Saturday, 24 February 2018

ssh - Agent Forwarding Through Different Usernames (Git & Deployment)


This query isn't directly related to Git, but since one of Git's supported transports is SSH, and I'm trying to use agent-forwarding, I thought I would ask for clarification (the man pages have let me down).


I'm trying to automate a software deployment using Capistrano. I've managed to suspend some of the pain-points (pre-seeding the known hosts, before deployment, etc.), but I'm left with the following situation.


My team log into the server as themselves, individual user accounts, everyone is in a developers group, and the umask is 002. None of the above is really relevant, except to say the purpose is to make sure my team can always work as themselves, without requiring super user privileges.


We connect to the server example.com using the following ~/.ssh/config:


Host example.com
    User beaks
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa_business

The initial login works perfectly, ssh example.com opens a connection to my user account, and all is in order.


The problem comes at the next step,


git ls-remote git@github.com:project/repository.git

This is using the aforementioned Git+SSH transport layer (see link above) - and should typically use my forwarded-agent key (which I have verified present with env | grep SSH_AUTH_SOCK)


The response is a simple "authentication failed (public key) the other end hung up unexpectedly", I suspect because the agent for my user isn't being used when I approach github.com as their shared git user.


I also can't rule out EC2 weirdness (security policies, etc) - but in that case, I would have expected a timeout or connection failure. I feel pretty confident that I'm hitting github.com - and that they're not letting me in, because my agent isn't offering my beaks key for their git user.


Happy to add any additional information if I missed anything.



Answer



Simply seeing that ssh-agent is running is insufficient. Look to see if the key you want is present: ssh-add -L. Have you verified that this key works from some other host? What does ssh-add -L print on that system?


You can also run GIT_TRACE=1 git ls-remote ... and it will print the ssh command it runs. You can manually run the ssh command and get that working before bringing git into the picture.
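The agent checks from the answer, combined into one script for the remote host (an added example, not part of the original answer). The function names are hypothetical, and it assumes a copy of the public key file is available on the server for comparison.

```shell
# Added example: classify the state of a forwarded ssh-agent on the remote host.
# Function names are hypothetical; nothing here comes from the original post.

# key_in_listing BLOB: read `ssh-add -L` output on stdin and succeed only if
# some line carries BLOB as its base64 key field (field 2). The key comment
# in field 3 is ignored, since it can differ between hosts.
key_in_listing() {
    awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# agent_state PUBFILE: print one of
#   no-socket    SSH_AUTH_SOCK is unset or does not point at a socket
#   unreachable  the socket exists but ssh-add cannot talk to an agent
#   empty        the agent answers but holds no identities
#   missing      the agent holds keys, but not the one in PUBFILE
#   present      the agent offers the key in PUBFILE
agent_state() {
    pubfile=$1
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo no-socket
        return 0
    fi
    rc=0
    listing=$(ssh-add -L 2>/dev/null) || rc=$?
    case $rc in
        2) echo unreachable; return 0 ;;  # ssh-add exit 2: cannot contact agent
        1) echo empty; return 0 ;;        # ssh-add exit 1: no identities loaded
    esac
    # Compare on the key blob only (second field of the .pub file).
    blob=$(awk '{ print $2; exit }' "$pubfile")
    if printf '%s\n' "$listing" | key_in_listing "$blob"; then
        echo present
    else
        echo missing
    fi
}
```

Call it as agent_state followed by the path to the public key; any result other than present means the git ls-remote failure is an agent problem rather than a Git one.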

