GitHub SSH keys for multiple accounts
I knew about the SSH configuration (located at ~/.ssh/config) for supporting multiple GitHub domains (for example, my work domain is GitHub.tools.xxx.com and the personal one is GitHub.com), but I ran into some grief with multiple accounts for the same domain (in this case GitHub.com). I have two accounts on GitHub.com — one is a personal one, and another created with my work email. I created the latter to have a clean, “sandboxed” account that could pull/contribute code from/to repositories where the work organization was added as a collaborator. I mostly needed the SSH config for the work GitHub itself, and although I had added SSH keys for my development machine on GitHub.com, I suppose I only ended up testing that with the latter work email.
I ran into issues cloning a repository (via SSH) from the personal account on GitHub.com. I checked that the SSH key was added into the GitHub settings, but cloning a repository failed with the error:
amit.prabhudesai@IM1634-X0 GitHub % git clone git@github.com:amitprabhudesai/<myrepository>.git
Cloning into '<myrepository>'...
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.My SSH config (located at ~/.ssh/config) looked like so:
Host github.tools.inmobi.com
HostName github.tools.inmobi.com
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa# GitHub account
Host github.com
IdentityFile ~/.ssh/id_ed25519
User amit-prabhudesai
In hindsight, the clue to what was going wrong was staring my in the face. The User property was amit-prabhudesai which was my username registered with the work email. The username for the personal account was amitprabhudesai and I eventually realized this, but I probably would have saved myself an hour or so had I realized this sooner. The username that is used to authenticate with GitHub also becomes explicit if you look at the output of testing your SSH key:
amit.prabhudesai@IM1634-X0 .ssh % ssh -T git@github.comHi amit-prabhudesai! You've successfully authenticated, but GitHub does not provide shell access.
The username is right there at the start of the output spewed.
Okay, so I realized that I am authenticating with the wrong username (the wrong account — I was authenticating with the GitHub account name I set up for work, and I was looking to clone a repository I created under my personal account). So how do I fix this? Searching on the internetworks I came across this; this suggested that situations like these need two separate SSH keys to be set up and configured in SSH config. This was what was wrong with my configuration — I was using separate keys for the github.xxx.com and github.com domains, but I was sharing the key for the two different accounts on the same (github.com) domain. This is also made explicit by running the following:
amit.prabhudesai@IM1634-X0 GitHub % ssh -vvv git@github.com
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/amit.prabhudesai/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/amit.prabhudesai/.ssh/id_rsa type 0
debug1: identity file /Users/amit.prabhudesai/.ssh/id_rsa-cert type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_dsa type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_dsa-cert type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_ecdsa type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_ed25519 type 3
debug1: identity file /Users/amit.prabhudesai/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_xmss type -1
debug1: identity file /Users/amit.prabhudesai/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version babeld-ccb88c3b
debug1: no match: babeld-ccb88c3b
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to github.com:22 as 'git'
debug3: hostkeys_foreach: reading file "/Users/amit.prabhudesai/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
...
...
debug1: Will attempt key: /Users/amit.prabhudesai/.ssh/id_rsa RSA SHA256:cM3m37dxAuwIAJoaUaf2F1CuXk83RFEW8JrP5Ig2810 agent
debug1: Will attempt key: /Users/amit.prabhudesai/.ssh/id_dsa
debug1: Will attempt key: /Users/amit.prabhudesai/.ssh/id_ecdsa
debug1: Will attempt key: /Users/amit.prabhudesai/.ssh/id_ed25519 ED25519 SHA256:cvCeIJd6lHTYZOC2rm4tz75/rvepoCQ1EYWy8Kg4yzM
debug1: Will attempt key: /Users/amit.prabhudesai/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
...
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/amit.prabhudesai/.ssh/id_rsa RSA SHA256:cM3m37dxAuwIAJoaUaf2F1CuXk83RFEW8JrP5Ig2810 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/amit.prabhudesai/.ssh/id_dsa
debug3: no such identity: /Users/amit.prabhudesai/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/amit.prabhudesai/.ssh/id_ecdsa
debug3: no such identity: /Users/amit.prabhudesai/.ssh/id_ecdsa: No such file or directory
debug1: Offering public key: /Users/amit.prabhudesai/.ssh/id_ed25519 ED25519 SHA256:cvCeIJd6lHTYZOC2rm4tz75/rvepoCQ1EYWy8Kg4yzM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/amit.prabhudesai/.ssh/id_xmss
debug3: no such identity: /Users/amit.prabhudesai/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).This shows the list of keys that are attempted for authentication, and I could not see the key I added in that list. As mentioned here, I had added the key to ssh agent with the -K switch. The -K switch does not seem to work, though. Adding to the ssh-agent without this worked fine.
Finally, here is what I did to get this working:
- Log in to GitHub with each of my accounts.
- Delete any existing SSH keys from each of the accounts.
- Generate new keys for each of the accounts, and add these to the correct accounts.
- Add the SSH keys to the ssh-agent.
- Update the SSH config file.
Here is what my SSH config file looks like right now:
amit.prabhudesai@IM1634-X0 .ssh % cat config# InMobi Corp GitHub (InMobi)
Host github.tools.inmobi.com
HostName github.tools.inmobi.com
AddKeysToAgent yes
UseKeychain yes
IdentityFile <primary-ssh-key># GitHub account (InMobi)
Host github.com-<work-username>
HostName github.com
AddKeysToAgent yes
UseKeychain yes
IdentityFile <work-ssh-key>
User <work-username># GitHub account (personal)
Host github.com-<personal-username>
HostName github.com
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/<personal-ssh-key>
User <personal-username>
I tested this by cloning out a repository each from the two different accounts on GitHub.com, and it worked like a charm :)
