By default, Git only uses your primary SSH key when cloning. While there’s no way to get Git to try alternate keys if the first key fails, there are a few ways you can force it to use a particular key on a per-repository basis.

Via ssh-agent

ssh-agent bash -c "ssh-add $KEY_FILE && git $COMMAND"

Important

$KEY_FILE must be the full path of a private key (e.g., ~/.ssh/id_rsa or ~/.ssh/gpg_auth_key.pub).

This is useful for running multiple, one-off commands. Note that this method won’t work when used with GPG authentication subkeys.

Via GIT_SSH_COMMAND

With a secret SSH key:

GIT_SSH_COMMAND="ssh -i $KEY_FILE -F /dev/null -o IdentityAgent=none" git $COMMAND

Important

$KEY_FILE must be the full path of a private key (e.g., ~/.ssh/id_rsa or ~/.ssh/gpg_auth_key.pub).

Important

If you’re running ssh-agent, then setting the config directive IdentityAgent=none is important as otherwise the key(s) already stored in the agent will take precedence over $KEY_FILE.

With KeePassXC or a GPG authentication subkey referenced using a public $KEY_FILE, setting IdentityAgent=none is unnecessary:

GIT_SSH_COMMAND="ssh -i $KEY_FILE -F /dev/null" git $COMMAND

Via a config directive

With a secret SSH key:

git config core.sshCommand "ssh -i $KEY_FILE -F /dev/null -o IdentityAgent=none"

Important

$KEY_FILE must be the full path of a private key (e.g., ~/.ssh/id_rsa or ~/.ssh/gpg_auth_key.pub).

Important

If you’re running ssh-agent, then setting the config directive IdentityAgent=none is important as otherwise the key(s) already stored in the agent will take precedence over $KEY_FILE.

With KeePassXC or a GPG authentication subkey referenced using a public $KEY_FILE, setting IdentityAgent=none is unnecessary:

git config core.sshCommand "ssh -i $KEY_FILE -F /dev/null"

This is useful for ongoing work, but only works on existing repositories.
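The GIT_SSH_COMMAND and core.sshCommand variants above can be wrapped so that the IdentityAgent=none decision is made from the key file itself. This is an added example, not part of the original page; the function names are hypothetical, and it assumes a private key file starts with a PEM "BEGIN ... PRIVATE KEY" line while a public key file starts with its key type (ssh-..., ecdsa-..., sk-...).

```shell
# Added example: pick the right ssh options for a key file, then hand them to git.

# Quote a string so it survives the shell that git uses to run the ssh command.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print "private" or "public" based on the first line of the key file.
key_kind() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-*|ecdsa-*|sk-*)               echo public ;;
        *) return 1 ;;
    esac
}

# Build the ssh command line described on this page for one key file.
build_ssh_command() {
    key=$1
    case $key in /*) ;; *) echo "key path must be absolute: $key" >&2; return 2 ;; esac
    [ -r "$key" ] || { echo "cannot read key: $key" >&2; return 2; }
    kind=$(key_kind "$key") || { echo "unrecognised key file: $key" >&2; return 2; }
    cmd="ssh -i $(shell_quote "$key") -F /dev/null"
    # Private key on disk: keep keys already loaded in an agent from taking precedence.
    # Public key: the private half lives in an agent (KeePassXC, GPG), so keep the agent.
    if [ "$kind" = private ]; then
        cmd="$cmd -o IdentityAgent=none"
    fi
    printf '%s\n' "$cmd"
}

# One-off use: git_with_key /abs/path/to/key fetch origin
git_with_key() {
    ssh_cmd=$(build_ssh_command "$1") || return
    shift
    GIT_SSH_COMMAND=$ssh_cmd git "$@"
}

# Ongoing use: run inside an existing repository to pin the key for it.
pin_repo_key() {
    ssh_cmd=$(build_ssh_command "$1") || return
    git config core.sshCommand "$ssh_cmd"
}
```

Because the key path is shell-quoted before it is placed in the command, paths containing spaces work with both functions.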