
Multiple SSH keys for Commercial and Community work

Thoughts for the week

It's easy to go down a rabbit hole of your own making when trying to make something complex work. Taking a step back allows a much simpler approach to be considered.

I realised there was a much simpler approach to managing multiple SSH keys, especially when one of those keys is for commercial work that requires Single Sign-On authorisation.

SSH Keys & Git client

There are advantages to using separate SSH keys for work on commercial projects and open source projects.

  • Increased security, as only the SSH key with Single Sign-On (SSO) authorisation can send or receive data from the GitHub commercial Organisation. SSO authorisation should always be required for commercial projects.
  • Increased traceability, as a commit signed with an SSH key carries an identity: the generated key and the email address attached to the key via a comment when it was created, e.g. ssh-keygen -t ed25519 -C "email@domain.com"

Using multiple keys only requires a little extra configuration and helps keep a good separation between commercial and community work.

Multiple Git Identities

A Git client configured for Multiple Git Identities can define a specific SSH key for a subset of projects, e.g. all projects under a company-name directory.

Practicalli recommends SSH keys for commit & tag signing, as the configuration is simpler than PGP key signing.

SSH Keys & GitHub

Multiple SSH keys can be used to push commits to a GitHub account by defining a host for each key in $HOME/.ssh/config.

A host can have a name expressing its purpose, e.g. Host practicalli, Host company-name. Or a host can match all SSH calls with Host *.

Several host definitions can point to the same service, e.g. HostName github.com.

The git remote URL should use the Host name rather than the service URL.

SSH Configuration with Multiple SSH keys

$HOME/.ssh/config
# ------------------------------------------ 
# SSH Configuration - Practicalli
#
# - Remote Clojure Server nREPL connection
# - Multiple SSH Keys for GitHub
# ------------------------------------------ 

# ------------------------------------------ 
# Host Aliases for GitHub Multiple SSH keys
# - HostName is used as connection domain

Host community
  HostName github.com
  IdentityFile ~/.ssh/community

Host commercial
  HostName github.com
  IdentityFile ~/.ssh/commercial

Host engineering
  HostName github.com
  IdentityFile ~/.ssh/practicalli-engineering

Host personal
  HostName github.com
  IdentityFile ~/.ssh/practicalli-johnny
# ------------------------------------------ 

# ------------------------------------------ 
# MacOSX additional configuration

# `UseKeychain` required for MacOSX keychain access
# Host company-name
#   HostName github.com
#   AddKeysToAgent yes
#   UseKeychain yes
#   IdentityFile ~/.ssh/id_ed25519
# ------------------------------------------ 

SSO sign-on

Using multiple Host definitions with SSH keys failed when a GitHub Organisation containing the repository requires Single Sign-on (SSO) authorisation.

Setting the default host, Host * with the key that has SSO authorisation resolves this issue.

SSH Configuration with Default Host

$HOME/.ssh/config
# ------------------------------------------ 
# SSH Configuration - Practicalli
# ------------------------------------------ 

# ------------------------------------------ 
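# Host * matches every host, so these settings (including HostName)
# also apply to SSH connections that are not to GitHub
Host *
  HostName github.com
  IdentityFile ~/.ssh/commercial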

# Host for Community key commented
# Host engineering
#   HostName github.com
#   IdentityFile ~/.ssh/practicalli-engineering
# ------------------------------------------ 
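
The two layouts above can be checked without touching a real account. The following is an added example, not part of the original post: a simplified model of how ssh_config picks HostName and IdentityFile for a host, plus a helper that rewrites a GitHub remote URL to use a Host alias. The function names, the example-org/example-repo remote and the example.org host are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed configs mirroring the two layouts on this page.
ALIASES = """\
Host community
  HostName github.com
  IdentityFile ~/.ssh/community

Host commercial
  HostName github.com
  IdentityFile ~/.ssh/commercial
"""
DEFAULT_HOST = """\
Host *
  HostName github.com
  IdentityFile ~/.ssh/commercial
"""

def resolve(config_text, host):
    """Options ssh_config applies to `host`: the first value found for an
    option wins, IdentityFile values accumulate. Simplified model (an
    assumption of this example): no Match, Include or negated patterns."""
    options, active = {}, True  # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].strip() if rest else "")
        if key == "host":
            active = any(fnmatchcase(host, p) for p in value.split())
        elif active and key == "identityfile":
            options.setdefault(key, []).append(value)
        elif active:
            options.setdefault(key, value)
    return options

def use_alias(remote_url, alias):
    """Rewrite git@github.com:owner/repo.git to git@<alias>:owner/repo.git."""
    user_host, colon, path = remote_url.partition(":")
    user, at, host = user_host.partition("@")
    if not (colon and at) or host != "github.com":
        raise ValueError(f"not a github.com scp-style remote: {remote_url}")
    return f"{user}@{alias}:{path}"

if __name__ == "__main__":
    print(use_alias("git@github.com:example-org/example-repo.git", "commercial"))
    print(resolve(ALIASES, "commercial"))        # alias -> github.com + its key
    print(resolve(ALIASES, "github.com"))        # {}: no alias block applies
    print(resolve(DEFAULT_HOST, "example.org"))  # Host * sets HostName too
```

On a real machine, ssh -G commercial prints the options the OpenSSH client itself resolves for that alias, which can be compared with the model's result.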

Assumption: Pushing can be done with any SSH Key added to GitHub account

Once a commit has been signed by the relevant key, the identity is part of that commit.

Using a different SSH key than was used to sign a commit does not change the commit. As long as an SSH key has been added to the GitHub account that has access, any key can be used.

A specific key is only required when the GitHub Organisation owning a repository requires a key with SSO authorisation.

Project library dependency updates

  • Practicalli Sustainable Life
  • Megalinter update-artifacts v4
  • Practicalli Project Templates
  • add outdated Makefile task from Clojure CLI Config project
  • DeLaGuardo/setup-clojure 12.5
  • actions/cache v4.0.2
  • clj-kondo/clj-kondo 2024.05.24
  • clojure/brew-install 1.11.3.1463
  • greglook/cljstyle 0.16.626
  • io.github.seancorfield/deps-new .7.1
  • lambdaisland/kaocha 1.91.1392
  • org.clojure/clojure 1.11.3

Thank you.
