How to use different SSH Keys to access the same Server

This is a fairly esoteric problem; however, after not finding other succinct explanations and spending many hours figuring it out, I thought it worth sharing…

The Problem

When using multiple ssh keys on MacOS 10.6.3, ssh was using the first one configured and ignoring the other identities when going to the same server. I wanted a key for subversion access and a separate key for interactive Admin access.

I finally discovered that this was a client problem due to ssh agent caching of the keys. The agent will ‘try’ an existing key in cache for the same host before asking for a new key, even if you specify a -i or IdentityFile option on the command line, or specify an Identity file in the .ssh/config file.

The Problem Scenario Setup

I wanted to install my own Subversion Repository in my ISP account (bluehost.com).

I installed Subversion on bluehost.com using these instructions.  This would enable me to use Subversion through an SSH tunnel, as I did not have access to create an HTTP connection. My Client is MacOS 10.6.3.

My test command:

svn list svn+ssh://myserver.com/my-repository-name

The first challenge was overcoming the following error:

bash: svnserve: command not found

The above error occurs when the remote tunnel command, ‘svnserve -t’ in this case, is not found in the path on the server. Due to limitations of bluehost.com, I can only have one ssh login, and they do not allow .ssh/environment configuration or have a default path to ~/bin for non-interactive logins. My first attempt to fix this was a solution to modify the command that is being sent by the svn client. This worked on the command line; however, subversion SCM access in Xcode failed with the following error:

Error: 210002 (Network connection closed unexpectedly) Description: Connection closed unexpectedly

This made me realize I needed a server solution, not a client fix. I proceeded with the only other known solution I could find, which called for creating ssh key pairs, and prepending a custom command to the authorized_keys entry on the server, similar to the following, potentially with more security options:

command="~/bin/svnserve -t" ssh-rsa <key…>
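
The post mentions that the forced-command entry could carry more security options. As an added example (not code from the original post), this script reports which authorized_keys entries have a forced command and which of sshd's standard restriction options (no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, or restrict) they lack. The function name and the sample entries with placeholder keys are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify each authorized_keys entry by what its key may do.
audit_authorized_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      opts = ""
      # An entry that does not begin with a key type begins with options.
      if (line !~ /^(ssh-|ecdsa-|sk-)/) {
        inq = 0; n = length(line)
        for (i = 1; i <= n; i++) {
          c = substr(line, i, 1)
          if (c == "\\") { i++; continue }  # skip an escaped character
          if (c == "\"") inq = !inq
          else if (c == " " && !inq) break  # first unquoted space ends options
        }
        opts = tolower(substr(line, 1, i - 1))
      }
      forced = (index("," opts, ",command=\"") > 0)
      bare = opts
      gsub(/"([^"\\]|\\.)*"/, "", bare)     # drop quoted values before matching
      missing = ""
      if (index("," bare ",", ",restrict,") == 0) {
        k = split("no-pty no-port-forwarding no-agent-forwarding no-x11-forwarding", want, " ")
        for (j = 1; j <= k; j++)
          if (index("," bare ",", "," want[j] ",") == 0) missing = missing " " want[j]
      }
      if (!forced)            verdict = "no forced command (interactive shell allowed)"
      else if (missing != "") verdict = "forced command, missing:" missing
      else                    verdict = "forced command, restricted"
      printf "line %d: %s\n", NR, verdict
    }' "$1"
}

# Constructed sample with placeholder key material (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssh-rsa AAAAPLACEHOLDER1 admin-key
command="~/bin/svnserve -t" ssh-rsa AAAAPLACEHOLDER2 svn-key
command="~/bin/svnserve -t",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER3 svn-key
EOF
audit_authorized_keys "$sample"
```

The admin key is expected to show up without a forced command; the point of the check is that the subversion key does not.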

Finally, the root problem for creating this blog entry…was that only the first ssh key created would be recognized and used, and it would be used regardless of what id or subdomain I wanted on the server, even when configuring a client side .ssh/config file.

Now we’re back to the problem at the top of the page…when I log in with ssh using the subversion key, it overrides the admin key, and I’m not able to do an interactive login, and vice versa.

The Solution

The solution has to do with a special option (-k) on the MacOS agent command ssh-add, which enables all keys in the keychain to be put in the cache for use.

Assuming multiple keys are set up on the client in ~/.ssh and the public counterparts on the server in ~/.ssh/authorized_keys or authorized_keys2 if your server requires ssh Protocol 2, then the following MacOS command will enable multiple keys to be used on the same server:

ssh-add -k

That’s it, everything works now, including command-line svn and Xcode Repository access using Xcode 3.2 and Xcode 4.
