Can I run ssh-add against an IdentityFile so that it stays forever? Currently it persists only for the current active ssh session (i.e. an IdentityFile added using ssh-add gets lost when a new ssh session is made with the server; this can be found by running ssh-add -L).
The problem is that our Amazon server has various projects with repos residing in GitHub.
Now each of the repos has access rights based on the user: say user A has access rights only for project A, and B has access rights on project B only.
With those access rights set (in GitHub), each user can perform git operations (like git fetch, git push, etc.) only on their respective project (which is what we want).
Now all I want is that when a user performs a git operation on their respective project, ssh-agent takes all the ssh-keys in the account and looks for the one that matches that specific user.
Note that each ssh-key has a passphrase (a unique secret known only to its own user) associated with it, which is prompted for when performing a git operation.
To achieve this we do
ssh-add /root/.ssh/A
or
ssh-add /root/.ssh/B
But as mentioned earlier, this only stays for the active ssh session; exit or make a new ssh session with the server and the ssh-add info is lost. This can be found by running ssh-add -L.
I have also tried defining IdentityFile in .ssh/config, as described in this question,
something like this:
Host github.com
    Hostname github.com
    User git
    IdentityFile /root/.ssh/A
Host github.com
    Hostname github.com
    User git
    IdentityFile /root/.ssh/B
This only works for one user (sometimes it works for 'A' and sometimes it doesn't; the same is true for 'B' too).
Can this segregation be achieved, or am I sounding a bit over-ambitious?
Thanks
You're very close with your edit of the IdentityFile. However, you need to have unique hostnames listed in the IdentityFile. Because you used github.com as the hostname both times, when you try to connect to github.com, it has no idea which one to use.
We have a similar setup. We have 5 users, all of whom log in to a single account. However, GitHub needs to see them each using their own ssh-key, so we have 5 keys. The trick to get around this is to make your file look like this:
Host UserA_github
    Hostname github.com
    User git
    IdentityFile /root/.ssh/A
Host UserB_github
    Hostname github.com
    User git
    IdentityFile /root/.ssh/B
Whenever UserB wants to do something git related (e.g. clone one of their repositories), they will run...
git clone UserB_github:UserB/MyRepo
or something similar. This will behave as if they had entered...
git clone github.com:UserB/MyRepo
except that it will use the appropriate IdentityFile/private key.
I understand that my solution doesn't use a persistent ssh-add, but I think this will give you the same performance that you want. Unfortunately, your users will need to enter their passphrase each time they perform a transaction.
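The behaviour behind the two configurations above, as an added example that is not part of the original posts: a simplified Python resolver that follows the ssh_config(5) rules that every matching Host block applies, the first value wins for each option, and IdentityFile entries accumulate. The function names and the config strings are constructed for illustration; Match, Include, negated patterns and quoting are not handled.

```python
import fnmatch

# Constructed sample configs mirroring the two layouts discussed on this page.
BLOCK = ("Host {alias}\n    Hostname github.com\n    User git\n"
         "    IdentityFile /root/.ssh/{key}\n")
DUPLICATE_HOSTS = (BLOCK.format(alias="github.com", key="A")
                   + BLOCK.format(alias="github.com", key="B"))
UNIQUE_ALIASES = (BLOCK.format(alias="UserA_github", key="A")
                  + BLOCK.format(alias="UserB_github", key="B"))


def resolve(config_text, target):
    """Return (settings, identity_files) for the host name `target`.

    Simplified model of ssh_config(5): all matching Host blocks apply, the
    first value seen wins for ordinary options, IdentityFile accumulates.
    Host patterns are matched as exact-case globs (an assumption here).
    """
    settings, identities = {}, []
    active = True  # options placed before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(target, p) for p in value.split())
        elif active and key == "identityfile":
            identities.append(value)
        elif active:
            settings.setdefault(key, value)
    return settings, identities


def ambiguous(config_text, target):
    """True when more than one private key would be offered for `target`."""
    return len(resolve(config_text, target)[1]) > 1


if __name__ == "__main__":
    for name, cfg, host in [("duplicate", DUPLICATE_HOSTS, "github.com"),
                            ("alias A", UNIQUE_ALIASES, "UserA_github"),
                            ("alias B", UNIQUE_ALIASES, "UserB_github")]:
        print(name, host, resolve(cfg, host)[1], "ambiguous:", ambiguous(cfg, host))
```

With the duplicated `Host github.com` blocks both keys end up in the list for `github.com`, while each unique alias resolves to exactly one key and still connects to `github.com`.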