2

I have multiple ssh keys, using one key for one project. I have successfully assigned the public ssh keys to the relevant repositories inside my bitbucket account.

They are stored in the following location:

~/.ssh/rsa_generic_repos
~/.ssh/rsa_generic_repos.pub
~/.ssh/rsa_project1
~/.ssh/rsa_project1.pub

I then add these keys to my ssh-agent before attempting any git access:

ssh-add ~/.ssh/rsa_generic_repos
ssh-add ~/.ssh/rsa_project1

ssh-add -l - Displays:

4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXX Generic Repo Key (RSA)
4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXX Project 1 Key (RSA)

My Problem:

This works correctly (clones the repo):

git clone git@bitbucket.org:Myusername/generic-repo.com.git

This does not work:

git clone git@bitbucket.org:Myusername/project1.com.git

Error:

Cloning into 'project1'...
repository access denied. deployment key is not associated with the requested repository.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

Yet if I run:

ssh-add -D
ssh-add ~/.ssh/rsa_project1
git clone git@bitbucket.org:Myusername/project1.com.git

It successfully clones the repo which it previously wouldn't. This suggests firstly that the public key is set up on bitbucket correctly and that the ssh daemon is not attempting to use any ssh key other than the first entry therefore resulting in the above error.

If anyone could help me with a way to get ssh to go through all the keys stored in the ssh-agent session I would be tremendously grateful.

Thank you for your help and time.

GustavMahler
  • Though the SSH protocol supports multiple keys, it also can be configured on the server side to only allow a limited number of login attempts. If Bitbucket is configured that way, it should be changed. Maybe a support ticket? – erik258 Dec 12 '17 at 01:04
  • Good idea, I've created a support ticket with Bitbucket. I will post back here with what they have to say. – GustavMahler Dec 12 '17 at 01:13
  • This is what you need https://gist.github.com/jexchan/2351996. Read the first comment. – alvits Dec 12 '17 at 01:15
  • Why did you add these keys to specific repos instead of to your account? – Jim Redmond Dec 12 '17 at 01:23
  • Because I want one key per project, no single key for account wide access. – GustavMahler Dec 12 '17 at 01:37
  • Access keys are read-only, though. If you ever want to push anything then those will not work. – Jim Redmond Dec 12 '17 at 01:48
  • Thanks for letting me know Jim! Luckily I am only using this for provisioning and have no need for pushing. – GustavMahler Dec 12 '17 at 01:59
  • Good to know - lots of people seem to overlook that part of the config page. Anyway, you can either use the link @alvits posted, or use `GIT_SSH_COMMAND="ssh -i /path/to/specific/key"` before the clone command (and don't start the ssh-agent on that tty). – Jim Redmond Dec 12 '17 at 02:00
  • 1
    @GustavMahler, if you're going to put all the keys in the same place anyway, you may as well add one key to the three repos. With git, I create service accounts for least principle because of the limitation of each deploy key being globally unique (a choice I do not begin to understand) - but if at all possible, I combine entities with equivalent access. Your automation could always create a dedicated agent and set the ssh key for each project, too. – erik258 Dec 12 '17 at 02:34
  • Thank you all for your input. After some consideration I will be simplifying the ssh key architecture to one single master key as there seem to be many pitfalls. I'm just beginning to learn devops, with ssh keys and the organisation management that comes with it! When I know more, I'm sure I will reorganise the structure, but I just don't know enough yet. – GustavMahler Dec 12 '17 at 02:39
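
The per-command approach from the comments above (`GIT_SSH_COMMAND` with one specific key, bypassing the agent), as an added example that is not part of the original thread. The function names are hypothetical; `IdentitiesOnly` and `IdentityAgent` are standard OpenSSH client options, and the paths in the usage line are the ones from the question.

```sh
# Added example: build a GIT_SSH_COMMAND that offers exactly one deploy key.
# Function names are hypothetical, not part of git or OpenSSH.

# Print an ssh command line pinned to the private key in $1.
# Returns 1 if the key is missing, group/other-accessible, or has a path
# that is unsafe to embed (git re-parses GIT_SSH_COMMAND with a shell).
deploy_key_ssh_command() {
    if [ ! -f "$1" ]; then
        echo "no such key file: $1" >&2
        return 1
    fi
    case $1 in
        *[!A-Za-z0-9_./-]*)
            echo "refusing $1: path contains shell-unsafe characters" >&2
            return 1 ;;
    esac
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    if [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]; then
        echo "refusing $1: group/other permission bits are set" >&2
        return 1
    fi
    # IdentitiesOnly=yes : offer only the -i key, never other agent keys.
    # IdentityAgent=none : do not consult ssh-agent at all for this call.
    printf 'ssh -i %s -o IdentitiesOnly=yes -o IdentityAgent=none' "$1"
}

# Clone URL $2 using only key $1; extra arguments are passed to git clone.
clone_with_key() {
    ssh_cmd=$(deploy_key_ssh_command "$1") || return 1
    url=$2
    shift 2
    GIT_SSH_COMMAND=$ssh_cmd git clone "$url" "$@"
}

# Usage (paths as in the question):
#   clone_with_key ~/.ssh/rsa_project1 git@bitbucket.org:Myusername/project1.com.git
```

Because the agent is never consulted, the server only ever sees the key named on the command line, so the order of keys loaded in `ssh-agent` no longer matters.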

3 Answers

1

The proper way to use multiple ssh keys would be to use a ~/.ssh/config file, as I describe here:

Host bbgeneric
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_generic_repos
    User git

Host bbproject1
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_project1
    User git

And you would use SSH URLs like:

bbgeneric:Myusername/generic-repo.com.git
bbproject1:Myusername/project1.com.git

Using one deployment key is indeed easier, but I wanted to illustrate the config ssh feature which allows you to use any number of keys.

VonC
  • Fantastic answer, thanks for showing me the .ssh/config! For others reading this you will find this page very helpful too: https://stackoverflow.com/questions/7927750/specify-an-ssh-key-for-git-push-for-a-given-domain – GustavMahler Aug 06 '18 at 12:54
1

Thanks to VonC's answer.
Here is the working solution I could have used:

~/.ssh/config

Host bitbucket-generic-repos
    HostName bitbucket.org
    IdentityFile ~/.ssh/rsa_generic_repos

Host bitbucket-project1
    HostName bitbucket.org
    IdentityFile ~/.ssh/rsa_project1

The following command gave me an error:

git clone git@bitbucket.org:<MyUsername>/project1.com.git

Replacing the bitbucket.org with the ssh alias defined in ~/.ssh/config in the git command results in the desired behaviour with no errors:

git clone git@bitbucket-project1:<MyUsername>/project1.com.git  # works!
git clone git@bitbucket-generic-repos:<MyUsername>/project1.com.git  # also works!

GustavMahler
  • 1
    Well done. +1. Note that by adding `User git` in your `~/.ssh/config` file, you can remove the `git@` part in your URLs. – VonC Aug 06 '18 at 12:59
0

This is how I resolved the issue for macOS; it could help you: check this link.

Gastón Antonio Montes