Reputation: 2396
I have 2 github accounts. One is my personal and the other one is my work account. For both, I want to use ssh authentication when working with the git cli.
My ~/.ssh/config looks like this:

    Host private.github.com
        HostName github.com
        AddKeysToAgent yes
        UseKeychain yes
        IdentityFile ~/.ssh/id_ed25519_personal

    Host github.com
        HostName github.com
        AddKeysToAgent yes
        UseKeychain yes
        IdentityFile ~/.ssh/id_ed25519

    Host *
        AddKeysToAgent yes
        UseKeychain yes
        IdentityFile ~/.ssh/id_rsa

For all of my work repos I use the "normal" git ssh reference, such as git@github.com:openjdk/jdk.git. This works fine, github authenticates me as my work account.
For my private repos I use the domain private.github.com as an alias, which should just be a "marker" to use another ssh-key. As you can see in my ~/.ssh/config, I configured the correct HostName for it.
But when I try to access one of my private git repos, git (ssh) uses my work key for the authentication, sees that there's a github account with that ssh-key configured and continues with that key. But since my work account is not authorized to access my private git repos, it fails after this.
This is the verbose output when doing a git-pull on a private repo: (I added the line numbers myself to refer to them)
1. myuser@somemachine private-project % git pull
2. OpenSSH_8.1p1, LibreSSL 2.7.3
3. debug1: Reading configuration data /Users/myuser/.ssh/config
4. debug1: /Users/myuser/.ssh/config line 1: Applying options for private.github.com
5. debug1: /Users/myuser/.ssh/config line 13: Applying options for *
6. debug1: Reading configuration data /etc/ssh/ssh_config
7. debug1: /etc/ssh/ssh_config line 47: Applying options for *
8. debug1: Connecting to github.com port 22.
9. debug1: Connection established.
10. debug1: identity file /Users/myuser/.ssh/id_ed25519_personal type 3
11. debug1: identity file /Users/myuser/.ssh/id_ed25519_personal-cert type -1
12. debug1: identity file /Users/myuser/.ssh/id_rsa type 0
13. debug1: identity file /Users/myuser/.ssh/id_rsa-cert type -1
14. debug1: Local version string SSH-2.0-OpenSSH_8.1
15. debug1: Remote protocol version 2.0, remote software version babeld-7bdc42c4
16. debug1: no match: babeld-7bdc42c4
17. debug1: Authenticating to github.com:22 as 'git'
18. debug1: SSH2_MSG_KEXINIT sent
19. debug1: SSH2_MSG_KEXINIT received
20. debug1: kex: algorithm: curve25519-sha256
21. debug1: kex: host key algorithm: rsa-sha2-512
22. debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
23. debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
24. debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
25. debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
26. debug1: Host 'github.com' is known and matches the RSA host key.
27. debug1: Found key in /Users/myuser/.ssh/known_hosts:2
28. debug1: rekey out after 134217728 blocks
29. debug1: SSH2_MSG_NEWKEYS sent
30. debug1: expecting SSH2_MSG_NEWKEYS
31. debug1: SSH2_MSG_NEWKEYS received
32. debug1: rekey in after 134217728 blocks
33. debug1: Will attempt key: /Users/myuser/.ssh/id_rsa RSA SHA256:HASH_OF_GLOBAL_KEY explicit agent
34. debug1: Will attempt key: my-work-email ED25519 SHA256:HASH_OF_GITHUB_WORK_KEY agent
35. debug1: Will attempt key: RSA SHA256:HASH_OF_ANOTHER_KEY agent
36. debug1: Will attempt key: /Users/myuser/.ssh/id_ed25519_personal ED25519 SHA256:HASH_OF_GITHUB_PRIVATE_KEY explicit
37. debug1: SSH2_MSG_EXT_INFO received
38. debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
39. debug1: SSH2_MSG_SERVICE_ACCEPT received
40. debug1: Authentications that can continue: publickey
41. debug1: Next authentication method: publickey
42. debug1: Offering public key: /Users/myuser/.ssh/id_rsa RSA SHA256:HASH_OF_GLOBAL_KEY explicit agent
43. debug1: Authentications that can continue: publickey
44. debug1: Offering public key: my-work-email ED25519 SHA256:HASH_OF_GITHUB_WORK_KEY agent
45. debug1: Server accepts key: my-work-email ED25519 SHA256:HASH_OF_GITHUB_WORK_KEY agent
46. debug1: Authentication succeeded (publickey).
47. Authenticated to github.com ([140.82.121.3]:22).
48. debug1: channel 0: new [client-session]
49. debug1: Entering interactive session.
50. debug1: pledge: network
51. debug1: Sending environment.
52. debug1: Sending env LANG = de_DE.UTF-8
53. debug1: Sending command: git-upload-pack 'my-private-github-acc/private-project.git'
54. debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
55. ERROR: Repository not found.
56. debug1: channel 0: free: client-session, nchannels 1
57. fatal: Could not read from remote repository.
58.
59. Please make sure you have the correct access rights
60. and the repository exists.
61. debug1: fd 0 clearing O_NONBLOCK
62. Transferred: sent 2696, received 2208 bytes, in 0.4 seconds
63. Bytes per second: sent 7193.5, received 5891.4
64. debug1: Exit status 1
* and private.github.com)
github.com (not private.github.com), which means the option in my configuration for private.github.com works as expected
private.github.com and *)
* in my config)
(expected)
ssh-add -l)
From now on, I'm in a trap. My ssh client offers my github-work ssh-key to github, which github accepts since it is attached to an account, but this account can't access my private repos.
Why does my ssh client try to use my github-work ssh-key in the first place? I would expect it to use my github-private ssh-key before it uses my github-work ssh-key at least. What can I change to make this work? Anyone with the same problem and maybe a workaround?
Upvotes: 0
Views: 1862
Reputation: 52196
The issue could come from the fact that the IdentityFile option adds an extra key to try, but does not exclude the other ones, and that either your work key has one of the default names (id_ed25519), or you have an ssh-agent running which will present that key when contacting github.com.
Try adding IdentitiesOnly = yes to your private.github.com section
(forwarding suggestion from this answer on SuperUser)
(note: you should probably add this option to both sections)
Upvotes: 3
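
A way to confirm the diagnosis in the answer above from `ssh -v` output, as an added example that is not part of the original posts: it reports whether the key the server accepted was named by IdentityFile or came only from ssh-agent. The function name and both sample logs are constructed for illustration; the first sample reuses the offer/accept lines from the question's log.

```shell
#!/bin/sh
# Classify the key a server accepted in `ssh -v` output (read from stdin).
# OpenSSH tags every candidate key with its origin after the fingerprint:
#   "explicit"        named by IdentityFile in ssh_config
#   "agent"           held by ssh-agent only (suppressed by IdentitiesOnly yes)
#   "explicit agent"  named by IdentityFile and also loaded in the agent
# Prints "<verdict> <fingerprint>", or "none" if no key was accepted.
# Typical use: ssh -vT git@private.github.com 2>&1 | accepted_key_source
accepted_key_source() {
    awk '
        /Server accepts key:/ {
            fp = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) fp = $i
            explicit = 0
            # Origin tags are the fields that follow the fingerprint.
            for (i = NF; i >= 1 && $i !~ /^SHA256:/; i--)
                if ($i == "explicit") explicit = 1
            verdict = explicit ? "configured" : "agent-only"
            found = 1
        }
        END { if (found) print verdict, fp; else print "none" }
    '
}

# Constructed sample: offer/accept lines as they appear in the question.
sample_before() {
    cat <<'EOF'
debug1: Offering public key: /Users/myuser/.ssh/id_rsa RSA SHA256:HASH_OF_GLOBAL_KEY explicit agent
debug1: Offering public key: my-work-email ED25519 SHA256:HASH_OF_GITHUB_WORK_KEY agent
debug1: Server accepts key: my-work-email ED25519 SHA256:HASH_OF_GITHUB_WORK_KEY agent
EOF
}

# Constructed sample: the same step when only IdentityFile keys are offered.
sample_after() {
    cat <<'EOF'
debug1: Offering public key: /Users/myuser/.ssh/id_ed25519_personal ED25519 SHA256:HASH_OF_GITHUB_PRIVATE_KEY explicit
debug1: Server accepts key: /Users/myuser/.ssh/id_ed25519_personal ED25519 SHA256:HASH_OF_GITHUB_PRIVATE_KEY explicit
EOF
}

printf 'before: %s\n' "$(sample_before | accepted_key_source)"
printf 'after:  %s\n' "$(sample_after | accepted_key_source)"
```

An "agent-only" verdict for a host that has its own IdentityFile means a key from the agent was accepted before the configured one was tried, which is the situation IdentitiesOnly is meant to prevent.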