SSH Multiple Git Accounts - Stop Fucking Up Your Identity

HTTPS authentication with tokens breaks when tokens expire. Switching Git configs manually means you'll eventually commit your side project to the company repo at 2am.

SSH keys work because each one is tied to exactly one account. GitHub knows which SSH key belongs to which account - no shared credentials, no expiring tokens.

Why This Actually Matters

Personal commits in work repositories trigger security audits. That's how I learned our InfoSec team has way too much time on their hands and will absolutely call you at 9pm about that side project commit. Git's global config doesn't give a shit which remote you're pushing to - it uses whatever user.email you have set globally, even if it's your "420blazeit@gmail.com" address.

SSH keys with host aliases fix this. git push to git@github-work:company/repo.git uses the work key. Push to git@github-personal:username/repo.git uses the personal key. Different keys = different accounts = different identities.

SSH authentication isn't just password replacement - it's identity isolation. Each key links to one account, preventing wrong-identity commits.

The Options That Don't Work

Git credential helpers: Store passwords and tokens that expire every 90 days and break your CI pipeline at 3am on a Friday. Tied to URLs, not identities, so you'll still commit your OnlyFans bot to the company repo.

Git conditional includes: Directory-based switching works until you clone that urgent hotfix to your Desktop instead of your ~/work folder because you're panicking. SSH doesn't give a shit where your repo lives on disk.

Separate machines: VMs consume half your RAM, Docker containers for SSH are engineering masturbation, GitHub Codespaces cost $18/month per workspace. SSH keys on one machine cost zero dollars and actually work.

The Configuration That Actually Works

Your SSH config file (~/.ssh/config) becomes a routing table. Here's mine:

Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-personal
    HostName github.com  
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes

git clone git@github-work:company/repo.git uses the work key. git clone git@github-personal:user/repo.git uses the personal key. `IdentitiesOnly yes` is critical - without it, SSH tries all your keys and GitHub rate-limits you with "too many authentication failures."

This pattern works across GitHub, GitLab, Bitbucket, and whatever Git server your company runs. Stack Overflow has more details if you need them.

Setup takes an hour the first time, 4 hours if you're me and keep forgetting that SSH config syntax is a pedantic asshole about indentation. After that it just works - no password prompts, no "why is my NSFW bot commit in the enterprise repo" Slack messages, no authentication failures when you're trying to push a hotfix at 3am and production is literally on fire.

This configuration avoids the common SSH pitfalls that cause authentication failures and wrong-identity commits.

Step 1: Generate Keys (And Avoid the Footgun)

ED25519 keys are faster and GitHub recommends them. All major platforms support ED25519 as of 2025. RSA keys still work but GitHub disabled RSA SHA-1 signatures in March 2022.

## Work account key - put it in a file you'll remember
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_work -C \"work@company.com\"

## Personal account key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_personal -C \"personal@gmail.com\"

## Client key (if you're freelancing)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_client -C \"freelance@client.com\"

Passphrase decision: SSH key passphrases add security but require typing every time the SSH agent dies (which happens every fucking Tuesday on Linux). For personal machines, skip them. For work laptops, use them because IT security will audit your shit. macOS Keychain integration breaks on every OS update - Monterey 12.3 completely fucked it, and Ventura 13.0 wasn't much better.

Step 2: Write the SSH Config That Doesn't Suck

Create or edit `~/.ssh/config`. This file might not exist yet - that's fine, just create it. Pay attention to the spacing - SSH config is picky about tabs vs spaces.

## Work GitHub - use this for company repos
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes
    AddKeysToAgent yes

## Personal GitHub - use this for your side projects
Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes
    AddKeysToAgent yes

## If you use GitLab for work too
Host gitlab-work
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes
    AddKeysToAgent yes

The magic is in the details:

• `IdentitiesOnly yes` is CRITICAL - without it, SSH tries all your keys and you get \"too many authentication failures\"
• `AddKeysToAgent yes` saves you from typing passphrases repeatedly
• File permissions matter: chmod 600 ~/.ssh/config or SSH will ignore it

SSH config gotchas that will ruin your entire fucking day:

• No tabs, only spaces for indentation (SSH config syntax is a Nazi) - one stray tab and SSH silently ignores your entire config
• File permissions must be 600 (`chmod 600 ~/.ssh/config`) - SSH throws a tantrum if anyone else can read it
• Comments start with # but inline comments break everything because SSH parser was written by sadists
• Host blocks don't inherit from each other like literally every other config format in existence

Step 3: Copy Your Public Keys Like a Human

Copy the public key contents to your clipboard and paste them into each Git service:

## Copy work key to clipboard (macOS)
pbcopy < ~/.ssh/id_ed25519_work.pub

## Linux version  
xclip -selection clipboard < ~/.ssh/id_ed25519_work.pub

## Windows (Git Bash)
clip < ~/.ssh/id_ed25519_work.pub

## Or just display it and copy manually
cat ~/.ssh/id_ed25519_work.pub

Where to paste them:

• GitHub: GitHub.com → Settings → SSH and GPG keys → New SSH key
• GitLab: User Settings → SSH Keys → Add new key
• Bitbucket: Personal settings → SSH keys → Add key

Title the keys something useful like "MacBook Pro Work" or "Personal Laptop" so you remember which machine they're from when you need to rotate them.

Step 4: Fix Your Repository URLs

Change your existing repositories to use the SSH host aliases. If you're still using HTTPS URLs (the https://github.com/... ones), this is why Git keeps asking for passwords.

## Check what you have now
git remote -v

## Fix work repositories to use work SSH alias
git remote set-url origin git@github-work:company/repo.git

## Fix personal repositories to use personal alias  
git remote set-url origin git@github-personal:username/repo.git

Pro tip: For new clones, copy the SSH URL from GitHub but modify the hostname:

• GitHub gives you: git@github.com:user/repo.git
• You want: git@github-work:user/repo.git or git@github-personal:user/repo.git

Step 5: Test It Before You Trust It

This is the step everyone skips and then wonders why nothing works:

## Test work connection - should show your work username
ssh -T git@github-work

## Test personal connection - should show your personal username
ssh -T git@github-personal

If you get "Permission denied (publickey)": This error message is about as helpful as a chocolate teapot. Run ssh -vT git@github-work to see what SSH is actually trying and why it's failing spectacularly.

If it shows the wrong username: Congratulations, you just uploaded your personal key to your work account. We've all done this. Delete the key from the wrong account and upload it to the right one.

Step 6: Stop Fucking Up New Repository Clones

When you clone new repositories, use your SSH aliases instead of the default URLs:

## For work projects
git clone git@github-work:company/new-repo.git

## For personal projects  
git clone git@github-personal:username/side-project.git

The gotcha: GitHub's clone button gives you git@github.com:... - you need to change the hostname to your alias.

The Missing Piece: Git User Configuration

SSH handles authentication, but Git still needs to know your name and email for commits. Either set these per repository:

## In each work repository
git config user.email \"professional@company.com\"
git config user.name \"Professional Name\"

## In each personal repository
git config user.email \"personal@gmail.com\"  
git config user.name \"Real Name\"

Or use Git conditional includes to automatically switch based on directory paths. But honestly, per-repo config is more reliable because you won't clone that emergency hotfix to the wrong folder at 2am when production is down.

When This Inevitably Breaks

Because SSH is SSH, here are the nuclear options for when nothing works:

SSH Agent Resurrection

If SSH stops working entirely, the agent probably died:

## Kill and restart ssh-agent
killall ssh-agent
eval \"$(ssh-agent -s)\"

## Re-add your keys
ssh-add ~/.ssh/id_ed25519_work
ssh-add ~/.ssh/id_ed25519_personal

## Check what's loaded
ssh-add -l

Connection Reuse (Performance Hack)

If SSH connections are slow, enable connection multiplexing:

## Add to ~/.ssh/config for faster connections
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 5m

You need to create the sockets directory first: mkdir -p ~/.ssh/sockets

Corporate Firewall Bypass

If your company blocks SSH (port 22), GitHub supports SSH over HTTPS:

## Add this to your work SSH config
Host github-work
    HostName ssh.github.com
    Port 443
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

This tunnels SSH through port 443, which corporate firewalls usually allow.

That's it. This setup works across macOS, Linux, and Windows (with Git Bash). It scales from 2 accounts to 20 accounts. Once it's working, you can forget about Git authentication entirely and focus on actually writing code.

That's the complete setup process. Once configured, this system handles multiple Git accounts automatically.

SSH keys are more secure than passwords, but they require proper management. Key compromise can lead to supply chain attacks and repository breaches.

Key Management Basics

One key per account, period: Don't reuse SSH keys across accounts on the same platform. GitHub blocks this with "Key is already in use" errors because they're not fucking idiots. GitLab and Bitbucket might let you do stupid things, but that doesn't mean you should.

Rotate keys like you rotate passwords: Every 6-12 months, or immediately when you leave a job. Enterprise policies often require quarterly rotation, which is annoying but reasonable. As of 2025, SOC 2 Type II compliance typically mandates 90-day SSH key rotation for production access.

File permissions matter: SSH is paranoid about file permissions and will ignore your keys if they're world-readable:

## Fix SSH key permissions (run this now)
chmod 600 ~/.ssh/id_ed25519_*       # Private keys: owner-only access
chmod 644 ~/.ssh/id_ed25519_*.pub   # Public keys: world-readable
chmod 600 ~/.ssh/config            # SSH config: owner-only access

Don't put private keys in cloud storage: Unencrypted SSH keys in cloud storage create security vulnerabilities. Use password managers or encrypted storage if you need backups.

SSH Agent: Convenience vs Security

Agent forwarding is risky: SSH agent forwarding exposes your local SSH keys to remote servers. If that server gets compromised, your keys are compromised too:

## Disable agent forwarding by default
Host *
    ForwardAgent no

Time-limited key loading: Don't leave SSH keys loaded in your agent forever:

## Load key with 1-hour timeout
ssh-add -t 3600 ~/.ssh/id_ed25519_work

## Check what's currently loaded
ssh-add -l

## Nuclear option: clear all keys
ssh-add -D

Production key protection: For high-value keys (production access, client work), enable confirmation prompts:

ssh-add -c ~/.ssh/id_ed25519_production
## Now SSH asks "use this key?" before each connection

Corporate Network Bullshit

Firewall bypass: Some companies block SSH port 22 because their security team read a blog post in 2010. GitHub supports SSH over port 443:

Host github-work
    HostName ssh.github.com
    Port 443
    User git
    IdentityFile ~/.ssh/id_ed25519_work

Port 443 is HTTPS, so corporate firewalls can't block it without breaking the entire internet.

VPN interference: Corporate VPNs sometimes break SSH routing. If SSH works at home but not at the office, the VPN is probably doing "deep packet inspection" or routing SSH through a proxy. Try the port 443 workaround above.

When You Leave Your Job

Key cleanup checklist: Don't be the person who still has access to their old company's repositories:

1. Remove work SSH public key from personal GitHub (if you added it there)
2. Delete work SSH private key from your machine: rm ~/.ssh/id_ed25519_work*
3. Clean up SSH config: Remove or comment out work host aliases
4. Clear SSH agent: ssh-add -D to remove loaded keys
5. Check repository access: Make sure you can't still push to company repos

The 2am security call from hell: My buddy got a panicked call at 2am because commits were still hitting production with his SSH key 6 months after he left the company. He had to explain to very angry security people why his personal porn scraper was somehow connected to their CI/CD pipeline. Don't be that person.

If Your SSH Key Gets Compromised

Immediate damage control:

1. Remove public key from all Git services immediately
2. Generate new SSH key pair: ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_work_new
3. Add new public key to services
4. Update SSH config: Point to new key file
5. Notify your team if it's a work key

How keys get compromised (real stories from the trenches):

• Malware scanning your ~/.ssh/ directory while you're mining crypto on company hardware
• Accidentally committing private keys to repositories (happened to my last company, exposed 200+ production servers)
• Laptop theft from coffee shops - especially unencrypted drives
• iCloud/Google Drive syncing your .ssh folder because you enabled "sync everything" like an idiot
• Screen sharing during code reviews with your SSH config file open showing all your key paths
• Docker container escape exposing host filesystem SSH keys (seen this twice in production)

Backup Strategy That Doesn't Suck

What to backup: Your SSH public keys and SSH config file. Private keys should never leave your machine unless encrypted.

How to backup: Most password managers can store SSH public keys and config files as secure notes. 1Password has SSH agent integration that's actually decent.

Don't backup: Private keys to cloud storage. Ever. If you need private key backup, use encrypted disk images or encrypted cloud storage that you control the keys for.

The bottom line: SSH keys are way more secure than passwords, but they're not fucking magic. Follow basic security hygiene and you'll be fine. Ignore security entirely and you'll be explaining to InfoSec at 3am why your furry roleplay bot's SSH key somehow had access to the customer database and why there are commits with the message "UwU fixed the payment processor OwO" in production code.

SSH security practices protect your keys and prevent unauthorized access. Professional-grade Git operations require proper key management and access controls.