Using multiple (different) keys with GitHub

You are most likely aware of the fact that GitHub is no longer supporting simple username/password-based authentication when working from the command line using HTTP remote. This is deprecated and I wrote a post about Deploy Keys usage with GitHub.

In practice, there are two most common use cases for GitHub keys. The preferred way is to have your personal key configured on your personal account. This, in connection with the proper repository configuration (your personal account added as collaborator), will allow you to work on repositories easily. Push and pulls will use your personal key to identify yourself against GitHub.

The second common use case is to use Deploy Keys. This is useful when you are not able to add your account as a collaborator, or you want to configure GitHub access from the machine on which multiple users are working so you don’t want to keep your personal key there. It is also used in automation processes.

Why multiple keys for GitHub?

Given the above, why use multiple SSH keys? Sometimes you have to use separate GitHub accounts (so, different keys), or multiple machines on which you don’t want to keep your personal keys, so you generate keys on each of these machines.

Automation engines should also use different keys for security reasons. If the key is compromised for one of the pieces, you can invalidate this particular key and reconfigure this particular step. Much easier than trying to find all places where the shared key is in use.

How to use multiple keys?

By default, when pushing or pulling from GitHub repository using SSH-based remote, there is an SSH session running in the background. As you noticed, the typical remote address looks like this:

git@github.com:userName/repoName.git

The “git@github.com” part is always the same, the “username” and “repoName” change. If you are using such remote in your Git configuration, the underlying SSH connection will try to use your default (typically – id_rsa) key and other keys if the first one will not work properly. If you have only one key, there is no need for additional configuration.

When you have multiple keys and you want to use different keys for different repositories or even different remotes of the same repository, you should tell SSH which key to use. In my opinion, the simplest way to do this is to use an SSH config file.

SSH config file is located in “~/.ssh/” directory and is simply named “config” so you can open your editor and edit the file “~/.ssh/config”. Here is the sample file which I will describe below:

Host github-firstKey
  HostName github.com
  User git
  IdentityFile ~/.ssh/myFirstKey

Host github-secondKey
  HostName github.com
  User git
  IdentityFile ~/.ssh/mySecondKey

Host github-thirdKey
  HostName github.com
  User git
  IdentityFile ~/.ssh/myThirdKey

The above config file defines three hosts with three different keys. Note that the user names and hostnames are the same in all of them – the same as in a typical remote address. The change is in the “Host” line and in the “IdentityFile” which points to the particular key.

Such configuration allows us to configure different remotes. Take a look at these remote addresses:

# typical SSH remote:
git@github.com:userName/repoName.git

# the same remote using First Key:
github-firstKey:userName/repoName.git

# the same remote using Second Key:
github-secondKey:userName/repoName.git

# the same remote using Third Key:
github-thirdKey:userName/repoName.git

What does it mean? Once you have your configuration ready, you can define different remotes based on the hosts defined in your configuration. The host will dictate the key to use during the connection. You can use the same host for multiple repositories (use the same host value for remotes defined in different repositories) or you can use different hosts in different remotes in the same repository. The above method works with Deploy Keys and with personal keys configured in GitHub.

Leave a Reply

Your email address will not be published.