How to Setup Multiple Ssh Keys for Multiple Github/Bitbucket accounts.

Rémi Lavedrine ・ 6 min read

Git Security (2 Part Series)

1) How to Setup Multiple Ssh Keys for Multiple Github/Bitbucket accounts. 2) How to Use GPG to Sign your Commits on Github, Gitlab, Bitbucket

Photos from Jantine Doornbos on Unsplash

Hi everyone,

Every time I get a new computer (which is not that often but often enough to write this), I am "struggling" with Git configuration for the different code repository accounts I have.

And every time I have a new computer, I can't remember what I did a few years/months ago to set it up properly.
So this post is as much for future me as it is for present you, as you are reading it. 🤔


tl;dr

To sum up what we are going to do, we are going to create a bunch of SSH keys for our personal and professional identities on Github, Gitlab and Bitbucket and add them to the SSH-Agent.
Then we are going to configure which key must be used based on the host.
Then we are going to add the relevant keys to the corresponding service (Github, Gitlab and Bitbucket).
So we can clone, push and pull to repositories with the proper identities.
Every command to perform these actions is described below. 👨‍💻 ⬇️
Enjoy. 😎


Introduction

I have personal accounts on GitHub, Bitbucket and GitLab, and I have some work accounts on Github, Gitlab and Bitbucket.
How can I set everything up through SSH keys so that my system picks the proper SSH key based on the identity it has to use?

For this particular post, we are going to connect a personal and a professional identity for each account.
But you can add as many as you need. 😉


🔑 Keys Generation

We are going to create some default identities.

We can use the same SSH key to do that or we can use a specific key per account.
Same key : id_rsa
Specific key per account : id_rsa_github; id_rsa_bitbucket; id_rsa_gitlab

Let's use the "specific key per account" method. It makes the concept clearer for everyone.
We also need the e-mail address that you are using for each of these accounts.
But feel free to do whatever suits your needs. 😉

👨‍💻 🗝️ Personal Keys Generation

✍️ Information Required

Let's sum up what we need in a table.

| - | Default Github | Default Gitlab | Default Bitbucket |
|---|---|---|---|
| SSH Key Name | id_rsa_github | id_rsa_gitlab | id_rsa_bitbucket |
| e-mail | name.github@gmail.com | name.gitlab@gmail.com | name.bitbucket@gmail.com |

🛠️ Keys creation

Let's run these commands to create the SSH keys.

# The key path is left unquoted so that the shell expands ~ to your home directory
ssh-keygen -f ~/.ssh/id_rsa_github -t rsa -b 4096 -C "name.github@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab -t rsa -b 4096 -C "name.gitlab@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket -t rsa -b 4096 -C "name.bitbucket@gmail.com"

Now, we have 3 keys for our personal use.

🏢 🔑 Organization Keys Generation

✍️ Information Required

Let's sum up what we need in a table.

| - | Organization Github | Organization Gitlab | Organization Bitbucket |
|---|---|---|---|
| SSH Key Name | id_rsa_github_companyName | id_rsa_gitlab_companyName | id_rsa_bitbucket_companyName |
| e-mail | name.github@company.com | name.gitlab@company.com | name.bitbucket@company.com |

🛠️ Keys creation

Let's run these commands to create the SSH keys.

# The key path is left unquoted so that the shell expands ~ to your home directory
ssh-keygen -f ~/.ssh/id_rsa_github_companyName -t rsa -b 4096 -C "name.github@company.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab_companyName -t rsa -b 4096 -C "name.gitlab@company.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket_companyName -t rsa -b 4096 -C "name.bitbucket@company.com"

Now, we have 3 keys for our organisation use.

📦 Add the SSH Keys to the SSH-Agent

We now have 6 SSH keys. Let's add them to the SSH-Agent.

# Add the personal keys
ssh-add ~/.ssh/id_rsa_github
ssh-add ~/.ssh/id_rsa_gitlab
ssh-add ~/.ssh/id_rsa_bitbucket

# Add the organisation keys
ssh-add ~/.ssh/id_rsa_github_companyName
ssh-add ~/.ssh/id_rsa_gitlab_companyName
ssh-add ~/.ssh/id_rsa_bitbucket_companyName

So we have in the SSH-Agent the 3 keys for our personal use and the 3 keys for our organisation usage.

Now it is mandatory to set up the configuration that defines which key has to be used depending on the context.


📝 Configuration

Open the ~/.ssh/config file or create it if it doesn't exist yet.

nano ~/.ssh/config

We are going to define some rules based on the hosts.

Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github

Host gitlab.com
  HostName gitlab.com
  IdentityFile ~/.ssh/id_rsa_gitlab

Host bitbucket.org
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_bitbucket


Host companyname.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github_companyName

Host companyname.gitlab.com
  HostName gitlab.com
  IdentityFile ~/.ssh/id_rsa_gitlab_companyName

Host companyname.bitbucket.org
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_bitbucket_companyName

Save and close the file by hitting Ctrl+O (Ctrl+X to exit the file).
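
The configuration above can be checked mechanically. The script below is an added example, not code from the original post: it flags Host blocks that lack an IdentityFile or IdentitiesOnly yes (without the latter, ssh may also offer the other keys held by the agent, and the server identifies the account by whichever key authenticates), and it lists aliases that reach the same HostName. The function names and the sample config are constructed for illustration, and the awk parser only understands plain "Keyword value" lines.

```shell
#!/usr/bin/env bash
# Added example: audit an ssh_config laid out like the one in this post.
# Simplified parser: plain "Keyword value" lines only (no Match, Include,
# wildcard patterns or "key=value" syntax).

audit_ssh_config() {
  awk '
    function emit() {
      if (host == "") return
      if (hn == "") hn = host            # ssh falls back to the alias itself
      n[hn]++; names[hn] = names[hn] " " host
      if (idfile == "")    print "MISSING_IDENTITYFILE " host
      if (idonly != "yes") print "NO_IDENTITIESONLY " host
    }
    { key = tolower($1) }
    key == "host"           { emit(); host = $2; hn = idfile = idonly = "" }
    key == "hostname"       { hn = $2 }
    key == "identityfile"   { idfile = $2 }
    key == "identitiesonly" { idonly = tolower($2) }
    END {
      emit()
      # Aliases that reach the same server: the key offered picks the account.
      for (h in n) if (n[h] > 1) print "SHARED_HOSTNAME " h ":" names[h]
    }
  ' "$1"
}

# Constructed sample: one hardened block, one as in the post, one incomplete.
write_sample_config() {
  cat > "$1" <<'EOF'
Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github
  IdentitiesOnly yes

Host companyname.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github_companyName

Host gitlab.com
  HostName gitlab.com
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_ssh_config "$sample"
rm -f "$sample"
```

Run `audit_ssh_config ~/.ssh/config` against your own file; for the fully resolved settings of a single alias, `ssh -G companyname.github.com` prints what OpenSSH will actually use.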


💭 Add the Keys to your Repositories Accounts

Everything is set up properly locally. Now we have to add the SSH public keys to the services you are using.

On macOS, it is pretty easy to copy an SSH public key to the clipboard.

pbcopy < ~/.ssh/id_rsa.pub

🐙 Github

Let's login to your Github account and go to the account's settings.

Select "SSH and GPG Keys".

Click on the "New SSH Key" button.

1. Add the Personal SSH Key to Github :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_github.pub
  3. Paste it to the content of the key on the Github interface.
  4. Save it clicking on "Add SSH key".

2. Add the Organization SSH Key to Github:

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_github_companyName.pub
  3. Paste it to the content of the key on the Github interface.
  4. Save it clicking on "Add SSH key".

🦊 Gitlab

To be added

🗑️ Bitbucket

Let's log in to your Bitbucket account and go to the account's settings.

Select "Bitbucket Settings" and "SSH Keys".

Click on the "Add key" button.

1. Add the Personal SSH Key to Bitbucket :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_bitbucket.pub
  3. Paste it to the content of the key on the Bitbucket interface.
  4. Save it clicking on "Add key".

2. Add the Organization SSH Key to Bitbucket :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_bitbucket_companyName.pub
  3. Paste it to the content of the key on the Bitbucket interface.
  4. Save it clicking on "Add key".


👨‍👦 Clone Repositories

Now that our setup is in place for all our environments, we can clone repositories from Github, Gitlab or Bitbucket with the proper identity.

👨‍💻 Personal Repositories

So we can clone the projects using a command you should have used numerous times.

git clone git@bitbucket.org:yourPersonalAccount/pet-project.git

With that command, git is using the "default" SSH key. It is the one that was defined for the Host "Host bitbucket.org" in the file ~/.ssh/config.

Then you can pull or push to the repository with that identity.

🏢 Professional Repositories

For your organization projects, you just have to clone the project replacing bitbucket.org with companyname.bitbucket.org (as defined in the ~/.ssh/config file).

git clone git@companyname.bitbucket.org:companyName/company-project.git

So it is the proper identity that is going to be used.
You can then pull or push as many times as you want with the identity of your organization.


I hope that helps you.

Cheers 🍻

This post was inspired by the very good job from Fredrik Andersson on Medium.

Posted on Jul 15 '19 by Rémi Lavedrine (@shostarsson)

Software Dev turned Security Dev. Follow me on dev.to, twitch.tv/shostarsson or youtube.com/shostarsson

Discussion

 

Genuinely curious, why use multiple keys instead of using the same key for all services?

 

Bitbucket won't let me use the same pub key for two different accounts

 

That is bad practice indeed to have the same public key used for two different accounts.
Why don't you want to create 2 key pairs (private/public) and use them on the two different accounts?
Once it is set up, you just have to forget it. So it is not a lot of work to add.

I’m perfectly happy making multiple key pairs. I was just answering the comment question that in that circumstance it is not an option to use the same key.

 

At least for me it's because I use the same computer for work and personal projects.
So I have 2 github accounts, one with email@work.com and the other with email@gmail.com...
Or something...

 

Why not use the same key in that case as well? (Also, "or something" 😂)

Same as Hazael.
And I don't use the same key because from time to time you will have to revoke the key (leaving the company)
In that case you will not have to redo it for all the other accounts. 😉

You're only giving the service your public keys though. No need to "revoke" them. Your employer would likely want to remove your key so you no longer have access, but they would want to do that no matter what key you provided. And even if they left it in, it wouldn't be a security risk to you.

Definitely right.
Nevertheless, for the purpose of that post, I think that it is good to explain things clearly and not to use "implicit" behavior. That is why I used so many keys in that example. When you are familiar with this you are indeed going to use less keys and not remove everything.
And then, I think that your comment would be of great benefit. :-)

@Cully Sometimes you want to use different accounts, in order to isolate the access to the repositories from different devices. In that case (my case) the platform (for example BitBucket) doesn't allow you to share the same public key across different accounts.

A byproduct of doing this is that it's really easy to identify which key does what.

 

Nice post. I've created a Node CLI last month for exact same purpose. It is used for generating ssh keys for using multiple github/bitbucket/gitlab accounts like you've mentioned in the post by answering few questions CLI asks you so you don't have to type those commands when setting this up.

Github repo url : github.com/punitda/ssh-git
npm package url : npmjs.com/package/ssh-git

Though after keys are generated you've to add those to account manually. Working on electron app which will make this process even much more easier.

Note : It(cli) works on Linux(though not thoroughly tested) and MacOS for now. Haven't looked into windows part yet but will soon add support for that.

 

That is nice.
Nevertheless, I am not sure if I would let a third (untrusted) party app add my SSH keys to the services.
It is too sensitive information to leave it to a third party app and then potentially reduce my security. 😄

 

Agree. But, what if,

  1. It is open source?
  2. It doesn't store anything locally. It generates ssh keys, obtains one time token for publishing keys to github/bitbucket/gitlab (doesn't store it locally) and adds generated keys to your account?

Yes, I am sure that it would be very legit and doesn't do anything wrong.
But as a Security person, I can't trust this kind of software. But it's just me. 😄
I am sure that this piece of software would be very useful to a lot that can trust it. 😉

 

If you're already doing commit-signing, then you've likely also got the problem of having multiple GPG keys. You could save yourself some key-management effort by switching from SSH-only keys to using GPG keys for SSH activities (see this article - one of many on the topic).

 

Very interesting, one of my next article is to manage multiple GPG Keys to sign commits and tags. You can see it here.
I will definitely have a look at the article you mentioned.

 

Not sure what I am doing wrong but I always get ERROR: Repository not found. when I try the company version.

My SSH config:

Host company.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_company
  PreferredAuthentications publickey

Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_gmail
  PreferredAuthentications publickey

And I clone with git clone git@company.github.com:company/repo.git

I've verified that both keys are loaded in the ssh agent.

EDIT: Fixed by the good 'ol turning it off and on again, perfect! Thanks for your guide :)

 

Very happy that it worked.

 
 

Hey bro, you helped me to solve my problem, thank you so much :)

 
 

Thank you for this amazing post!
Now I'm able to use multiple SSH Keys in my computer :)

 

Awesome post!! Thanks
It's still a lot config though... :(

Btw, small typo in ~/.ssh/config.

You have github instead of gitlab for company keys.

:)

 
 

Do we really need to add the ssh keys manually to the ssh-agent?
As far as I know if you specify the IdentityFile line for any key in the config, it's automatically added.

 

It is indeed not mandatory.

But I prefer to do it. So that way, when you explain, you understand everything that happens. And nothing is done implicitly that could bring some question in the future (if something goes wrong).