IdentityFile ignored in ssh configuration

Question

My ssh configuration inside /root/.ssh/config :

Host *
  IdentityFile /root/.ssh/id_rsa_api
  IdentityFile /root/.ssh/id_rsa_ui

I use these keys to be able to clone GitHub repositories. However, only the first IdentityFile (API) works. For the second, it says Repository not found as I start cloning. When I swap the configuration like:

Host *
  IdentityFile /root/.ssh/id_rsa_ui
  IdentityFile /root/.ssh/id_rsa_api

This way I can clone the UI, but not the API. As a consequence, I see that the keys are correct, but the second IdentityFile is always ignored. What could the problem be?

I cannot use ssh-add because I configure ssh inside a Dockerfile and ssh-agent is not running when the container is build.

Answer 1

Do you have any other keys besides the two you've listed in the question? The OpenSSH server sshd will drop a client after too many failed authentication attempts. If you have enough keys, your client may be trying all of them and being dropped before it gets through all of the keys you've listed. Running ssh with the -v parameter will show which keys ssh tries to use to authenticate.

The sshd_config parameter MaxAuthTries determines how many times a client can attempt to authenticate. The default is 6.

If this is the problem, you may be able to avoid it by setting the ssh_config parameter IdentitiesOnly . This prevents your client from using identities that didn't come from the ssh configuration files. Another thing to consider is to use more specific Host or Match directives, so you only apply a key to the specific hosts where the key should be used.

Answer 2

https://developer.github.com/guides/managing-deploy-keys/#deploy-keys

Deploy keys only grant access to a single repository. More complex projects may have many repositories to pull to the same server

So I dropped using deploy keys. Instead I created an ssh key that allows access to all of my private repositories. This way I have a single IdentityFile.