christoph ender's


wednesday the 15th of march, 2023

handling multiple ssh identities

Once you're using multiple identities for services like GitHub or GitLab, along with multiple SSH keys for authentication with these systems, you need to tell SSH which of your keys should be used for a new connection. This can be achieved using a combination of the IdentityFile and IdentitiesOnly statements, as in

IdentityFile ~/.ssh/id_ed25519-key02
IdentitiesOnly yes

While the former on its own just adds another key to the set of identities that the SSH client will use for authentication, the latter ensures that only the specified key is used to connect to the given host and that the other keys known to the ssh-agent are ignored.

There's a little catch, however: once a key has been loaded by the local ssh-agent, it is kept in the agent's memory until it is explicitly removed. This isn't a problem as long as you're only initiating ssh connections from your local machine, but once you're using forwarding on a remote system, the agent will use all the keys it has stored locally, not only the one you've specified using IdentityFile for the remote machine you're using forwarding on. To resolve this, you can invoke ssh-add -D to clear the local agent's key storage.
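
To check a client config for the two situations described above, here is an added example (not part of the original post) that flags Host blocks which set IdentityFile without IdentitiesOnly yes, and blocks which turn on agent forwarding. The host aliases, the key01 file name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes "Keyword value" syntax,
# no Include files, and judges each Host block alone (no "Host *" merging).
audit_ssh_config() {    # $1 = path to an ssh client config file
    awk '
        function report() {
            if (idfile && !idonly) { print host ": IdentityFile without IdentitiesOnly yes" }
            if (fwd) { print host ": ForwardAgent yes" }
        }
        BEGIN { host = "(global)" }
        /^[ \t]*(#.*)?$/ { next }          # skip blank lines and comments
        {
            key = tolower($1); val = tolower($2)
            if (key == "host" || key == "match") {
                report()                   # close the previous block
                host = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", host)
                idfile = 0; idonly = 0; fwd = 0
            } else if (key == "identityfile") {
                idfile = 1
            } else if (key == "identitiesonly") {
                idonly = (val == "yes")
            } else if (key == "forwardagent") {
                fwd = (val == "yes")
            }
        }
        END { report() }
    ' "$1"
}

# Constructed sample config; host aliases and the key01 file are made up.
sample_config() {
    cat <<'EOF'
Host github-personal
    HostName github.com
    IdentityFile ~/.ssh/id_ed25519-key01

Host github-work
    HostName github.com
    IdentityFile ~/.ssh/id_ed25519-key02
    IdentitiesOnly yes

Host jumpbox
    IdentityFile ~/.ssh/id_ed25519-key02
    IdentitiesOnly yes
    ForwardAgent yes
EOF
}
```

Run it as `audit_ssh_config ~/.ssh/config`; `ssh -G <host>` prints the effective settings for one host, and `ssh-add -l` lists the keys the agent currently holds.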