How can I store 2 different private SSH keys for the same host? I have tried 2 entries in /etc/ssh/ssh_config for the same host with the different keys, and I've also tried to put both keys in the same file and reference it from one host's setting; however, neither works.

More detail: I'm running Ubuntu server (12.04) and I want to connect to GitHub via SSH to download the latest source for my projects. There are multiple projects running on the same server and each project has a GitHub repo with its own unique deployment key pair. So the host is always the same (github.com) but the keys need to be different depending on which repo I'm using.

Different /etc/ssh/ssh_config versions I have tried:

Host github.com
    IdentityFile /etc/ssh/my_project_1_github_deploy_key
    StrictHostKeyChecking no
Host github.com
    IdentityFile /etc/ssh/my_project_2_github_deploy_key
    StrictHostKeyChecking no

and this with both keys in the same file:

Host github.com
    IdentityFile /etc/ssh/my_project_github_deploy_keys
    StrictHostKeyChecking no

I've had no luck with either. Any help would be greatly appreciated!

Sencha

2 Answers

I would do it like this:

Host project_1
    HostName github.com
    IdentityFile /etc/ssh/my_project_1_github_deploy_key

Host project_2
    HostName github.com
    IdentityFile /etc/ssh/my_project_2_github_deploy_key

and then use project_1 or project_2 as the host to access the repository.

faker

  • Disabling host key checking is a terrible idea (security wise) and unrelated to the solution you propose. Other than that, it's a good answer. – gertvdijk Dec 19 '12 at 17:02
  • @gertvdijk you are of course correct, edited my answer. – faker Dec 19 '12 at 17:09
  • I've disabled strict host key checking myself because my scripts are automated and it avoids the prompts that occur the first time you connect. Can you recommend a more secure alternative @gertvdijk? – Sencha Dec 19 '12 at 17:10
  • @Sencha add the host key to the known_hosts file; that file can also be specified via `UserKnownHostsFile` in ssh_config – faker Dec 19 '12 at 17:13
  • @faker Ah great, would it be okay to store it in `/etc/known_hosts`? I'd like to keep everything system wide and not locked down to a particular user. – Sencha Dec 19 '12 at 17:24
  • Hmm, it seems the IP is stored in the known_hosts file too. What if Github have multiple IP addresses or they change? Then the automation won't work. – Sencha Dec 19 '12 at 17:29
  • I totally overlooked it was in the question already. Sorry. Maybe we can discuss this in another question. – gertvdijk Dec 19 '12 at 17:31
  • @Sencha I'd go for `/etc/ssh/known_hosts`. And if you want it truly global you can add `GlobalKnownHostsFile` to `/etc/ssh/ssh_config`. Yes if the IP of github.com changes it would break, you could disable that check too via `CheckHostIP`, of course this has impact on the effectiveness of host key checking. – faker Dec 19 '12 at 17:39
  • That's great, thanks for the info! I would have thought that if the public key is valid then I'm happy enough with that level of security regardless of the IP address. To spoof it with DNS they'd still need to have GitHub's private key right? – Sencha Dec 19 '12 at 17:43
  • @Sencha correct. But I also doubt they will change their IP often. – faker Dec 19 '12 at 17:52
  • Okay great, really appreciate the help! – Sencha Dec 19 '12 at 17:58

You can provide multiple identity files that SSH will attempt in sequence until one works or they all fail.

Host github.com
    IdentityFile /etc/ssh/my_project_1_github_deploy_key
    IdentityFile /etc/ssh/my_project_2_github_deploy_key
    StrictHostKeyChecking no

ceejayoz

  • MaxAuthTries must not be set too low serverside (default value is 6, so problems are likely to appear when you reach my_project_6). – Dec 19 '12 at 16:59
  • I've just tried this but it's not working. Whatever is the first identity file works, but when trying to connect with one of the additional identities it fails. – Sencha Dec 19 '12 at 16:59
  • @Sencha Please provide the relevant output of `ssh -vvv` when connecting. Relevant as in what keys are offered and why it is refused. – gertvdijk Dec 19 '12 at 17:04
  • I'm actually doing the commands through `git`, so perhaps that's why it's failing? Perhaps `git` isn't doing the relevant re-attempts? – Sencha Dec 19 '12 at 17:08
  • @Sencha Git just uses the SSH client under water. That's why I suggest running `ssh` yourself in order to check at what point it fails. – gertvdijk Dec 20 '12 at 23:53
  • I find this answer better than having to use a custom url. – Adrian Dec 20 '19 at 04:25