Using Multiple SSH Public Keys
If you have an active ssh-agent that has your id_rsa key loaded, then the problem is likely that ssh is offering that key first. Unfuddle probably accepts it for authentication (e.g. in sshd) but rejects it for authorization to access the company repositories (e.g. in whatever internal software they use for authorization, possibly something akin to Gitolite). Perhaps there is a way to add your personal key to the company account (multiple people are not sharing the same corp_rsa public and private key files, are they?).
The IdentitiesOnly .ssh/config configuration keyword can be used to limit the keys that ssh offers to the remote sshd to just those specified via IdentityFile keywords (i.e. it will refuse to use any additional keys that happen to be loaded into an active ssh-agent).
Try these .ssh/config sections:
Host {personalaccount}.unfuddle.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
Host {companyaccount}.unfuddle.com
IdentityFile ~/.ssh/{companyaccount}_rsa
IdentitiesOnly yes
Then, use Git URLs like these:
git@{personalaccount}.unfuddle.com:{personalaccount}/my-stuff.git
git@{companyaccount}.unfuddle.com:{companyaccount}/their-stuff.git
If you want to take full advantage of the .ssh/config mechanism, you can supply your own custom hostname and change the default user name:
Host uf-mine
HostName {personalaccount}.unfuddle.com
User git
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
Host uf-comp
HostName {companyaccount}.unfuddle.com
User git
IdentityFile ~/.ssh/{companyaccount}_rsa
IdentitiesOnly yes
Then, use Git URLs like these:
uf-mine:{personalaccount}/my-stuff.git
uf-comp:{companyaccount}/their-stuff.git
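The answer above relies on every pinned Host block also carrying IdentitiesOnly yes, otherwise agent-loaded keys are still offered. The following is an added example (not code from the answer or from Unfuddle) that audits an ssh_config file with awk and reports blocks that pin an IdentityFile without IdentitiesOnly; it assumes simple Host blocks (no Match blocks or wildcard merging) and uses a constructed sample config.

```shell
#!/bin/sh
# Audit an ssh_config: one line per Host block with the pinned IdentityFile
# entries and a verdict: OK (pinned and IdentitiesOnly yes), LEAK (pinned but
# agent keys may still be offered), NOPIN (no IdentityFile in the block).

# Constructed sample config (hypothetical hostnames, not from the page).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Host uf-mine
    HostName personal.unfuddle.com
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

Host uf-comp
    HostName company.unfuddle.com
    User git
    IdentityFile ~/.ssh/company_rsa
    # IdentitiesOnly missing: keys in ssh-agent would also be offered
EOF

# Usage: audit_ssh_config <config-file>
audit_ssh_config() {
    awk '
    function flush() {
        if (host == "") return
        verdict = (ids == "") ? "NOPIN" : (only ? "OK" : "LEAK")
        printf "%s %s %s\n", host, (ids == "" ? "-" : ids), verdict
    }
    NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
    tolower($1) == "host" { flush(); host = $2; ids = ""; only = 0; next }
    tolower($1) == "identityfile" { ids = (ids == "") ? $2 : ids "," $2; next }
    tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1; next }
    END { flush() }
    ' "$1"
}

# Usage: config_is_strict <config-file>; exit status 0 when no block leaks.
config_is_strict() {
    ! audit_ssh_config "$1" | grep -q ' LEAK$'
}

audit_ssh_config "$SAMPLE_CONFIG"
```

Run it against your real ~/.ssh/config to spot blocks where the agent would still offer every loaded key.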
IdentityFile and IdentitiesOnly work well. What bothers me is having to remember to use different host names to connect to, and the fact that the forwarded agent connection still holds all keys, meaning that if the remote host is compromised, they can use any of my identities while I'm in.
I've recently started using:
https://github.com/ccontavalli/ssh-ident
It's a wrapper around ssh; it:
- keeps an entirely separate agent for each identity you define.
- automatically shares agents across login sessions, nothing to do in your .bashrc.
- loads the agent and the corresponding keys on demand the first time you need them.
- determines which agent to use either based on ssh command line (hostname & such) or your current working directory. This is particularly handy as I tend to work from different paths depending on what I am doing.
man ssh_config
Something like
Host personal_repo
User personal
IdentityFile .ssh/personal_rsa
Host company_repo
User company
IdentityFile .ssh/company_rsa
And use personal_repo as host in your git repo.
Here's a proper way if you want to use ssh agent:
# Create public keys to make sure they exist
# this is a must if you use ssh agent forwarding
# or want to use ssh-agent at all
ssh-add -L | grep personal > ~/.ssh/personal_identity.pub
ssh-add -L | grep company > ~/.ssh/company_identity.pub
# Add to ~/.ssh/config
Host {personalaccount}.unfuddle.com
IdentityFile ~/.ssh/personal_identity.pub
Host {companyaccount}.unfuddle.com
IdentityFile ~/.ssh/company_identity.pub
Explanation: if you have a private key in your ~/.ssh directory, ssh-agent won't be used. So we create a public key under another name, so that ssh is forced to use ssh-agent. This also helps if you don't have access to private keys (e.g. ssh agent forwarding).