
> Your Pubkey can be used to cross-match multiple identities. Example: You have different coding personae. One that is activist, one that is company-peon. Different accounts, same SSH pubkey in Github or other server with publicly listed pubkeys --> Same person confirmed.

Doesn’t GitHub only allow a key to be associated with a single account? After all, they use it to authenticate SSH pushes.

The privacy worry here is a little more esoteric — your SSH public key could be used to cross match your GitHub user account with an account on a different system.




I am not sure actually because I do not have any persistent github accounts. I only do them in a throwaway fashion. (Of course Github is making that more annoying by the month, as every other bigcorp site.)


GitHub does require that SSH keys only be used by a single user account.

I shouldn’t have phrased my comment as a question: a former employer required that I use different GH accounts for different purposes, and it was a hassle to get local repositories to use the correct keypair. I recall being annoyed at GH at the time, but since your SSH key is used as an authentication mechanism on SSH pushes, they really can’t let a keypair be associated with multiple accounts.


> and it was a hassle to get local repositories to use the correct keypair

I agree. The way that I deal with this is as follows:

In my ~/.ssh/config I have content that looks like:

    Host gh-company-a
            User git
            HostName github.com
            IdentityFile ~/.ssh/id_ed25519_company_a

    Host gh-acme-inc
            User git
            HostName github.com
            IdentityFile ~/.ssh/id_ed25519_acme_inc

    Host gh-sponges-corp
            User git
            HostName github.com
            IdentityFile ~/.ssh/id_ed25519_sponges_corp
And then instead of

    git clone git@github.com:companya/foo.git
I'd type

    git clone gh-company-a:companya/foo.git
Likewise, instead of

    git clone git@github.com:acmeinc/baz.git
I do

    git clone gh-acme-inc:acmeinc/baz.git
and so on.

With this way of doing it, the correct key pair gets used both for the initial clone and for subsequent pulls and pushes.

I suppose I could make a wrapper program that would take care of the substitution for me, to further reduce the amount of hassle. In fact I might end up doing that. I already have a few wrapper programs for various git commands.


I guess you also need

   IdentitiesOnly yes
in there.

Otherwise all your public keys will be tried regardless.
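
Added example, not part of the thread: a small audit of an ssh config in the style shown above, listing the aliases that set IdentityFile but do not resolve to IdentitiesOnly yes, which is the case where the other keys would still be offered. The function names and the sample config are constructed for illustration, and the parser is a simplification that ignores Match, Include and negated Host patterns.

```python
import fnmatch

# Constructed sample: two aliases from the thread; only the first sets IdentitiesOnly.
SAMPLE_CONFIG = """\
Host gh-company-a
        User git
        HostName github.com
        IdentityFile ~/.ssh/id_ed25519_company_a
        IdentitiesOnly yes

Host gh-acme-inc
        User git
        HostName github.com
        IdentityFile ~/.ssh/id_ed25519_acme_inc
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: first value})]; leading options are global."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    return blocks

def aliases_offering_extra_keys(text):
    """Aliases that pin an IdentityFile but do not resolve to IdentitiesOnly yes."""
    blocks = parse_blocks(text)
    flagged = []
    for patterns, opts in blocks:
        if "identityfile" not in opts:
            continue
        for alias in (p for p in patterns if not set(p) & set("*?!")):
            effective = "no"  # OpenSSH default when the option is never set
            for pats, o in blocks:  # first matching block that sets it wins
                if "identitiesonly" in o and any(fnmatch.fnmatch(alias, p) for p in pats):
                    effective = o["identitiesonly"].lower()
                    break
            if effective != "yes":
                flagged.append(alias)
    return flagged

if __name__ == "__main__":
    print(aliases_offering_extra_keys(SAMPLE_CONFIG))  # ['gh-acme-inc']
```
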


Another way is to set $GIT_SSH_COMMAND when cloning:

  GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519_company_a -o IdentitiesOnly=yes" git clone ...
and then set it in your checkout's .git/config for subsequent fetches & pushes:

  git config core.sshCommand "ssh -i ~/.ssh/id_ed25519_company_a -o IdentitiesOnly=yes"


Right. They always use git@ instead of account@ and there is no further meta in the git remote url. (gut remote url is a funny typo)



