It’s a great idea to use a separate SSH key pair per service (or even per repository). If one key is compromised, it doesn’t give the attacker access to any other service. Unfortunately, these services often assume you’ll use the default key pair (id_rsa).
1. Get Organized
I like to make a folder inside ~/.ssh for each service (GitHub, AWS, Bitbucket, DigitalOcean, etc.) and place that service’s key pairs in it. For example:
    ~/.ssh/
    |- id_rsa
    |- id_rsa.pub
    |
    |- github/
    |  |- workuser
    |  |- workuser.pub
    |  |- other
    |  |- other.pub
    |
    |- bitbucket/
       |- personaluser
       |- personaluser.pub
To actually create the key pairs, use ssh-keygen in the terminal.
2. Upload your public key
All of these services have a settings page for adding SSH public keys. Add yours, and also include a descriptive label if you can. Usually, I describe which computer this public key came from so that I can revoke with confidence later on, if necessary.
3. Find the Git Push endpoint
For bitbucket and github, the endpoint is typically in this format:
Let’s break that down:
- git – everything before ‘@’ is the username for SSH
- github.com – the actual hostname
- brycefisher/defaulterrors.git – path to the git repository
4. Config all the things!
Open up ~/.ssh/config in your favorite text editor. At the end, add a new entry (separated from the previous entry by a blank line):
Choose whatever you want for Host – that’s an alias you can use in ssh. Notice how all the pieces from step 3 above map to this new entry in ~/.ssh/config. In particular, we used everything except the path to the git repo.
5. Add a git remote
Under the hood, git is using SSH, and it can access the alias we created earlier (github) to reach github. Our git remote will have to know the SSH alias and the path to the git repo.
6. Make Sure it Works
If the above command succeeds, you’ll see something like this:
If instead you see:
Then re-check the steps above.
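
Steps 3 to 5 as one script. This is an added example, not code from the original post. The endpoint is assembled from the three parts listed in step 3; the function names, the key path ~/.ssh/github/workuser, the remote name origin and the IdentitiesOnly line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: names and sample values below are constructed for illustration.

# Split an scp-style endpoint (user@host:path, step 3) into EP_USER,
# EP_HOST and EP_PATH. Returns 1 for URL-style or malformed input.
parse_endpoint() {
    case "$1" in
        *://*) return 1 ;;   # ssh:// and https:// URLs are not handled here
        *@*:*) ;;
        *) return 1 ;;
    esac
    EP_USER=${1%%@*}
    rest=${1#*@}
    EP_HOST=${rest%%:*}
    EP_PATH=${rest#*:}
    [ -n "$EP_USER" ] && [ -n "$EP_HOST" ] && [ -n "$EP_PATH" ]
}

# Print the ~/.ssh/config entry for step 4.
# $1 = endpoint, $2 = Host alias, $3 = private key path
ssh_config_entry() {
    parse_endpoint "$1" || return 1
    printf 'Host %s\n' "$2"
    printf '    HostName %s\n' "$EP_HOST"
    printf '    User %s\n' "$EP_USER"
    printf '    IdentityFile %s\n' "$3"
    # Offer only this key, even if ssh-agent holds keys for other services
    printf '    IdentitiesOnly yes\n'
}

# Print the remote for step 5: the Host alias plus the repository path.
alias_remote() {
    parse_endpoint "$1" || return 1
    printf '%s:%s\n' "$2" "$EP_PATH"
}

endpoint='git@github.com:brycefisher/defaulterrors.git'

# Review the entry, then append it to ~/.ssh/config by hand.
ssh_config_entry "$endpoint" github '~/.ssh/github/workuser'

# The matching command to run inside the repository.
echo "git remote add origin $(alias_remote "$endpoint" github)"
```

The script only prints; it does not modify ~/.ssh/config or any repository.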