By default, Git only uses you primary SSH key when cloning. While there’s no way to get git to try alternate keys if the first key fails, there are a few ways you can force it to use a particular key on a per-repository basis.
Via ssh-agent
ssh-agent bash -c "ssh-add $KEY_FILE && git $COMMAND"Important
$KEY_FILEmust be the full path of a private key (e.g.,~/.ssh/id_rsaor~/.ssh/gpg_auth_key.pub).
This is useful for running multiple, one-off commands. Note that this method won’t work when used with GPG authentication subkeys.
Via GIT_SSH_COMMAND
With a secret SSH key:
GIT_SSH_COMMAND="ssh -i $KEY_FILE -F /dev/null -o IdentityAgent=none" git $COMMANDImportant
$KEY_FILEmust be the full path of a private key (e.g.,~/.ssh/id_rsaor~/.ssh/gpg_auth_key.pub).
Important
If you’re running ssh-agent, then setting the config directive
IdentityAgent=noneis important as otherwise the key(s) already stored in the agent will take precedence over$KEY_FILE.
With KeePassXC or a GPG authentication subkey referenced using a public $KEY_FILE, setting IdentityAgent=none is unnecessary:
GIT_SSH_COMMAND="ssh -i $KEY_FILE -F /dev/null" git $COMMANDVia a config directive
With a secret SSH key:
git config core.sshCommand "ssh -i $PUBLIC_KEY_FILE -F /dev/null -o IdentityAgent=none"Important
$KEY_FILEmust be the full path of a private key (e.g.,~/.ssh/id_rsaor~/.ssh/gpg_auth_key.pub).
Important
If you’re running ssh-agent, then setting the config directive
IdentityAgent=noneis important as otherwise the key(s) already stored in the agent will take precedence over$KEY_FILE.
With KeePassXC or a GPG authentication subkey referenced using a public $KEY_FILE, setting IdentityAgent=none is unnecessary:
git config core.sshCommand "ssh -i $PUBLIC_KEY_FILE -F /dev/null"This is useful for ongoing work, but only works on existing repositories.