Configuring Different SSH Keys per Git Repository

SSH keys are a very convenient and secure way to authenticate with Git servers such as GitHub. I used to use a single SSH key for the few private repositories I had, but in the meantime I have accumulated quite a number of SSH keys. Having different SSH keys for different purposes (e.g. personal keys and keys used for client work) makes it simpler for me to organize and rotate keys.

GitHub SAML SSO Error when Accessing a Repository via SSH

Recently, from one day to the next, I ran into an issue while trying to pull from a repository on GitHub.

$ git pull
ERROR: The 'myorg' organization has enabled or enforced SAML SSO. To access
this repository, you must use the HTTPS remote with a personal access token
or SSH with an SSH key and passphrase
that has been whitelisted for this organization. Visit
https://help.github.com/articles/authenticating-to-a-github-organization-with-saml-single-sign-on/ for more information.

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What happened? Wondering whether some setting in the GitHub organization had changed, I debugged the git pull command:

$ GIT_SSH_COMMAND="ssh -v" git pull
# ...
debug1: Offering RSA public key: ~/.ssh/rsa-key-for-different-purpose
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535

So what happened was that Git all of a sudden offered a different SSH key than it did before, and that was the wrong one. In fact, I have enabled multiple SSH keys in my GitHub account, and authorized only one specific key for SAML SSO with that particular organization. My Git client simply didn't pick the key that was allowed to access the repositories of that organization.

Different SSH Configs for Different Repositories

Luckily, we can use SSH config files to enforce the use of a particular SSH key for a particular repository. To do so, we need to set up one SSH config file per SSH key that we want to use, for example:

# ~/.ssh/config-github-client-one
Host github.com
    HostName github.com
    Port 22
    User git
    IdentityFile ~/.ssh/id_rsa_client_one

And a second config file for the other client, which references a different SSH key:

# ~/.ssh/config-github-client-two
Host github.com
    HostName github.com
    Port 22
    User git
    IdentityFile ~/.ssh/id_rsa_client_two

We now have two SSH config files that each use a different SSH key for the same SSH connection. The only thing left to do is to tell Git which of the two files to use for a given repository. This answer on Stack Overflow pointed me in the right direction, so I set a Git config setting in each local repository where I need to use a specific key:

$ cd /development/client-one/awesome-app
$ git config core.sshCommand "ssh -F ~/.ssh/config-github-client-one"
# and now it just works:
$ git pull 

A simple and easy trick that did the job for me.
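
An added example, not part of the original post: the config files above add a key, but ssh may still offer other keys held by ssh-agent first, so this sketch writes the per-client config with IdentitiesOnly yes and checks `ssh -v` output for any offered key other than the pinned one. The function names, paths and sample log are constructed for illustration, and key paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: helper names, paths and SAMPLE_LOG are hypothetical.

# Write a per-client SSH config that pins exactly one key.
# IdentitiesOnly stops ssh from also offering keys held by ssh-agent.
# The body runs in a subshell so the umask change stays local.
write_pinned_config() (   # $1 = config path, $2 = private key path
    umask 077
    cat > "$1" <<EOF
Host github.com
    HostName github.com
    User git
    IdentityFile $2
    IdentitiesOnly yes
EOF
)

# Point the current repository at that config (run inside the repo).
pin_repo() {   # $1 = config path
    git config core.sshCommand "ssh -F $1"
}

# Print the key paths ssh offered, reading `ssh -v` output on stdin.
# Handles "Offering RSA public key: PATH" (the form shown in the post)
# and the newer "Offering public key: PATH TYPE FINGERPRINT ..." form.
offered_keys() {
    sed -n 's/^debug1: Offering .*public key: \([^ ]*\).*/\1/p'
}

# Return 0 only if every offered key is the expected one,
# 1 if another key was offered, 2 if no offer was seen at all.
check_offered() {   # $1 = expected key path, `ssh -v` output on stdin
    keys=$(offered_keys)
    [ -n "$keys" ] || return 2
    unexpected=$(printf '%s\n' "$keys" | grep -Fxv -- "$1" || true)
    [ -z "$unexpected" ]
}

# Constructed sample, modelled on the debug output in the post.
SAMPLE_LOG='debug1: Offering RSA public key: /home/me/.ssh/rsa-key-for-different-purpose
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535'

printf '%s\n' "$SAMPLE_LOG" | check_offered /home/me/.ssh/id_rsa_client_one \
    || echo "unexpected key offered"
```

To run the check against a real repository, pipe the stderr of GIT_SSH_COMMAND="ssh -v -F <config>" git ls-remote into check_offered; GIT_SSH_COMMAND takes precedence over core.sshCommand, so the -F option has to be repeated there.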
