I have the following use case: I would like to be able to push to git@git.company.com:gitolite-admin using the private key of user gitolite-admin, while I want to push to git@git.company.com:some_repo using 'my own' private key. AFAIK, I can't solve this using ~/.ssh/config, because the user name and server name are identical in both cases. As I mostly use my own private key, I have that defined in ~/.ssh/config for git@git.company.com. Does anyone know of a way to override the key that is used for a single git invocation?
(Aside: gitolite distinguishes who is doing the pushing based on the key, so it's not a problem, in terms of access, ownership and auditing, that the user@server string is identical for different users.)
On Unix-based systems (Linux, BSD, Mac OS X), the default identity is stored in the directory $HOME/.ssh, in 2 files:
private key: $HOME/.ssh/id_rsa
public key: $HOME/.ssh/id_rsa.pub
When you use ssh without option -i, it uses the default private key to authenticate with the remote system. If you have another private key you want to use, for example $HOME/.ssh/deploy_key, you have to use
ssh -i ~/.ssh/deploy_key ...
It is annoying. You can add the following lines into your $HOME/.bash_profile:
ssh-add ~/.ssh/deploy_key
ssh-add ~/.ssh/id_rsa
So each time you use ssh or git or scp (basically ssh too), you don't have to use option -i anymore. You can add as many keys as you like in the file $HOME/.bash_profile.
An alternative approach to the one offered above by Mark Longair is to use an alias that will run any git command, on any remote, with an alternative SSH key. The idea is basically to switch your SSH identity when running the git commands.
Advantages relative to the host alias approach in the other answer:
remote explicitly.
I use a few small scripts and a git alias admin. That way I can do, for example:
To push to the default remote using the alternative ("admin") SSH key. Again, you could use any command (not just push) with this alias. You could even do git admin clone ... to clone a repository that you would only have access to using your "admin" key.
Step 1: Create the alternative SSH keys, optionally set a passphrase in case you're doing this on someone else's machine.
Step 2: Create a script called “ssh-as.sh” that runs stuff that uses SSH, but uses a given SSH key rather than the default:
Step 3: Create a script called “git-as.sh” that runs git commands using the given SSH key.
Step 4: Add an alias (using something appropriate for “PATH_TO_SCRIPTS_DIR” below):
More details at: http://noamlewis.wordpress.com/2013/01/24/git-admin-an-alias-for-running-git-commands-as-a-privileged-ssh-identity/
Even if the user and host are the same, they can still be distinguished in ~/.ssh/config. For example, if your configuration looks like this:
Then you just use gitolite-as-alice and gitolite-as-bob instead of the hostname in your URL:
Note
You want to include the option IdentitiesOnly yes to prevent the use of default ids. Otherwise, if you also have id files matching the default names, they will get tried first because unlike other config options (which abide by "first in wins") the IdentityFile option appends to the list of identities to try. See: https://serverfault.com/questions/450796/how-could-i-stop-ssh-offering-a-wrong-key/450807#450807
Another alternative is to use ssh-ident, to manage your ssh identities.
It automatically loads and uses different keys based on your current working directory, ssh options, and so on... which means you can easily have a work/ directory and private/ directory that transparently end up using different keys and identities with ssh.
You can utilize the git environment variable GIT_SSH_COMMAND. Run this in your terminal under your git repository:
Replace ~/.ssh/your_private_key with the path of the ssh private key you wanna use. And you can change the subsequent git command (in the example it is git submodule update --init) to others like git pull, git fetch, etc.
You might need to remove (or comment out) default Host configuration
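As an added example (not part of any answer above; the function names ssh_command_for_key and git_as are hypothetical), the GIT_SSH_COMMAND approach can be wrapped in a shell function that validates the key file and combines -i with the IdentitiesOnly option from the note above, so a single git invocation uses the chosen key:

```shell
#!/bin/sh
# Added example, not from the answers above. Function names are hypothetical.
# GIT_SSH_COMMAND requires Git 2.3 or later.

# Print an ssh command line that authenticates with one specific private key.
ssh_command_for_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "no such key file: $key" >&2
        return 1
    fi
    # Git hands GIT_SSH_COMMAND to a shell, so the path is single-quoted below;
    # refuse paths that would break out of that quoting.
    case $key in
        *"'"*) echo "key path must not contain a single quote" >&2; return 1 ;;
    esac
    # ssh refuses a private key whose mode grants anything to group or other.
    perms=$(ls -ldL -- "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key is accessible to group/other, fix with: chmod 600 $key" >&2
        return 1
    fi
    # -i names the key; IdentitiesOnly=yes keeps ssh from offering unrelated
    # keys held by ssh-agent. An IdentityFile set for the host in ~/.ssh/config
    # is still added to the list of identities.
    printf "ssh -i '%s' -o IdentitiesOnly=yes" "$key"
}

# Run one git command with the given key: git_as KEYFILE GIT_ARGS...
# The body runs in a subshell so no variables leak into the caller.
git_as() (
    key=$1
    shift
    cmd=$(ssh_command_for_key "$key") || exit 1
    GIT_SSH_COMMAND=$cmd git "$@"
)

# Usage (key path taken from the example earlier on this page):
#   git_as ~/.ssh/deploy_key push
```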