Use different ssh keys for different github repos (per-url sshCommand)

Use different ssh keys for different github repos (per-url sshCommand)

[Basin Ilya]

Hi.

I have two github accounts, one is for my organization and I want git to automatically choose the correct ssh `IdentityFile` based on the clone URL:

    git@github.com:other/publicrepo.git
       ~/.ssh/id_rsa
    git@github.com:theorganization/privaterepo.git
       ~/.ssh/id_rsa.theorganization

Unfortunately, both URLs have same host name, therefore I can't configure this in the ssh client config. I could create a host alias there, but sometimes somebody else gives me the github URL and I want it to work out of the box.

I thought I could add a per-URL `core` section similar to `user` and `http`, but this section is ignored by git (2.18):

    [core "git@github.com:theorganization"]
        sshCommand = /bin/false
        #sshCommand = ssh -i ~/.ssh/id_rsa.theorganization

I thought of writing a wrapper script to deduce the key from the arguments:

    git@github.com git-upload-pack '/theorganization/privaterepo.git'

Is this the only option?

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Ævar Arnfjörð Bjarmason]

On Thu, Jul 19 2018, Basin Ilya wrote:

> Hi.
>
> I have two github accounts, one is for my organization and I want git to automatically choose the correct ssh `IdentityFile` based on the clone URL:
>
>     git@github.com:other/publicrepo.git
>        ~/.ssh/id_rsa
>     git@github.com:theorganization/privaterepo.git
>        ~/.ssh/id_rsa.theorganization
>
> Unfortunately, both URLs have same host name, therefore I can't configure this in the ssh client config. I could create a host alias there, but sometimes somebody else gives me the github URL and I want it to work out of the box.
>
> I thought I could add a per-URL `core` section similar to `user` and `http`, but this section is ignored by git (2.18):
>
>     [core "git@github.com:theorganization"]
>         sshCommand = /bin/false
>         #sshCommand = ssh -i ~/.ssh/id_rsa.theorganization
>
> I thought of writing a wrapper script to deduce the key from the arguments:
>
>     git@github.com git-upload-pack '/theorganization/privaterepo.git'
>
> Is this the only option?

Yes, I had a similar problem a while ago (which I sent an RFC patch for)
which shows a script you can use:
https://public-inbox.org/git/20180103102840.27897-1-avarab@gmail.com/

It would be nice if this were configurable. Instead of the way you
suggested, it would be more general if we supported:

    [Include "remote:git@github.com:theorganization*"]
    path = theorganization.config

Although I'm sure we'd have some interesting chicken & egg problems
there when it comes to bootstrapping the config parsing.

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Sitaram Chamarty]

On Thu, Jul 19, 2018 at 03:24:54PM +0300, Basin Ilya wrote:
> Hi.
> 
> I have two github accounts, one is for my organization and I want git to automatically choose the correct ssh `IdentityFile` based on the clone URL:
> 
>     git@github.com:other/publicrepo.git
>        ~/.ssh/id_rsa
>     git@github.com:theorganization/privaterepo.git
>        ~/.ssh/id_rsa.theorganization
> 
> Unfortunately, both URLs have same host name, therefore I can't configure this in the ssh client config. I could create a host alias there, but sometimes somebody else gives me the github URL and I want it to work out of the box.
> 
> I thought I could add a per-URL `core` section similar to `user` and `http`, but this section is ignored by git (2.18):
> 
>     [core "git@github.com:theorganization"]
>         sshCommand = /bin/false
>         #sshCommand = ssh -i ~/.ssh/id_rsa.theorganization
> 
> I thought of writing a wrapper script to deduce the key from the arguments:
> 
>     git@github.com git-upload-pack '/theorganization/privaterepo.git'
> 
> Is this the only option?

This is what I do (I don't have two accounts on github, but
elsewhere; same idea though)

    # this goes in ~/.ssh/config

    host gh1
        user                git
        hostname            github.com
        identityfile        ~/.ssh/id_rsa_1

    host gh2
        user                git
        hostname            github.com
        identityfile        ~/.ssh/id_rsa_2

Now use "gh1:username/reponame" and "gh2:username/reponame" as
URLs.  It all just works.

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Sitaram Chamarty]

On 07/19/2018 06:52 PM, Sitaram Chamarty wrote:
> On Thu, Jul 19, 2018 at 03:24:54PM +0300, Basin Ilya wrote:
>> Hi.
>>
>> I have two github accounts, one is for my organization and I want git to automatically choose the correct ssh `IdentityFile` based on the clone URL:
>>
>>     git@github.com:other/publicrepo.git
>>        ~/.ssh/id_rsa
>>     git@github.com:theorganization/privaterepo.git
>>        ~/.ssh/id_rsa.theorganization
>>
>> Unfortunately, both URLs have same host name, therefore I can't configure this in the ssh client config. I could create a host alias there, but sometimes somebody else gives me the github URL and I want it to work out of the box.
>>
>> I thought I could add a per-URL `core` section similar to `user` and `http`, but this section is ignored by git (2.18):
>>
>>     [core "git@github.com:theorganization"]
>>         sshCommand = /bin/false
>>         #sshCommand = ssh -i ~/.ssh/id_rsa.theorganization
>>
>> I thought of writing a wrapper script to deduce the key from the arguments:
>>
>>     git@github.com git-upload-pack '/theorganization/privaterepo.git'
>>
>> Is this the only option?
> 
> This is what I do (I don't have two accounts on github, but
> elsewhere; same idea though)

my apologies; I did not read your email fully and went off half-cocked!
Looks like you already tried host aliases and they don't work for you.

Sorry for the noise!

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Jeff King]

On Thu, Jul 19, 2018 at 03:24:54PM +0300, Basin Ilya wrote:

> I have two github accounts, one is for my organization and I want git
> to automatically choose the correct ssh `IdentityFile` based on the
> clone URL:
> 
>     git@github.com:other/publicrepo.git
>        ~/.ssh/id_rsa
>     git@github.com:theorganization/privaterepo.git
>        ~/.ssh/id_rsa.theorganization
> 
> Unfortunately, both URLs have same host name, therefore I can't
> configure this in the ssh client config. I could create a host alias
> there, but sometimes somebody else gives me the github URL and I want
> it to work out of the box.

I think you can hack around this using Git's URL rewriting.

For example, try this:

  git config --global \
    url.gh-other:other/.insteadOf \
    git@github.com:other/

  git config --global \
    url.gh-org:theorganization.insteadOf \
    git@github.com:theorganization/

And then:

  git clone git@github.com:other/publicrepo.git

will hit gh-other, which you can configure using an ssh host alias.

-Peff

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Jeff King]

On Thu, Jul 19, 2018 at 02:50:16PM +0200, Ævar Arnfjörð Bjarmason wrote:

> > I thought of writing a wrapper script to deduce the key from the arguments:
> >
> >     git@github.com git-upload-pack '/theorganization/privaterepo.git'
> >
> > Is this the only option?
> 
> Yes, I had a similar problem a while ago (which I sent an RFC patch for)
> which shows a script you can use:
> https://public-inbox.org/git/20180103102840.27897-1-avarab@gmail.com/
> 
> It would be nice if this were configurable. Instead of the way you
> suggested, it would be more general if we supported:
> 
>     [Include "remote:git@github.com:theorganization*"]
>     path = theorganization.config
> 
> Although I'm sure we'd have some interesting chicken & egg problems
> there when it comes to bootstrapping the config parsing.

I don't think we'd ever support this via the include mechanism. The
idea of "which remote are we looking at" is specific to a particular
part of an operation. Whereas config parsing is generally process-wide,
so it has to be based on a property of the whole process (like "which
directory are we in"). Maybe that's what you meant by chicken and egg.

If we were to make this more configurable, it would probably be more
like existing http.* config, which loads all the config, but then does
URL-specific matching when applying the config to a particular
operation.

-Peff

Re: Use different ssh keys for different github repos (per-url sshCommand)

[Basin Ilya]

Wow, thanks.

For me it was enough to configure just one rewrite, because my public github account is associated with my default key. Note that I added the missing slash and the username:

    git config --global \
      url.git@gh-org:theorganization/.insteadOf \
      git@github.com:theorganization/



19.07.2018 19:42, Jeff King пишет:
> On Thu, Jul 19, 2018 at 03:24:54PM +0300, Basin Ilya wrote:
> 
>> I have two github accounts, one is for my organization and I want git
>> to automatically choose the correct ssh `IdentityFile` based on the
>> clone URL:
>>
>>     git@github.com:other/publicrepo.git
>>        ~/.ssh/id_rsa
>>     git@github.com:theorganization/privaterepo.git
>>        ~/.ssh/id_rsa.theorganization
>>
>> Unfortunately, both URLs have same host name, therefore I can't
>> configure this in the ssh client config. I could create a host alias
>> there, but sometimes somebody else gives me the github URL and I want
>> it to work out of the box.
> 
> I think you can hack around this using Git's URL rewriting.
> 
> For example, try this:
> 
>   git config --global \
>     url.gh-other:other/.insteadOf \
>     git@github.com:other/
> 
>   git config --global \
>     url.gh-org:theorganization.insteadOf \
>     git@github.com:theorganization/
> 
> And then:
> 
>   git clone git@github.com:other/publicrepo.git
> 
> will hit gh-other, which you can configure using an ssh host alias.
> 
> -Peff
>