how to: set up unique ssh keys per client
This post is part of a series on Git Fundamentals:
- git stores history as a graph
- how to: configure unique SSH keys per client
Git is everywhere these days, in use by a tremendous number of people and organizations.
Sometimes when committing code you want to use a different identity for one set of repositories from another set of repositories. Think a consultant working for multiple clients or contributing to both client work and personal open-source work.
I have found the following pattern useful:
- Configure Your Default Identity
- Configure Client-Specific Git Settings
- Create an Additional Github Account
- Create a Client-Specific SSH Key Pair
- Configure SSH to Respect Your Client-Specific KeyPair
- Clone a Client-Specific Repo
Configure Your Default Identity
Put your default user.name and user.email in your ~/.gitconfig file:
[user]
email = david@spinthemoose.com
name = David Alpert
[includeIf "gitdir:~/projects/client1/"]
path = ~/projects/client1/.gitconfig
This configures git such that:
- my primary identity is personal (david@spinthemoose.com).
- for any repository in a subfolder under ~/projects/client1/... an additional .gitconfig specific to that client is imported.
I use $HOME/projects/ as the root of my development work.
There is nothing special here about where you put your source code.
Make sure that your configuration matches how you have laid out source code on your machine.
Configure Client-Specific Git Settings
In ~/projects/client1/.gitconfig you can override user.name and user.email:
[user]
name = "David Alpert"
email = "david.alpert@client1.com"
[url "client1.github.com:client1/"]
insteadOf = git@github.com:client1/
This will override user.name and user.email when making commits under this ~/projects/client1/... folder.
The [url] part also tells git to use a fake local hostname when the remote URL starts with git@github.com:client1/ (the SSH form; an https:// URL does not match this rule). This will be true for any repo owned by the client1 organization on github.
Create an Additional Github Account
Create a new github account using this client-specific email address as your identity.
Create a Client-Specific SSH Key Pair
- Follow github's instructions to create a new SSH Key pair.
- Give the SSH Key pair a unique name on your local system; I tend to append a suffix like id_rsa_client1
- Add your client-specific public key to your new client-specific github account.
Configure SSH to Respect Your Client-Specific KeyPair
Add a new client-specific host entry in ~/.ssh/config:
Host github.com
Hostname github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519
Host client1.github.com
Hostname github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519_client1
NOTE: the UseKeychain keyword is relevant only on macOS; if you are on Linux or Windows remove that setting.
This tells ssh to match the fake local hostname that you configured as an alias in ~/projects/client and map that back to github.com but use the client-specific IdentityFile.
Clone a Client-Specific Repo
Now when I change directory into that client-specific folder ~/projects/client1/
and clone a repo from the client-specific organization:
git clone git@github.com:client1/some-repo
git will
- use an alias of client1.github.com and then ssh will map that alias back to github.com while using your client-specific SSH keys;
- clone that repo into ~/projects/client1/some-repo;
- use your client-specific user.name and user.email for each commit inside that repo.
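A local check of the setup above, as an added example that is not part of the original post: it rebuilds the two git config files in a throwaway HOME and reports which user.email and which remote URL git resolves inside and outside the client folder. The sandbox layout, the .example addresses and the helper function names are constructed for illustration. It also shows that the insteadOf rule rewrites only the SSH-style git@github.com:client1/ prefix, so an https:// URL for the same repo is left untouched.

```shell
#!/bin/sh
# Added example; every address, name and path below is constructed.

# Run git in directory $2 with $1 as HOME, ignoring system-wide config.
sgit() {
    sb_home=$1; sb_dir=$2; shift 2
    HOME=$sb_home GIT_CONFIG_NOSYSTEM=1 git -C "$sb_dir" "$@"
}

# Build a throwaway HOME with the two config files and one repo per identity.
make_sandbox() {
    sandbox=$(cd "$(mktemp -d)" && pwd -P)   # physical path, no symlinks
    mkdir -p "$sandbox/projects/client1" "$sandbox/projects/personal"
    cat > "$sandbox/.gitconfig" <<'EOF'
[user]
    email = me@personal.example
    name = Example Dev
[includeIf "gitdir:~/projects/client1/"]
    path = ~/projects/client1/.gitconfig
EOF
    cat > "$sandbox/projects/client1/.gitconfig" <<'EOF'
[user]
    email = me@client1.example
[url "client1.github.com:client1/"]
    insteadOf = git@github.com:client1/
EOF
    sgit "$sandbox" "$sandbox" init -q projects/client1/some-repo
    sgit "$sandbox" "$sandbox" init -q projects/personal/other-repo
    echo "$sandbox"
}

# Email that commits made in directory $2 would carry.
effective_email() { sgit "$1" "$2" config user.email; }

# URL git would contact for remote URL $3 (resolved locally, no network).
effective_url() { sgit "$1" "$2" ls-remote --get-url "$3"; }

demo_home=$(make_sandbox)
for repo in projects/client1/some-repo projects/personal/other-repo; do
    echo "$repo commits as $(effective_email "$demo_home" "$demo_home/$repo")"
    for url in git@github.com:client1/some-repo https://github.com/client1/some-repo; do
        echo "  $url -> $(effective_url "$demo_home" "$demo_home/$repo" "$url")"
    done
done
rm -rf "$demo_home"
```

Against your real configuration, running `git config --show-origin user.email` and `git ls-remote --get-url` inside a client repo answers the same two questions before the first push.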
Happy Coding!