Photos from Jantine Doornbos on Unsplash
Hi everyone,
Every time I get a new computer (which is not that often but often enough to write this), I am "struggling" with Git configuration for the different code repository accounts I have.
And every time I have a new computer, I can't remember what I did a few years/months ago to set it up properly.
So this post is as much for future me as it is for present you, as you are reading it. 🤔
tl;dr
To sum up what we are going to do, we are going to create a bunch of SSH keys for our personal and professional identities on Github, Gitlab and Bitbucket and add them to the SSH-Agent.
Then we are going to configure which key must be used based on the host.
Then we are going to add the relevant keys to the corresponding service (Github, Gitlab and Bitbucket).
So we can clone, push and pull to repositories with the proper identities.
Every command to perform these actions is described below. 👨💻 ⬇️
Enjoy. 😎
Introduction
I have personal accounts on GitHub, Bitbucket and GitLab and I have some work accounts on Github, Gitlab and Bitbucket.
How can I set everything up through SSH keys so that my system relies on the proper SSH key based on the identity it has to use?
For this particular post, we are going to connect a personal and a professional identity for each account.
But you can add as many as you need. 😉
🔑 Keys Generation
We are going to create some default identities.
We can use the same SSH key to do that or we can use a specific key per account.
Same key : id_rsa
Specific key per account : id_rsa_github; id_rsa_bitbucket; id_rsa_gitlab
Let's use the "specific key per account" method. It will be clearer for everyone to understand the concept then.
Moreover, we need the e-mail address that you are using for each of these accounts.
But feel free to do whatever suits your needs. 😉
👨💻 🗝️ Personal Keys Generation
✍️ Information Required
Let's sum up what we need in a table.
- | Default Github | Default Gitlab | Default Bitbucket |
---|---|---|---|
SSH Key Name | id_rsa_github | id_rsa_gitlab | id_rsa_bitbucket |
E-mail | name.github@gmail.com | name.gitlab@gmail.com | name.bitbucket@gmail.com |
🛠️ Keys creation
Let's run these commands to create the SSH keys. The key path is left unquoted so that the shell expands ~ to your home directory.
ssh-keygen -f ~/.ssh/id_rsa_github -t rsa -b 4096 -C "name.github@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab -t rsa -b 4096 -C "name.gitlab@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket -t rsa -b 4096 -C "name.bitbucket@gmail.com"
Now, we have 3 keys for our personal use.
🏢 🔑 Organization Keys Generation
✍️ Information Required
Let's sum up what we need in a table.
- | Organization Github | Organization Gitlab | Organization Bitbucket |
---|---|---|---|
SSH Key Name | id_rsa_github_companyName | id_rsa_gitlab_companyName | id_rsa_bitbucket_companyName |
E-mail | name.github@company.com | name.gitlab@company.com | name.bitbucket@company.com |
🛠️ Keys creation
Let's run these commands to create the SSH keys (again with the key path unquoted so that ~ is expanded).
ssh-keygen -f ~/.ssh/id_rsa_github_companyName -t rsa -b 4096 -C "name.github@company.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab_companyName -t rsa -b 4096 -C "name.gitlab@company.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket_companyName -t rsa -b 4096 -C "name.bitbucket@company.com"
Now, we have 3 keys for our organisation use.
📦 Add the SSH Keys to the SSH-Agent
We now have 6 SSH keys. Let's add them to the SSH-Agent.
# Add the personal keys
ssh-add ~/.ssh/id_rsa_github
ssh-add ~/.ssh/id_rsa_gitlab
ssh-add ~/.ssh/id_rsa_bitbucket
# Add the organisation keys
ssh-add ~/.ssh/id_rsa_github_companyName
ssh-add ~/.ssh/id_rsa_gitlab_companyName
ssh-add ~/.ssh/id_rsa_bitbucket_companyName
So the SSH-Agent now holds the 3 keys for our personal use and the 3 keys for our organisation use.
Now it is mandatory to set up the configuration in order to define which key has to be used depending on the context.
📝 Configuration
Open the ~/.ssh/config file or create it if it doesn't exist yet.
nano ~/.ssh/config
We are going to define some rules based on the hosts.
Host github.com
    HostName github.com
    IdentityFile ~/.ssh/id_rsa_github

Host gitlab.com
    HostName gitlab.com
    IdentityFile ~/.ssh/id_rsa_gitlab

Host bitbucket.org
    HostName bitbucket.org
    IdentityFile ~/.ssh/id_rsa_bitbucket

Host companyname.github.com
    HostName github.com
    IdentityFile ~/.ssh/id_rsa_github_companyName

Host companyname.gitlab.com
    HostName gitlab.com
    IdentityFile ~/.ssh/id_rsa_gitlab_companyName

Host companyname.bitbucket.org
    HostName bitbucket.org
    IdentityFile ~/.ssh/id_rsa_bitbucket_companyName
Save the file by hitting Ctrl+O, then exit the editor with Ctrl+X.
💭 Add the Keys to your Repositories Accounts
Everything is set up properly locally. Now we have to add the SSH public keys to the services you are using.
On MacOS, it is pretty easy to copy an SSH key to the clipboard.
pbcopy < ~/.ssh/id_rsa.pub
🐙 Github
Let's log in to your Github account and go to the account's settings.
Select "SSH and GPG Keys".
Click on the "New SSH Key" button.
1. Add the Personal SSH Key to Github :
- Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
- Copy the content of the public key to your clipboard.
pbcopy < ~/.ssh/id_rsa_github.pub
- Paste it into the key content field on the Github interface.
- Save it by clicking on "Add SSH key".
2. Add the Organization SSH Key to Github:
- Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
- Copy the content of the public key to your clipboard.
pbcopy < ~/.ssh/id_rsa_github_companyName.pub
- Paste it into the key content field on the Github interface.
- Save it by clicking on "Add SSH key".
🦊 Gitlab
To be added
🗑️ Bitbucket
Let's log in to your Bitbucket account and go to the account's settings.
Select "Bitbucket Settings" and "SSH Keys".
Click on the "Add key" button.
1. Add the Personal SSH Key to Bitbucket :
- Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
- Copy the content of the public key to your clipboard.
pbcopy < ~/.ssh/id_rsa_bitbucket.pub
- Paste it into the key content field on the Bitbucket interface.
- Save it by clicking on "Add key".
2. Add the Organization SSH Key to Bitbucket :
- Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
- Copy the content of the public key to your clipboard.
pbcopy < ~/.ssh/id_rsa_bitbucket_companyName.pub
- Paste it into the key content field on the Bitbucket interface.
- Save it by clicking on "Add key".
👨👦 Clone Repositories
Now that our setup is in place for all our environments, we can clone repositories from Github, Gitlab or Bitbucket with the proper identity.
👨💻 Personal Repositories
So we can clone the projects using a command you should have used numerous times.
git clone git@bitbucket.org:yourPersonalAccount/pet-project.git
With that command, git is using the "default" SSH key. It is the one that was defined for the Host "Host bitbucket.org" in the file ~/.ssh/config.
Then you can pull or push to the repository with that identity.
🏢 Professional Repositories
For your organization projects, you just have to clone the project replacing bitbucket.org with companyname.bitbucket.org (as defined in the ~/.ssh/config file).
git clone git@companyname.bitbucket.org:companyName/company-project.git
So it is the proper identity that is going to be used.
You can then pull or push as many times as you want with the identity of your organization.
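As an added example (not part of the original post), the shell sketch below resolves which Host block and key a Git remote from this page selects, and warns when the block lacks `IdentitiesOnly yes`, in which case ssh may also offer the other keys loaded in the agent. The function names and the sample config are constructed for illustration; it only handles scp-style remotes and exact, non-wildcard Host entries like the ones above.

```shell
# Added example, not from the original post: exact Host entries only.

# resolve_remote CONFIG REMOTE
# prints: alias hostname identityfile identitiesonly (fails if no key is pinned)
resolve_remote() {
    host_alias=${2#*@}              # git@alias:owner/repo.git -> alias:owner/repo.git
    host_alias=${host_alias%%:*}    # -> alias
    awk -v want="$host_alias" '
        { key = tolower($1) }
        key == "host" { inblock = 0; for (i = 2; i <= NF; i++) if ($i == want) inblock = 1; next }
        !inblock { next }
        # As in ssh, the first value obtained for an option wins.
        key == "hostname"       && host == "" { host = $2 }
        key == "identityfile"   && id == ""   { id = $2 }
        key == "identitiesonly" && only == "" { only = tolower($2) }
        END {
            if (id == "") exit 1
            if (host == "") host = want   # no HostName: the alias is the host
            if (only == "") only = "no"   # OpenSSH default
            print want, host, id, only
        }' "$1"
}

# audit_remote CONFIG REMOTE: report the key used and warn if it is not pinned.
audit_remote() {
    result=$(resolve_remote "$1" "$2") || { echo "no pinned key for $2"; return 1; }
    set -- $result
    echo "$1 -> $2 with $3"
    [ "$4" = yes ] || echo "  warning: no IdentitiesOnly yes, other agent keys may be offered too"
}

# Constructed sample: the two Bitbucket blocks from this page, the second one hardened.
write_sample_config() {
    cat > "$1" <<'EOF'
Host bitbucket.org
    HostName bitbucket.org
    IdentityFile ~/.ssh/id_rsa_bitbucket
Host companyname.bitbucket.org
    HostName bitbucket.org
    IdentityFile ~/.ssh/id_rsa_bitbucket_companyName
    IdentitiesOnly yes
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_remote "$cfg" git@bitbucket.org:yourPersonalAccount/pet-project.git
audit_remote "$cfg" git@companyname.bitbucket.org:companyName/company-project.git
rm -f "$cfg"
```

On a real machine, `ssh -G companyname.bitbucket.org` prints the configuration OpenSSH itself resolves for an alias, which is the authoritative check.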
I hope that helps you.
Cheers 🍻
This post was inspired by the very good job from Fredrik Andersson on Medium.
Top comments (29)
Genuinely curious, why use multiple keys instead of using the same key for all services?
Bitbucket won't let me use the same pub key for two different accounts
That is bad practice indeed to have the same public key used for two different accounts.
Why don't you want to create 2 key pairs (private/public) and use them on the two different accounts?
Once it is set up, you just have to forget it. So it is not a lot of work to add.
I’m perfectly happy making multiple key pairs. I was just answering the comment question that in that circumstance it is not an option to use the same key.
At least for me it's because I use the same computer for work and personal projects.
So I have 2 github accounts, one with email@work.com and the other with email@gmail.com...
Or something...
Why not use the same key in that case as well? (Also, "or something" 😂)
Same as Hazael.
And I don't use the same key because from time to time you will have to revoke the key (leaving the company)
In that case you will not have to redo it for all the other accounts. 😉
Hahahaha your reply made my day
You're only giving the service your public keys though. No need to "revoke" them. Your employer would likely want to remove your key so you no longer have access, but they would want to do that no matter what key you provided. And even if they left it in, it wouldn't be a security risk to you.
Definitely right.
Nevertheless, for the purpose of that post, I think that it is good to explain things clearly and not to use "implicit" behavior. That is why I used so many keys in that example. When you are familiar with this you are indeed going to use less keys and not remove everything.
And then, I think that your comment would be of great benefit. :-)
@Cully Sometimes you want to use different accounts, in order to isolate the access to the repositories from different devices. In that case (my case) the platform (for example BitBucket) doesn't allow you to share the same public key across different accounts.
A byproduct of doing this is that it's really easy to identify which key does what.
Nice post. I created a Node CLI last month for the exact same purpose. It is used for generating ssh keys for using multiple github/bitbucket/gitlab accounts like you've mentioned in the post, by answering a few questions the CLI asks you, so you don't have to type those commands when setting this up.
Github repo url : github.com/punitda/ssh-git
npm package url : npmjs.com/package/ssh-git
Though after the keys are generated you have to add them to the account manually. Working on an Electron app which will make this process even easier.
Note: It (the CLI) works on Linux (though not thoroughly tested) and MacOS for now. Haven't looked into the Windows part yet but will soon add support for that.
That is nice.
Nevertheless, I am not sure if I would let a third (untrusted) party app add my SSH keys to the services.
It is too sensitive information to leave it to a third party app and then potentially reduce my security. 😄
Agree. But, what if,
Yes, I am sure that it would be very legit and doesn't do anything wrong.
But as a Security person, I can't trust this kind of software. But it's just me. 😄
I am sure that this piece of software would be very useful to a lot that can trust it. 😉
This was an absolute lifesaver for me..... thank you a lot
If you're already doing commit-signing, then you've likely also got the problem of having multiple GPG keys. You could save yourself some key-management effort by switching from SSH-only keys to using GPG keys for SSH activities (see this article - one of many on the topic).
Very interesting, one of my next articles is to manage multiple GPG Keys to sign commits and tags. You can see it here :
How to Use GPG to Sign your Commits on Github, Gitlab, Bitbucket
Rémi Lavedrine ・ Jul 17 '19 ・ 6 min read
I will definitely have a look at the article you mentioned.
Not sure what I am doing wrong but I always get
ERROR: Repository not found.
when I try the company version. My SSH config:
And I clone with
git clone git@company.github.com:company/repo.git
I've verified that both keys are loaded in the ssh agent.
EDIT: Fixed by the good 'ol turning it off and on again, perfect! Thanks for your guide :)
Very happy that it worked.
Hey bro, you helped me to solve my problem, thank you so much :)
So happy that helps.
Thanks!
Awesome post!! Thanks
It's still a lot of config though... :(
Btw, small typo in ~/.ssh/config.
You have github instead of gitlab for company keys.
:)
Thank you for that. ❤️
Thank you for this amazing post!
Now I'm able to use multiple SSH Keys in my computer :)
Do we really need to add the ssh keys manually to the ssh-agent?
As far as I know if you specify the IdentityFile line for any key in the config, it's automatically added.
It is indeed not mandatory.
But I prefer to do it. So that way, when you explain, you understand everything that happens. And nothing is done implicitly that could bring some question in the future (if something goes wrong).