Rémi Lavedrine

How to Setup Multiple Ssh Keys for Multiple Github/Bitbucket accounts.

Photos from Jantine Doornbos on Unsplash

Hi everyone,

Every time I get a new computer (which is not that often but often enough to write this), I am "struggling" with Git configuration for the different code repository accounts I have.

And every time I have a new computer, I can't remember what I did a few years/months ago to set it up properly.
So this post is as much for future me as it is for present you, as you are reading it. 🤔


tl;dr

To sum up what we are going to do, we are going to create a bunch of SSH keys for our personal and professional identities on Github, Gitlab and Bitbucket and add them to the SSH-Agent.
Then we are going to configure which key must be used based on the host.
Then we are going to add the relevant keys to the corresponding service (Github, Gitlab and Bitbucket).
So we can clone, push and pull to repositories with the proper identities.
Every command to perform these actions is described below. 👨‍💻 ⬇️
Enjoy. 😎


Introduction

I have personal accounts on GitHub, Bitbucket and GitLab, and I have some work accounts on Github, Gitlab and Bitbucket.
How can I set everything up with SSH keys so that my system uses the proper SSH key based on the identity it has to use?

For this particular post, we are going to connect a personal and a professional identity for each account.
But you can add as many as you need. 😉


🔑 Keys Generation

We are going to create some default identities.

We can use the same SSH key to do that or we can use a specific key per account.
Same key : id_rsa
Specific key per account : id_rsa_github; id_rsa_bitbucket; id_rsa_gitlab

Let's use the "specific key per account" method. It makes the concept clearer for everyone.
We also need the e-mail address that you are using for each of these accounts.
But feel free to do whatever suits your needs. 😉

👨‍💻 🗝️ Personal Keys Generation

✍️ Information Required

Let's sum up what we need in a table.

| | Default Github | Default Gitlab | Default Bitbucket |
|---|---|---|---|
| SSH Key Name | id_rsa_github | id_rsa_gitlab | id_rsa_bitbucket |
| e-mail | name.github@gmail.com | name.gitlab@gmail.com | name.bitbucket@gmail.com |

🛠️ Keys creation

Let's run these commands to create the SSH keys.

# The key path is left unquoted so that the shell expands ~ to your home directory
ssh-keygen -f ~/.ssh/id_rsa_github -t rsa -b 4096 -C "name.github@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab -t rsa -b 4096 -C "name.gitlab@gmail.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket -t rsa -b 4096 -C "name.bitbucket@gmail.com"

Now, we have 3 keys for our personal use.

🏢 🔑 Organization Keys Generation

✍️ Information Required

Let's sum up what we need in a table.

| | Organization Github | Organization Gitlab | Organization Bitbucket |
|---|---|---|---|
| SSH Key Name | id_rsa_github_companyName | id_rsa_gitlab_companyName | id_rsa_bitbucket_companyName |
| e-mail | name.github@company.com | name.gitlab@company.com | name.bitbucket@company.com |

🛠️ Keys creation

Let's run these commands to create the SSH keys.

# The key path is left unquoted so that the shell expands ~ to your home directory
ssh-keygen -f ~/.ssh/id_rsa_github_companyName -t rsa -b 4096 -C "name.github@company.com"
ssh-keygen -f ~/.ssh/id_rsa_gitlab_companyName -t rsa -b 4096 -C "name.gitlab@company.com"
ssh-keygen -f ~/.ssh/id_rsa_bitbucket_companyName -t rsa -b 4096 -C "name.bitbucket@company.com"

Now, we have 3 keys for our organisation use.

📦 Add the SSH Keys to the SSH-Agent

We now have 6 SSH keys. Let's add them to the SSH-Agent.

# Add the personal keys
ssh-add ~/.ssh/id_rsa_github
ssh-add ~/.ssh/id_rsa_gitlab
ssh-add ~/.ssh/id_rsa_bitbucket

# Add the organisation keys
ssh-add ~/.ssh/id_rsa_github_companyName
ssh-add ~/.ssh/id_rsa_gitlab_companyName
ssh-add ~/.ssh/id_rsa_bitbucket_companyName

So we have in the SSH-Agent the 3 keys for our personal use and the 3 keys for our organisation usage.

Now we need to set up the configuration that defines which key has to be used depending on the context.


📝 Configuration

Open the ~/.ssh/config file or create it if it doesn't exist yet.

nano ~/.ssh/config

We are going to define some rules based on the hosts.

Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github

Host gitlab.com
  HostName gitlab.com
  IdentityFile ~/.ssh/id_rsa_gitlab

Host bitbucket.org
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_bitbucket


Host companyname.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github_companyName

Host companyname.gitlab.com
  HostName gitlab.com
  IdentityFile ~/.ssh/id_rsa_gitlab_companyName

Host companyname.bitbucket.org
  HostName bitbucket.org
  IdentityFile ~/.ssh/id_rsa_bitbucket_companyName


Save and close the file by hitting Ctrl+O (Ctrl+X to exit the file).
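
With all six keys loaded in the agent, `IdentityFile` only tells ssh which key to try for an alias; unless `IdentitiesOnly yes` is also set, ssh can still fall back to the other agent keys, which belong to a different account. The script below is an added example, not part of the original post: it lists each `Host` alias with its real host name and key, and flags the aliases that are not pinned. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Audit an OpenSSH client config: one tab-separated line per Host block with
# alias, real HostName, first IdentityFile and the IdentitiesOnly setting.
# Simplification: only plain "Host <alias>" blocks with "Key value" lines are
# read; Match blocks, Include files and wildcard patterns are not interpreted.
audit_ssh_config() {
  awk '
    function emit() {
      if (alias != "")
        printf "%s\t%s\t%s\t%s\n", alias, host, key, only
    }
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    {
      k = tolower($1)                  # ssh_config keywords are case-insensitive
      if (k == "host") { emit(); alias = $2; host = $2; key = "-"; only = "no" }
      else if (k == "hostname") host = $2
      else if (k == "identityfile" && key == "-") key = $2
      else if (k == "identitiesonly") only = tolower($2)
    }
    END { emit() }
  ' "$1"
}

# Aliases that name a key but would still let ssh offer other agent keys.
unpinned_aliases() {
  audit_ssh_config "$1" | awk -F '\t' '$3 != "-" && $4 != "yes" { print $1 }'
}

# Constructed sample: the two GitHub entries from this post, the second pinned.
sample_config() {
  cat <<'EOF'
Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github

Host companyname.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_github_companyName
  IdentitiesOnly yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_ssh_config "$tmp"
echo "not pinned: $(unpinned_aliases "$tmp")"
rm -f "$tmp"
```

Run `audit_ssh_config ~/.ssh/config` against your own file; `ssh -G <alias>` prints what OpenSSH itself resolves for a single alias.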


💭 Add the Keys to your Repositories Accounts

Everything is set up properly locally. Now we have to add the SSH public keys to the services you are using.

On macOS, it is pretty easy to copy an SSH key to the clipboard.

pbcopy < ~/.ssh/id_rsa.pub

🐙 Github

Let's login to your Github account and go to the account's settings.

Select "SSH and GPG Keys".

Click on the "New SSH Key" button.

1. Add the Personal SSH Key to Github :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_github.pub
  3. Paste it to the content of the key on the Github interface.
  4. Save it clicking on "Add SSH key".

2. Add the Organization SSH Key to Github:

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_github_companyName.pub
  3. Paste it to the content of the key on the Github interface.
  4. Save it clicking on "Add SSH key".

🦊 Gitlab

To be added

🗑️ Bitbucket

Let's log in to your Bitbucket account and go to the account's settings.

Select "Bitbucket Settings" and "SSH Keys".

Click on the "Add key" button.

1. Add the Personal SSH Key to Bitbucket :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_bitbucket.pub
  3. Paste it to the content of the key on the Bitbucket interface.
  4. Save it clicking on "Add key".

2. Add the Organization SSH Key to Bitbucket :

  1. Define a relevant title for that SSH key, for example "FirstName LastName - MacBook Pro - Organization".
  2. Copy the content of the public key to your clipboard.
    • pbcopy < ~/.ssh/id_rsa_bitbucket_companyName.pub
  3. Paste it to the content of the key on the Bitbucket interface.
  4. Save it clicking on "Add key".


👨‍👦 Clone Repositories

Now that the setup is done for all our environments, we can clone repositories from Github, Gitlab or Bitbucket with the proper identity.

👨‍💻 Personal Repositories

So we can clone the projects using a command you should have used numerous times.

git clone git@bitbucket.org:yourPersonalAccount/pet-project.git

With that command, git is using the "default" SSH key. It is the one that was defined for the host "Host bitbucket.org" in the file ~/.ssh/config.

Then you can pull or push to the repository with that identity.

🏢 Professional Repositories

For your organization projects, you just have to clone the project, replacing bitbucket.org with companyname.bitbucket.org (as defined in the ~/.ssh/config file).

git clone git@companyname.bitbucket.org:companyName/company-project.git

So it is the proper identity that is going to be used.
You can then pull or push as many times as you want with the identity of your organization.


I hope that helps you.

Cheers 🍻

This post was inspired by the very good job from Fredrik Andersson on Medium.



Top comments (29)

Cully Larson

Genuinely curious, why use multiple keys instead of using the same key for all services?

Jacob E. Shore

Bitbucket won't let me use the same pub key for two different accounts

Rémi Lavedrine • Edited

That is bad practice indeed to have the same public key used for two different accounts.
Why don't you want to create 2 key pairs (private/public) and use them on the two different accounts?
Once it is set up, you just have to forget it. So it is not a lot of work to add.

Jacob E. Shore

I’m perfectly happy making multiple key pairs. I was just answering the comment question that in that circumstance it is not an option to use the same key.

Hazael Mojica

At least for me it's because I use the same computer for work and personal projects.
So I have 2 github accounts, one with email@work.com and the other with email@gmail.com...
Or something...

Cully Larson

Why not use the same key in that case as well? (Also, "or something" 😂)

Rémi Lavedrine • Edited

Same as Hazael.
And I don't use the same key because from time to time you will have to revoke the key (leaving the company)
In that case you will not have to redo it for all the other accounts. 😉

Hazael Mojica

Hahahaha your reply made my day

Cully Larson

You're only giving the service your public keys though. No need to "revoke" them. Your employer would likely want to remove your key so you no longer have access, but they would want to do that no matter what key you provided. And even if they left it in, it wouldn't be a security risk to you.

Rémi Lavedrine

Definitely right.
Nevertheless, for the purpose of that post, I think that it is good to explain things clearly and not to use "implicit" behavior. That is why I used so many keys in that example. When you are familiar with this you are indeed going to use less keys and not remove everything.
And then, I think that your comment would be of great benefit. :-)

olistik

@Cully Sometimes you want to use different accounts, in order to isolate the access to the repositories from different devices. In that case (my case) the platform (for example BitBucket) doesn't allow you to share the same public key across different accounts.

Edwrd T

A byproduct of doing this is that it's really easy to identify which key does what.

punit • Edited

Nice post. I've created a Node CLI last month for exact same purpose. It is used for generating ssh keys for using multiple github/bitbucket/gitlab accounts like you've mentioned in the post by answering few questions CLI asks you so you don't have to type those commands when setting this up.

Github repo url : github.com/punitda/ssh-git
npm package url : npmjs.com/package/ssh-git

Though after keys are generated you've to add those to account manually. Working on electron app which will make this process much easier.

Note : It (the CLI) works on Linux (though not thoroughly tested) and MacOS for now. Haven't looked into the Windows part yet but will soon add support for that.

Rémi Lavedrine

That is nice.
Nevertheless, I am not sure if I would let a third (untrusted) party app add my SSH keys to the services.
It is too sensitive information to leave it to a third party app and then potentially reduce my security. 😄

punit

Agree. But, what if,

  1. It is open source?
  2. It doesn't store anything locally. It generates ssh keys, obtains a one-time token for publishing keys to github/bitbucket/gitlab (doesn't store it locally) and adds generated keys to your account?

Rémi Lavedrine

Yes, I am sure that it would be very legit and doesn't do anything wrong.
But as a Security person, I can't trust this kind of software. But it's just me. 😄
I am sure that this piece of software would be very useful to a lot of people that can trust it. 😉

Akash Shyam

This was an absolute lifesaver for me..... thank you a lot

Thomas H Jones II

If you're already doing commit-signing, then you've likely also got the problem of having multiple GPG keys. You could save yourself some key-management effort by switching from SSH-only keys to using GPG keys for SSH activities (see this article - one of many on the topic).

Rémi Lavedrine • Edited

Very interesting, one of my next articles is to manage multiple GPG Keys to sign commits and tags. You can see it here :

I will definitely have a look at the article you mentioned.

Benjamin Staneck • Edited

Not sure what I am doing wrong but I always get ERROR: Repository not found. when I try the company version.

My SSH config:

Host company.github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_company
  PreferredAuthentications publickey

Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_gmail
  PreferredAuthentications publickey

And I clone with git clone git@company.github.com:company/repo.git

I've verified that both keys are loaded in the ssh agent.

EDIT: Fixed by the good 'ol turning it off and on again, perfect! Thanks for your guide :)

Rémi Lavedrine

Very happy that it worked.

Rodolpho Netto

Hey bro, you helped me to solve my problem, thank you so much :)

Rémi Lavedrine

So happy that helps.

Jacob E. Shore

Thanks!

Hazael Mojica

Awesome post!! Thanks
It's still a lot config though... :(

Btw, small typo in ~/.ssh/config.

You have github instead of gitlab for company keys.

:)

Rémi Lavedrine

Thank you for that. ❤️

Federico Babrauskas

Thank you for this amazing post!
Now I'm able to use multiple SSH Keys in my computer :)

aapoorv41@gmail.com

Do we really need to add the ssh keys manually to the ssh-agent?
As far as I know if you specify the IdentityFile line for any key in the config, it's automatically added.

Rémi Lavedrine • Edited

It is indeed not mandatory.

But I prefer to do it. So that way, when you explain, you understand everything that happens. And nothing is done implicitly that could bring some question in the future (if something goes wrong).