I had run into this issue a while back, when I had two Bitbucket accounts and wanted to had to store separate SSH keys for both. This is what worked for me.
I created two separate ssh configurations as follows.
Host personal.bitbucket.org
HostName bitbucket.org
User git
IdentityFile /Users/username/.ssh/personal
Host work.bitbucket.org
HostName bitbucket.org
User git
IdentityFile /Users/username/.ssh/work
Now when I had to clone a repository from my work account - the command was as follows.
Here is the solution that I used inspired from the answer of sajib-khan. The default configuration is not set; it's my personal account on GitLab and the other specified is my company account. Here is what I did:
For those who are working with aws I would highly recommend working with EC2 Instance Connect.
Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH).
With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principles to control SSH access to your instances, removing the need to share and manage SSH keys.
After installing the relevant packages (pip install ec2instanceconnectcli or cloning the repo directly) you can connect very easy to multiple EC2 instances by just changing the instance id:
What is happening behind the scenes?
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata.
The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
(*) Amazon Linux 2 2.0.20190618 or later and Ubuntu 20.04 or later comes preconfigured with EC2 Instance Connect. For other supported Linux distributions, you must set up Instance Connect for every instance that will support using Instance Connect. This is a one-time requirement for each instance.
# Generate key make sure you give it a new name (id_rsa_server2)
ssh-keygen
# Make sure ssh agent is running
eval `ssh-agent`
# Add the new key
ssh-add ~/.ssh/id_rsa_server2
# Get the public key to add it to a remote system for authentication
cat ~/.ssh/id_rsa_server2.pub
On Ubuntu 18.04 (Bionic Beaver) there is nothing to do. Perhaps the same holds for newer version of Ubuntu or Debian systems.
After having created an second SSH key successfully the system will try to find a matching SSH key for each connection.
Just to be clear you can create a new key with these commands:
# Generate key make sure you give it a new name (id_rsa_server2)
ssh-keygen
# Make sure ssh agent is running
eval `ssh-agent`
# Add the new key
ssh-add ~/.ssh/id_rsa_server2
# Get the public key to add it to a remote system for authentication
cat ~/.ssh/id_rsa_server2.pub
Note: If you want to change the host name “pizza” of .ssh/config in the future, go into the Git cloned folder, edit .git/config file URL line (see case B)
Case B: Already have Git clone folder
2.1 Go to the cloned folder, and then go into the .git folder
# Configuration for GitHub to support multiple GitHub keys
Host github.com
HostName github.com
User git
# UseKeychain adds each keys passphrase to the keychain so you
# don't have to enter the passphrase each time.
UseKeychain yes
# AddKeysToAgent would add the key to the agent whenever it is
# used, which might lead to debugging confusion since then
# sometimes the one repository works and sometimes the
# other depending on which key is used first.
# AddKeysToAgent yes
# I only use my private id file so all private
# repositories don't need the environment variable
# `GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa"` to be set.
IdentityFile ~/.ssh/id_rsa
I love the approach to set the following in file ~/.ssh/config:
# Configuration for GitHub to support multiple GitHub keys
Host github.com
HostName github.com
User git
# UseKeychain adds each keys passphrase to the keychain so you
# don't have to enter the passphrase each time.
UseKeychain yes
# AddKeysToAgent would add the key to the agent whenever it is
# used, which might lead to debugging confusion since then
# sometimes the one repository works and sometimes the
# other depending on which key is used first.
# AddKeysToAgent yes
# I only use my private id file so all private
# repositories don't need the environment variable
# `GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa"` to be set.
IdentityFile ~/.ssh/id_rsa
Then in your repository you can create a .env file which contains the ssh command to be used:
GIT_SSH_COMMAND="ssh -i ~/.ssh/your_ssh_key"
If you then use e.g. dotenv the environment environment variable is exported automatically and whoop whoop, you can specify the key you want per project/directory. The passphrase is asked for only once since it is added to the keychain.
This solution works perfectly with Git and is designed to work on a Mac (due to UseKeychain).
You can instruct ssh to try multiple keys in succession when connecting. Here's how:
$ cat ~/.ssh/config
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_rsa_old
IdentityFile ~/.ssh/id_ed25519
# ... and so on
$ ssh server.example.com -v
....
debug1: Next authentication method: publickey
debug1: Trying private key: /home/example/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/example/.ssh/id_rsa_old
debug1: read PEM private key done: type RSA
....
[server ~]$
This way you don't have to specify what key works with which server. It'll just use the first working key.
Also you would only enter a passphrase if a given server is willing to accept the key. As seen above ssh didn't try to ask for a password for .ssh/id_rsa even if it had one.
Surely it doesn't outbeat a per-server configuration as in other answers, but at least you won't have to add a configuration for all and every server you connect to!
The previous answers have properly explained the way to create a configuration file to manage multiple ssh keys. I think, the important thing that also needs to be explained is the replacement of a host name with an alias name while cloning the repository.
Suppose, your company's GitHub account's username is abc1234. And suppose your personal GitHub account's username is jack1234
And, suppose you have created two RSA keys, namely id_rsa_company and id_rsa_personal. So, your configuration file will look like below:
# Company account
Host company
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_company
# Personal account
Host personal
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_personal
Now, when you are cloning the repository(named demo) from the company's GitHub account, the repository URL will be something like:
This is the only purpose of that directive. If you don't need it (e.g. you always copy-paste the git clone command from the website), you can leave it out of the config.
发布评论
评论(21)
我同意 Tuomas 关于使用 ssh-agent 的观点。我还想添加第二个私钥用于工作和 这个教程对我来说就像一个魅力。
步骤如下:
$ ssh-agent bash$ ssh-add /path.to/private/key例如ssh-add ~/.ssh/id_rsa< /code>$ ssh-add -l进行验证$ssh -v进行测试,例如ssh -v [电子邮件受保护]I would agree with Tuomas about using ssh-agent. I also wanted to add a second private key for work and this tutorial worked like a charm for me.
Steps are as below:
$ ssh-agent bash$ ssh-add /path.to/private/keye.gssh-add ~/.ssh/id_rsa$ ssh-add -l$ssh -v <host url>e.gssh -v [email protected]对于 MacO 上的我来说,唯一可行的解决方案就是简单地将其添加到文件
~/.ssh/config中:your_ssh_key没有任何扩展名。不要使用.pub。For me on MacOs, the only working solution was to simply add this in file
~/.ssh/config:your_ssh_keyis without any extension. Don't use.pub.现在,使用最新版本的 Git,我们可以在特定于存储库的 Git 配置文件中指定 sshCommand:
Now, with the recent version of Git, we can specify sshCommand in the repository-specific Git configuration file:
不久前,我遇到了这个问题,当时我有两个 Bitbucket 帐户,并且希望为这两个帐户存储单独的 SSH 密钥。这对我有用。
我创建了两个单独的 ssh 配置,如下所示。
现在,当我必须从我的工作帐户克隆存储库时 - 命令如下。
我必须将此命令修改为:
同样,我的个人帐户中的克隆命令必须修改为
请参阅 此链接了解更多信息。
I had run into this issue a while back, when I had two Bitbucket accounts and wanted to had to store separate SSH keys for both. This is what worked for me.
I created two separate ssh configurations as follows.
Now when I had to clone a repository from my work account - the command was as follows.
I had to modify this command to:
Similarly the clone command from my personal account had to be modified to
Refer this link for more information.
这是我使用的解决方案,灵感来自 sajib-khan 的答案。默认配置没有设置;这是我在 GitLab 上的个人帐户,另一个指定的是我的公司帐户。这就是我所做的:
生成 SSH 密钥
编辑 SSH 配置
删除缓存的 SSH 密钥
测试一下!
使用它!
公司帐户
个人/默认帐户
这是
Here is the solution that I used inspired from the answer of sajib-khan. The default configuration is not set; it's my personal account on GitLab and the other specified is my company account. Here is what I did:
Generate the SSH key
Edit the SSH configuration
Delete the cached SSH key(s)
Test it!
Use it!
Company account
Personal/default account
Here is the source that I used.
使用 ssh-agent 作为您的密钥。
Use ssh-agent for your keys.
您可以在
~/.ssh文件夹中创建一个名为config的配置文件。它可以包含:这将允许您连接到这样的机器
You can create a configuration file named
configin your~/.sshfolder. It can contain:This will allow you to connect to machines like this
对于那些使用 aws 的人,我强烈推荐使用 EC2 Instance Connect。
Amazon EC2 Instance Connect 提供了一种简单安全的方式来使用 Secure Shell (SSH) 连接到您的实例。
通过 EC2 Instance Connect,您可以使用 AWS Identity and Access Management (IAM) 策略和原则控制对实例的 SSH 访问,无需共享和管理 SSH 密钥。
安装相关软件包(
pip install ec2instanceconnectcli或克隆 repo 直接)只需更改实例 ID,即可轻松连接到多个 EC2 实例:幕后发生了什么?
当您使用 EC2 Instance Connect 连接到实例时,Instance Connect API 会推送一次性 SSH 公钥到实例元数据,该元数据将保留 60 秒。附加到您的 IAM 用户的 IAM 策略授权您的 IAM 用户将公钥推送到实例元数据。
SSH 守护程序使用在安装 Instance Connect 时配置的 AuthorizedKeysCommand 和 AuthorizedKeysCommandUser 从实例元数据中查找公钥以进行身份验证,并将您连接到实例。
(*) Amazon Linux 2 2.0.20190618 或更高版本以及 Ubuntu 20.04 或更高版本预配置了 EC2 Instance Connect。
对于其他受支持的 Linux 发行版,您必须为支持使用 Instance Connect 的每个实例设置 Instance Connect。这是每个实例的一次性要求。
链接:
设置 EC2 实例连接
使用 EC2 Instance Connect 进行连接
确保安全使用 Amazon EC2 Instance Connect 的堡垒主机
For those who are working with aws I would highly recommend working with EC2 Instance Connect.
Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH).
With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principles to control SSH access to your instances, removing the need to share and manage SSH keys.
After installing the relevant packages (
pip install ec2instanceconnectclior cloning the repo directly) you can connect very easy to multiple EC2 instances by just changing the instance id:What is happening behind the scenes?
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata.
The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
(*) Amazon Linux 2 2.0.20190618 or later and Ubuntu 20.04 or later comes preconfigured with EC2 Instance Connect.
For other supported Linux distributions, you must set up Instance Connect for every instance that will support using Instance Connect. This is a one-time requirement for each instance.
Links:
Set up EC2 Instance Connect
Connect using EC2 Instance Connect
Securing your bastion hosts with Amazon EC2 Instance Connect
在 Ubuntu 18.04 (Bionic Beaver) 上没有什么可以做的做。
也许对于较新版本的 Ubuntu 或 Debian 系统也是如此。
成功创建第二个 SSH 密钥后,系统将尝试为每个连接查找匹配的 SSH 密钥。
需要明确的是,您可以使用以下命令创建一个新密钥:
On Ubuntu 18.04 (Bionic Beaver) there is nothing to do.
Perhaps the same holds for newer version of Ubuntu or Debian systems.
After having created an second SSH key successfully the system will try to find a matching SSH key for each connection.
Just to be clear you can create a new key with these commands:
正如Atlassian 博客页面中提到的,
在.ssh文件夹中生成config文件,包含以下文本:
然后您可以简单地使用后缀域进行签出,并且在项目中您可以配置作者姓名等本地。
As mentioned on a Atlassian blog page,
generate a config file within the .ssh folder, including the following text:
Then you can simply checkout with the suffix domain and within the projects you can configure the author names, etc. locally.
GitHub 上的多个密钥对
1.0 SSH 配置文件
1.1 创建 ~/.ssh/config
1.2 chmod 600 ~/.ssh/config (必须)
1.3 在文件中输入以下内容:
案例 A:全新的 Git 克隆
使用此命令进行 Git 克隆:
注意:如果您以后想更改 .ssh/config 的主机名“pizza” ,进入 Git 克隆文件夹,编辑 .git/config 文件 URL 行(参见案例 B)
案例 B:已有 Git 克隆文件夹
2.1 进入克隆文件夹,然后进入 .git文件夹
2.2 编辑配置文件
2.3 将 URL 从 *old 更新为 new:
Multiple key pairs on GitHub
1.0 SSH configuration file
1.1 Create ~/.ssh/config
1.2 chmod 600 ~/.ssh/config (must)
1.3 Input the following into the file:
Case A: Fresh new Git clone
Use this command to Git clone:
Note: If you want to change the host name “pizza” of .ssh/config in the future, go into the Git cloned folder, edit .git/config file URL line (see case B)
Case B: Already have Git clone folder
2.1 Go to the cloned folder, and then go into the .git folder
2.2 Edit configuration file
2.3 Update the URL from *old to new:
重要:您必须启动 ssh-agent
在使用 ssh-add 之前,您必须启动 ssh-agent(如果尚未运行),如下所示:
请注意,eval 命令在 Windows 上的 Git Bash。其他环境可能使用变体来启动 SSH 代理。
IMPORTANT: You must start ssh-agent
You must start ssh-agent (if it is not running already) before using ssh-add as follows:
Note that the eval command starts the agent on Git Bash on Windows. Other environments may use a variant to start the SSH agent.
我喜欢在文件 ~/.ssh/config 中设置以下内容的方法:
然后在您的存储库中,您可以创建一个
.env文件,其中包含要使用的ssh命令:如果您随后使用 dotenv 环境变量会自动导出哇哇,您可以为每个项目/目录指定所需的密钥。由于密码被添加到钥匙串中,因此仅需要输入一次密码。
该解决方案与 Git 完美配合,并且设计为在 Mac 上运行(由于
UseKeychain)。I love the approach to set the following in file ~/.ssh/config:
Then in your repository you can create a
.envfile which contains thesshcommand to be used:If you then use e.g. dotenv the environment environment variable is exported automatically and whoop whoop, you can specify the key you want per project/directory. The passphrase is asked for only once since it is added to the keychain.
This solution works perfectly with Git and is designed to work on a Mac (due to
UseKeychain).在运行 OpenSSH_5.3p1 和 OpenSSL 1.0.1e-fips 的 CentOS 6.5 上,我通过以下方式解决了该问题重命名我的关键文件,使它们都没有默认名称。
我的 .ssh 目录包含 id_rsa_foo 和 id_rsa_bar,但没有 id_rsa 等。
On CentOS 6.5 running OpenSSH_5.3p1 and OpenSSL 1.0.1e-fips, I solved the problem by renaming my key files so that none of them had the default name.
My .ssh directory contains id_rsa_foo and id_rsa_bar, but no id_rsa, etc.
您可以尝试这个 sshmulti npm 包来维护多个 SSH 密钥。
You can try this sshmulti npm package for maintaining multiple SSH keys.
从我的
.ssh/config:然后您可以使用以下内容进行连接:
ssh myshortnamessh myother等等。
From my
.ssh/config:Then you can use the following to connect:
ssh myshortnamessh myotherAnd so on.
您可以指示 ssh 在连接时连续尝试多个密钥。方法如下:
这样您就不必指定哪个密钥适用于哪个服务器。它只会使用第一个工作密钥。
此外,仅当给定服务器愿意接受密钥时,您才需要输入密码。如上所示,ssh 不会尝试询问
.ssh/id_rsa的密码,即使它有密码。当然,它不会像其他答案中那样优于每服务器配置,但至少您不必为连接到的所有服务器添加配置!
You can instruct ssh to try multiple keys in succession when connecting. Here's how:
This way you don't have to specify what key works with which server. It'll just use the first working key.
Also you would only enter a passphrase if a given server is willing to accept the key. As seen above ssh didn't try to ask for a password for
.ssh/id_rsaeven if it had one.Surely it doesn't outbeat a per-server configuration as in other answers, but at least you won't have to add a configuration for all and every server you connect to!
前面的答案已经正确解释了创建配置文件来管理多个 ssh 密钥的方法。我认为,还需要解释的重要事情是在克隆存储库时用别名替换主机名。
假设您的公司 GitHub 帐户的用户名是 abc1234。
假设您的个人 GitHub 帐户的用户名是 jack1234
并且,假设您创建了两个 RSA 密钥,即 id_rsa_company 和 id_rsa_personal。因此,您的配置文件将如下所示:
现在,当您从公司的 GitHub 帐户克隆存储库(名为 demo) 时,存储库 URL 将类似于:
现在,在执行 git clone 时,您应该将上述存储库 URL 修改为:
注意 github.com 现在如何替换为别名“company”,如下所示
同样,您必须根据配置文件中提供的别名修改个人帐户中存储库的克隆 URL。
The previous answers have properly explained the way to create a configuration file to manage multiple ssh keys. I think, the important thing that also needs to be explained is the replacement of a host name with an alias name while cloning the repository.
Suppose, your company's GitHub account's username is abc1234.
And suppose your personal GitHub account's username is jack1234
And, suppose you have created two RSA keys, namely id_rsa_company and id_rsa_personal. So, your configuration file will look like below:
Now, when you are cloning the repository (named demo) from the company's GitHub account, the repository URL will be something like:
Now, while doing
git clone, you should modify the above repository URL as:Notice how github.com is now replaced with the alias "company" as we have defined in the configuration file.
Similary, you have to modify the clone URL of the repository in the personal account depending upon the alias provided in the configuration file.
Randal Schwartz 的回答< /a> 几乎一路帮助了我。
我在服务器上有不同的用户名,因此我必须将 User 关键字添加到我的文件中:
现在您可以使用友好名称进行连接:
可以在 OpenSSH 手册页。 注意:列出的某些关键字可能已存在于您的/etc/ssh/ssh_config 文件中。
The answer from Randal Schwartz almost helped me all the way.
I have a different username on the server, so I had to add the User keyword to my file:
Now you can connect using the friendly-name:
More keywords can be found on the OpenSSH man page. NOTE: Some of the keywords listed might already be present in your /etc/ssh/ssh_config file.
确保在添加之前对其进行测试:
如果您遇到任何错误问题,有时更改文件的安全性会有所帮助:
Make sure you test it before adding with:
If you have any problems with errors sometimes changing the security of the file helps:
生成 SSH 密钥:
生成另一个 SSH 密钥:
现在,
~/.ssh/目录中应该存在两个公钥(id_rsa.pub、accountB.pub)。使用以下内容创建配置文件
~/.ssh/config:<前><代码> $ nano ~/.ssh/config
托管 bitbucket.org
用户git
主机名 bitbucket.org
PreferredAuthentications 公钥
身份文件 ~/.ssh/id_rsa
主机 bitbucket-accountB
用户git
主机名 bitbucket.org
PreferredAuthentications 公钥
身份只有是
身份文件 ~/.ssh/accountB
从
默认帐户克隆。从
accountB帐户克隆。注意:由于
User git指令,您可以省略存储库 URL 的git@部分,从而缩短clone命令,如下所示:是该指令的唯一目的。如果您不需要它(例如,您总是从网站复制粘贴 git clone 命令),您可以将其从配置中删除。
在这里查看更多内容
Generate an SSH key:
Generate another SSH key:
Now, two public keys (id_rsa.pub, accountB.pub) should be exists in the
~/.ssh/directory.Create configuration file
~/.ssh/configwith the following contents:Clone from
defaultaccount.Clone from the
accountBaccount.Note: Because of the
User gitdirective, you can omit thegit@portion of the repo URL, shortening yourclonecommand like so:This is the only purpose of that directive. If you don't need it (e.g. you always copy-paste the git clone command from the website), you can leave it out of the config.
See More Here