The problem is that your local ssh is still offering your “old” SSH key to GitHub. This often comes up when you have one GitHub-recognized key (i.e. your “old” key) loaded in an ssh-agent but want to use a different GitHub-recognized key (i.e. your “new” key).
ssh offers keys in this order:
- specified keys that have been loaded into the agent
- other keys that have been loaded into the agent
- specified keys that have not been loaded into the agent
By “specified keys” I mean those keys specified by the -i
command line option or the IdentityFile
configuration option (which can be given through ~/.ssh/config
or the -o
command line option).
If your “old” key is loaded into the agent, but your “new” key is not, then ssh will always offer your “old” key (from the first or second categories) before your “new” key (only ever in the last category since it is not loaded), even when you specify your “new” key with -i
/IdentitiesOnly
.
You can check which keys are loaded in your ssh-agent with ssh-add -l
. If your “old” key is listed, then you can fix the problem by unloading it from your agent (be sure to also unload any other GitHub-recognized keys, except perhaps your “new” key):
ssh-add -d ~/.ssh/old_key_file
If you are using Mac OS X, the system may be automatically loading your “old” key if you checked “Remember password in my keychain” when prompted for the password at one point; you can disable this automatic loading by deleting the Keychain entry for the key with the command
/usr/bin/ssh-add -K -d ~/.ssh/old_key_file
. Other systems may do something similar, but the commands to tell them to “stop that” will be different.
Instead of unloading the “old” key from your agent, you can set the IdentitiesOnly
configuration option to yes
, to tell ssh to skip the second category of keys (non-specified agent-loaded keys). Your ~/.ssh/config
might include a section like this:
Host github.com
User git
IdentityFile ~/.ssh/id_rsa # wherever your "new" key lives
IdentitiesOnly yes
This way, it will not matter whether any other GitHub-recognized keys are loaded into your agent; ssh will always offer only your “new” key.
If you anticipate needing to access the repositories of both GitHub accounts and you do not want to have to edit the configuration file whenever you want to switch between GitHub accounts, then you might setup your ~/.ssh/config
like this:
Host clientname.github.com
HostName github.com
IdentityFile ~/.ssh/client_id_rsa # or wherever your "old" client key lives
Host github.com
IdentityFile ~/.ssh/id_rsa # or wherever your "new" key lives
Host github.com *.github.com
User git
Hostname github.com
IdentitiesOnly yes
Then use URLs like github.com:GitHubAccount/repository
for your repositories and URLs like clientname.github.com:GitHubAccount/repository
for your client’s repositories (you can put the git@
prefix back in if you like, but it is not necessary since the above entries set the User
configuration variable).