creating a new remote gitlab_as_me, and I didn't like seeing the extra remote hanging around in my log tree so I remove it when finished
  • In order to create the remote, there is a need to generate the remote's url on the fly - in the case of gitlab this was achieved with a simple bash
  • When performing a push to gitlab_as_me you need to be specific about what branch you are pushing
  • After performing the push your local origin pointer needs to be "updated" in order to match gitlab_as_me (the git pull origin $branch does this)
dtmland
  • 2,604
  • 1
  • 21
  • 30
1
    # start :: how-to use different ssh identity files

    # create the company identity file
    ssh-keygen -t rsa -b 4096 -C "first.last@corp.com"
    # save private key to ~/.ssh/id_rsa.corp, 
    cat ~/.ssh/id_rsa.corp.pub # copy paste this string into your corp web ui security ssh keys

    # create your private identify file
    ssh-keygen -t rsa -b 4096 -C "me@gmail.com"
    # save private key to ~/.ssh/id_rsa.me, note the public key ~/.ssh/id_rsa.me.pub
    cat ~/.ssh/id_rsa.me.pub # copy paste this one into your githubs, private keys

    # clone company internal repo as follows
    GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa.corp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
    git clone git@git.in.corp.com:corp/project.git

    export git_msg="my commit msg with my corporate identity, explicitly provide author"
    git add --all ; git commit -m "$git_msg" --author "MeFirst MeLast <first.last@corp.com>"
    GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa.corp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
    git push 
    # and verify 
    clear ; git log --pretty --format='%h %ae %<(15)%an ::: %s

    # clone public repo as follows
    GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa.corp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
    git clone git@github.com:acoolprojectowner/coolproject.git

    export git_msg="my commit msg with my personal identity, again author "
    git add --all ; git commit -m "$git_msg" --author "MeFirst MeLast <first.last@gmail.com>"
    GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa.me -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
    git push ; 
    # and verify 
    clear ; git log --pretty --format='%h %ae %<(15)%an ::: %s

    # stop :: how-to use different ssh identity files
Yordan Georgiev
  • 153
  • 1
  • 8
1

There are already a great many proposed solutions here, including numerous options working around the GIT_SSH_COMMAND environment variable, many of which I've actually used myself over the years.

However, I would like to share a much simpler process that I recently discovered, using only direnv.

My personal favourite point of this method: it requires no modification of any Git config files, but it also won't conflict with any modifications you may want/need/have..


Note: I'm going to approach this with one "primary" SSH key to use by default, and one "secondary" SSH key to use for specific projects. This will fit in well with doing "work" things on a "personal" machine, or vice versa, as well as extending to any additional "special" SSH keys you may need.

Also, I should note that I use this for both GitHub and GitLab, with a "work" and "personal" SSH keys on each platform, from multiple separate computers, and it "Just Works"(tm).

The following steps do make a few assumptions here:

  • you're running in a Unix-like environment (Linux, macOS, WSLv2 on Windows)
  • primary SSH key in ~/.ssh/id_ed25519
  • secondary SSH key in ~/.ssh/id_ed25519_personal
  • work workspace in ~/workspace
  • personal workspace in ~/personal

With that in place, the configuration process itself is dead simple:

  1. install direnv, ensure it's loaded by .bashrc/.zshrc/.profile/etc.
  2. create a file at ~/personal/.envrc with export GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519_personal"
  3. open terminal at ~/personal
  • at this point, you might see a message like direnv: error /Users/$USER/personal/.envrc is blocked. Run direnv allow to approve its content. note: you will see this message every time the target .direnv file is modified.

At this point, navigating into ~/personal in your terminal (or any subfolder, even directly) will load environment variables from .envrc, and navigating out to anywhere else will unload them.


Here's an example of this in action on macOS running ZSH enhanced with OMZ (bonus: OMZ comes bundled with a direnv plugin, which adds the binary to your $PATH and shows it's "active" status in your terminal window):

 ~ ------------------------------------------------------------------- 11:00:33 
> cd workspace 

 ~/workspace --------------------------------------------------------- 11:00:39 
> echo $GIT_SSH_COMMAND


 ~/workspace --------------------------------------------------------- 11:00:40 
> cd ../personal       
direnv: loading ~/personal/.envrc
direnv: export +GIT_SSH_COMMAND

 ~/personal ------------------------------------------------- direnv | 11:00:47 
> echo $GIT_SSH_COMMAND
ssh -i ~/.ssh/id_ed25519_personal

 ~/personal ------------------------------------------------- direnv | 11:00:49 
> cd ..
direnv: unloading

 ~ ------------------------------------------------------------------- 11:00:52 
> echo $GIT_SSH_COMMAND


 ~ ------------------------------------------------------------------- 11:00:53 
>

Hope this helps some people.. (:

0

I'm using git version 2.16 and I don't need a single piece of script not even a config or modified commands.

  • Just copied my private key to .ssh/id_rsa
  • set permissions to 600

And git reads to key automatically. I doesn't ask anything and it doesn't throw an error. Just works fine.

0

When you have multiple git account and you want different ssh key

You have to follow same step for generating the ssh key, but be sure you

ssh-keygen -t ed25519 -C your-email-id@gmail.com

Enter the path you want to save(Ex: my-pc/Desktop/.ssh/ed25519)

Note: ed25519 is the folder name

Add the public key to your gitlab (How to adding ssh key to gitlab)

You have to new ssh identity using the below comand

ssh-add ~/my-pc/Desktop/.ssh/ed25519
Srikrushna
  • 109
  • 4
  • (1) Are you quoting somebody or something? If so, please identify the source. If not, please don’t use quote formatting.  (2) What is “ed25519”? … … … … … … … … … … … Please do not respond in comments; [edit] your answer to make it clearer and more complete. – Scott - Слава Україні Apr 07 '19 at 00:35
0

Before calling your usual git commands run:

eval $(ssh-agent)
ssh-add ~/.ssh/your_spesific_private_key
  • 1
    You answer is really short for a very old question that has many documented answers. – Toto Sep 24 '21 at 15:33
0

For MacOS:

git config core.sshCommand "ssh -i ~/.ssh/id_rsa_2"
Toto
  • 15,574
  • 40
  • 29
  • 39
0

All of the answers above are correct, but they all fail, when using something like terraform

Imaginge this scenario

  1. You have a personal github account
  2. You join a new company, and create another github account with your work email

If you follow the instructions above, in 99% of the time, they will work. However, let's say you use terraform, with private git repos, and you have terraform modules and all of these modules are defined as

module "module_name" {
  source                     = "git@github.com:company/terraform-modules-repository.git//module_name?ref=v1.0.1"
  ..
}

Then when terraform tries to fetch these modules, they will fail. This is the problem.

Your constraints are

  1. You cannot modify the source code
  2. You will have to swap your private and work keys in your ssh config

See the problem?

Here is a better solution, that will work for many combinations

  1. You define a gitconfig, that allows you to override your gitconfig See https://git-scm.com/docs/git-config#_includes
$ cat ~/.gitconfig                              
[user]
    email = name.surname@gmail.com
    name = Name Surname
[includeIf "gitdir:**/company_name/"]
    path = ~/.git-preferences/work/company_name/.gitconfig
  1. Inside of your preferences file for your company you add your ssh key to be used
$ cat ~/.git-preferences/work/company_name/.gitconfig
[user]
    email = name.surname@company.com
[core]
    sshCommand = ssh -i ~/.ssh/namesurname-company
  1. With terraform specefically, it ignores the ssh command in the git config, and it will only work if you set the env variable https://github.com/hashicorp/terraform/issues/19232 Therefore you will also need to issue the command
export GIT_SSH_COMMAND="ssh -i ~/.ssh/namesurname-company"

This is the only way that I could get it working for all cases