Configuring a Different SSH Key per Git Repository
SSH keys are a very convenient and secure way to authenticate with Git servers such as GitHub. I used to use a single SSH key for the few private repositories I had, but in the meantime I have accumulated quite a number of SSH keys. Having different SSH keys for different purposes (e.g. personal keys and keys used for client work) makes it simpler for me to organize and rotate keys.
GitHub SAML SSO Error when Accessing a Repository via SSH
Recently I faced an issue while trying to pull from a repository on GitHub from one day to the other.
$ git pull ERROR: The 'myorg' organization has enabled or enforced SAML SSO. To access this repository, you must use the HTTPS remote with a personal access token or SSH with an SSH key and passphrase that has been whitelisted for this organization. Visit https://help.github.com/articles/authenticating-to-a-github-organization-with-saml-single-sign-on/ for more information. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
What happened? Puzzling about whether some setting at the GitHub organization changed I debugged the
git pull command:
$ GIT_SSH_COMMAND="ssh -v" git pull # ... debug1: Offering RSA public key: ~/.ssh/rsa-key-for-different-purpose debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
So what happened was that Git all of a sudden offered a different SSH key as it did before and that was the wrong one. In fact, I have enabled multiple SSH keys in my GitHub account, and authorized only one specific key for SAML SSO with that particular organization. And my Git client simply didn’t take the key that was allowed to access the repositories from that organization.
Different SSH Configs for Different Repositories
Luckily, we can use SSH config files to enforce the use of a particular SSH key for a particular repository. In order to do so, we’ll need to setup an SSH config file per SSH key that we want to use, so for example:
# ~/.ssh/config-github-client-one Host github.com HostName github.com Port 22 User git IdentityFile ~/.ssh/id_rsa_client_one
And a second config file for the other client, that references a different SSH key:
# ~/.ssh/config-github-client-two Host github.com HostName github.com Port 22 User git IdentityFile ~/.ssh/id_rsa_client_two
We now have two SSH config files that each use a different SSH key for the same SSH connection. The only thing we need to do is to tell Git to use either of the two files for our repository. This answer on StackOverflow pointed me in the right direction, so I set a Git config setting in each local repository where I need to use a specific key:
$ cd /development/client-one/awesome-app $ git config core.sshCommand "ssh -F ~/.ssh/config-github-client-one" # and now it just works: $ git pull
A simple and easy trick that did the job for me.