git ssh authorisation error when accessing bitbucket repo multiple keys

I have multiple ssh keys, using one key for one project. I have successfully assigned the public ssh keys to the relevant repositories inside my bitbucket account.

They are stored in the following location:

~/.ssh/rsa_generic_repos
~/.ssh/rsa_generic_repos.pub
~/.ssh/rsa_project1
~/.ssh/rsa_project1.pub

I then add these keys to my ssh-agent before attempting any git access:

ssh-add ~/.ssh/rsa_generic_repos
ssh-add ~/.ssh/rsa_project1

ssh-add -l - Displays:

4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXX Generic Repo Key (RSA)
4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXX Project 1 Key (RSA)

My Problem:

This works correctly (clones the repo):

git clone git@bitbucket.org:Myusername/generic-repo.com.git

This does not work:

git clone git@bitbucket.org:Myusername/project1.com.git

Error:

Cloning into 'project1'...
repository access denied. deployment key is not associated with the requested repository.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

Yet if I run:

ssh-add -D
ssh-add ~/.ssh/rsa_project1
git clone git@bitbucket.org:Myusername/project1.com.git

It successfully clones the repo which it previously wouldn't. This suggests firstly that the public key is set up on bitbucket correctly and that the ssh daemon is not attempting to use any ssh key other than the first entry therefore resulting in the above error.

If anyone could help me with a way to get ssh to go through all the keys stored in the ssh-agent session I would be tremendously grateful.

Thank you for your help and time.

Beldam answered 12/12, 2017 at 0:50 Comment(10)
Though the SSH protocol supports multiple keys, it also can be configured on the server side to only allow a limited number of login attempts. If Bitbucket is configured that way, it should be changed. Maybe a support ticket? - Establishmentarian
Good idea, I've created a support ticket with Bitbucket. I will post back here with what they have to say. - Beldam
This is what you need: gist.github.com/jexchan/2351996. Read the first comment. - Bunko
Why did you add these keys to specific repos instead of to your account? - Boiney
Because I want one key per project, no single key for account wide access. - Beldam
Access keys are read-only, though. If you ever want to push anything then those will not work. - Boiney
Thanks for letting me know Jim! Luckily I am only using this for provisioning and have no need for pushing. - Beldam
Good to know - lots of people seem to overlook that part of the config page. Anyway, you can either use the link @Bunko posted, or use GIT_SSH_COMMAND="ssh -i /path/to/specific/key" before the clone command (and don't start the ssh-agent on that tty). - Boiney
@GustavMahler, if you're going to put all the keys in the same place anyway, you may as well add one key to the three repos. With git, I create service accounts for least principle because of the limitation of each deploy key being globally unique (a choice I do not begin to understand) - but if at all possible, I combine entities with equivalent access. Your automation could always create a dedicated agent and set the ssh key for each project, too. - Establishmentarian
Thank you all for your input. After some consideration I will be simplifying the ssh key architecture to one single master key as there seem to be many pitfalls. I'm just beginning to learn devops, with ssh keys and the organisation management that comes with it! When I know more, I'm sure I will reorganise the structure, but I just don't know enough yet. - Beldam

The proper way to use multiple ssh keys would be to use a ~/.ssh/config file, as I describe here:

Host bbgeneric
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_generic_repos
    User git

Host bbproject1
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_project1
    User git

And you would use ssh URLs like:

bbgeneric:Myusername/generic-repo.com.git
bbproject1:Myusername/project1.com.git

Using one deployment key is indeed easier, but I wanted to illustrate the config ssh feature which allows you to use any number of keys.

Doerr answered 12/12, 2017 at 5:46 Comment(1)
Fantastic answer, thanks for showing me the .ssh/config! For others reading this you will find this page very helpful too: #7928250 - Beldam

Thanks to VonC's answer.
Here is the working solution I could have used:

~/.ssh/config

Host bitbucket-generic-repos
    HostName bitbucket.org
    IdentityFile ~/.ssh/rsa_generic_repos

Host bitbucket-project1
    HostName bitbucket.org
    IdentityFile ~/.ssh/rsa_project1

The following command gave me an error:

git clone git@bitbucket.org:<MyUsername>/project1.com.git

Replacing the bitbucket.org with the ssh alias defined in ~/.ssh/config in the git command results in the desired behaviour with no errors:

git clone git@bitbucket-project1:<MyUsername>/project1.com.git (works!)
git clone git@bitbucket-generic-repos:<MyUsername>/project1.com.git (also works!)
Beldam answered 6/8, 2018 at 12:42 Comment(1)
Well done. +1. Note that by adding User git in your ~/.ssh/config file, you can remove the git@ part in your URLs. - Doerr
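
A check for the alias approach in the two answers above, as an added example that is not part of the original posts: it scans ssh_config text and reports which aliases for a host lack IdentityFile or `IdentitiesOnly yes`, the option that restricts ssh to the configured identity file instead of also offering every key held by ssh-agent. The sample config is constructed, and `sample_config` and `lint_aliases` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original posts): lint ssh_config text for
# per-repository deploy-key aliases like the ones in the answers above.
# Handles whitespace-separated "Keyword value" lines and single-pattern Host
# lines only; Match blocks and "Keyword=value" syntax are not parsed.

# Constructed sample: the two aliases from the answer, with IdentitiesOnly
# added to only one of them so the check has something to report.
sample_config() {
cat <<'EOF'
Host bbgeneric
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_generic_repos
    IdentitiesOnly yes
    User git

Host bbproject1
    Hostname bitbucket.org
    IdentityFile ~/.ssh/rsa_project1
    User git
EOF
}

# lint_aliases HOSTNAME   (ssh_config text on stdin)
# Prints "<alias> ok" or "<alias> <problem>[,<problem>]" for each Host block
# whose HostName equals HOSTNAME.
lint_aliases() {
    awk -v target="$1" '
    function report(   p) {
        if (alias == "" || tolower(host) != tolower(target)) return
        if (!idfile) p = "no-identityfile"
        if (!idonly) p = (p == "" ? "" : p ",") "no-identitiesonly"
        print alias, (p == "" ? "ok" : p)
    }
    { key = tolower($1) }
    key == "host"           { report(); alias = $2; host = ""; idfile = 0; idonly = 0 }
    key == "hostname"       { host = $2 }
    key == "identityfile"   { idfile = 1 }
    key == "identitiesonly" { idonly = (tolower($2) == "yes") }
    END { report() }
    '
}

sample_config | lint_aliases bitbucket.org
```

To check a real file, pipe it in instead of the sample: `lint_aliases bitbucket.org < ~/.ssh/config`.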

This is how I resolved the issue for macOS; it could help you: check this link.

Ectomere answered 18/3, 2022 at 0:15 Comment(0)