Using a Custom SSH Key to Access a Private Git Repo
This is useful if you have a handful of repos using a different SSH key than your usual default key.
If you have access to a private repo and set up your SSH key with a git provider such as GitHub, GitLab or Bitbucket you can interact with that repo using your SSH key instead of entering your username and password. That’s considered a best practice.
For example with GitHub you can clone a private repo by running:
git clone git@github.com:demo-account/example-repo.git
By default that’s going to use your default SSH key which is probably located at ~/.ssh/id_ed25519 or ~/.ssh/id_rsa depending on what key type you have.
But what if you’re doing isolated contract work with a custom key or you want to use a different SSH key for different repos on the same host such as github.com?
One of the easiest ways to do that is to configure your local git repo to use a custom key. This can be done with an environment variable or a git config option. We’ll cover both ways.
As an alternative you can customize your ~/.ssh/config but I’ve found that strategy to be more complicated for the use case of using different keys for a common host like github.com that you might be using personally too. We won’t be covering this method.
# Using a Custom SSH Key
The demo video goes over creating a local repo and pushing it to a private GitHub repo along with configuring a few SSH keys to test things out but let’s say you have all of that done already.
This will work for cloning, pulling, pushing or whatever you need to do.
## Setting an Environment Variable
GIT_SSH_COMMAND="ssh -i /tmp/custom_key_ed25519 -o IdentitiesOnly=yes" git pull
This is nice for one-off commands since you don’t need to customize a config file. The downside is you’ll likely need to dig through your shell’s history if you want to run it again later.
But still, maybe for your use case you only plan to run the command once. This method is really nice for that.
- -i lets you set the path to a custom private key
- -o IdentitiesOnly=yes ensures the custom key gets used even if you have an SSH key agent running which stores any identities you have loaded in it
## Configuring Git Just for This Repo
git config core.sshCommand "ssh -i /tmp/custom_key_ed25519 -o IdentitiesOnly=yes"
As a quick aside, if you set GIT_SSH_COMMAND it will override the git config option.
This works the same as the environment variable approach except it’s tucked away as a git config option. This requires git 2.10+ which was released in 2016 so chances are you have it.
That will modify the .git/config file for this repo so that when you run commands like git clone, git pull, git push and others you don’t need to set an environment variable or do anything extra.
You can use any git command normally and your custom identity will be used. This is ideal if you plan to interact with this repo more than once since you can set it and forget it.
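A pre-flight check for the ssh command string used by either method, as an added example that is not part of the original post: it confirms that -i points at an existing key ssh will accept and that IdentitiesOnly=yes is set. The function name check_ssh_command is hypothetical, and it assumes -i and -o are passed as separate words with no spaces in the key path.

```shell
# Added example, not from the original post.
# check_ssh_command "<ssh command string>"
# Prints one finding per line and returns 0 only when nothing is wrong.
check_ssh_command() (
  set -f                       # word-split $1 without glob expansion
  key="" ids_only=no problems=0 prev=""
  for word in $1; do
    case "$prev" in
      -i) key=$word ;;
      -o) # ssh option keywords are case-insensitive
          name=$(printf '%s' "${word%%=*}" | tr 'A-Z' 'a-z')
          [ "$name=${word#*=}" = "identitiesonly=yes" ] && ids_only=yes ;;
    esac
    prev=$word
  done

  # git runs the command through a shell, which would expand a leading ~/
  case "$key" in "~/"*) key="$HOME/${key#??}" ;; esac

  if [ -z "$key" ]; then
    echo "no -i given: ssh will offer default and agent identities"
    problems=1
  elif [ ! -f "$key" ]; then
    echo "key file not found: $key"
    problems=1
  elif [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
    # Characters 5-10 of the mode string are the group and other bits
    echo "key accessible by group/other, ssh will refuse it: $key"
    problems=1
  fi

  if [ "$ids_only" != yes ]; then
    echo "IdentitiesOnly=yes missing: agent keys may be offered first"
    problems=1
  fi

  [ "$problems" -eq 0 ]
)
```

Run it as check_ssh_command "$GIT_SSH_COMMAND" for the environment variable method, or check_ssh_command "$(git config --get core.sshCommand)" from inside the repo for the config method.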
You can see an end to end example of how everything works in the video below.
# Demo Video
## Timestamps
- 0:07 – A few use cases
- 1:18 – Creating a local test repo
- 1:40 – Creating 2 different ssh keys
- 2:20 – Creating a private repo on GitHub and pushing our code to it
- 3:29 – Things work initially due to how I have GitHub configured with my SSH key
- 4:08 – Method 1: Setting the GIT_SSH_COMMAND environment variable
- 6:01 – Adding one of the ssh keys as a deploy key on GitHub so we can use it
- 7:47 – Method 2: Setting a local git config option
- 9:11 – Overriding the config option with the environment variable approach
## Code
# Set up a local test repo
mkdir -p /tmp/custom-ssh-key \
&& cd $_ \
&& touch demo \
&& git init \
&& git add -A \
&& git commit -m "Initial commit"
# Create a few SSH key pairs
ssh-keygen -t ed25519 -N "" -f /tmp/allowed_ed25519
ssh-keygen -t ed25519 -N "" -f /tmp/disallowed_ed25519
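# Clean up (ssh-keygen also wrote a .pub file next to each private key)
rm -rf /tmp/custom-ssh-key /tmp/allowed_ed25519 /tmp/allowed_ed25519.pub /tmp/disallowed_ed25519 /tmp/disallowed_ed25519.pub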
What’s your favorite way to use a custom SSH key? Let us know below!