43

I'm having a hard time trying to configure Capistrano 3.1 to deploy an app hosted on Github.

I'm following the Capistrano documentation and I have successfully completed the first step (SSH keys from workstation to servers). On the second one (From our servers to the repository host) I'm able to successfully run `ssh -A deploy@one-of-my-servers.com 'git ls-remote git@github.com:my_user/my_repo.git'`:

18f38afz261df35d462f7f4e2ca847d22f148a06    HEAD
18f38afz261df35d462f7f4e2ca847d22f148a06    refs/heads/master

However, `ssh deploy@one-of-my-servers.com 'git ls-remote git@github.com:my_user/my_repo.git'` fails:

Permission denied (publickey).

The Capistrano docs suggest:

If you get the error "host key verification failed." log in into your server and run as the deploy user the command ssh git@github.com to add github.com to the list of known hosts.

So I tried that, but I get

ssh git@github.com
Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hosts.
Permission denied (publickey).

And I'm basically not able to successfully access the Github repo.

SSH documentation states:

-A      Enables forwarding of the authentication agent connection.  This
         can also be specified on a per-host basis in a configuration
         file.

How can I specify this on a per-host basis in a configuration file?

My local machine runs Mac OSX Mavericks. The VPS runs Ubuntu 12.04

Thanks.

Sig
  • See another possible cause (and solution): https://serverfault.com/questions/404447/why-is-ssh-agent-forwarding-not-working#answer-1032309 – Vincent Yin Sep 01 '20 at 18:10
  • > `ssh -A deploy@one-of-my-servers.com` Just FYI, the domain `example.com` is reserved exactly for use cases like this. So whenever you need an example domain, you can use `example.com` and rest assured you are not using an actual domain and you are following the ICANN guidelines. – Stijn de Witt Apr 29 '22 at 10:19

5 Answers

85

Do you have your ssh key added to the list of agent identities?

You can check with `ssh-add -L`; you should see the key you are using to connect to github:

$ ssh-add -L
ssh-rsa AAAAB3N.....0VmSiRvTzBrbU0ww== /Users/youruser/.ssh/id_rsa

If you don't see the ssh key you use for github or a message like

The agent has no identities.

Then you should add your key with:

ssh-add ~/.ssh/id_rsa

(replace with the path to the key you use for github)

See the ssh-add doc for more info

vdaubry
  • This solved my issue! Thanks! If it were my question I would accept your answer. – Andrew Apr 21 '14 at 23:18
  • 1
    Thanks, this worked! Is it possible that I was getting this issue because I copy-pasted the key files instead of creating them using the bash commands? – pastullo Jun 03 '15 at 13:34
37

Add the following lines to the .ssh/config file on your local computer

  Host Server_Address
     ForwardAgent yes

Check whether your local key is listed by ssh-add with

ssh-add -L

If not, add the key to the SSH agent

ssh-add -K

Connect to the remote server

ssh -v username@Server_Address

Check that SSH agent forwarding is enabled by running the following command. It should list a socket file

echo "$SSH_AUTH_SOCK"

Run a connection test against GitHub

ssh -T git@github.com

Run an ls-remote test against the targeted git repository

git ls-remote --heads git@github.com:account/repo.git

Finally, log out and run the following from your local machine

cap production git:check

Tahsin Turkoz
  • 3
    Nice detailed answer! Thanks – scaryguy Aug 17 '16 at 02:19
  • Hm, what if everything checks out (SSH key is added to agent and verified, agent forwarding is enabled and verified on the remote host) and I still get `Permission denied (publickey).` when testing `ssh -T git@github.com` (actually `gitlab.com` in my particular case)? It only does not work on a particular host though. – fritzmg Mar 06 '20 at 16:29
  • Take a look at https://gitlab.com/gitlab-com/support-forum/issues/171. There are some useful recommendations. Start with running `ssh -vT git@github.com` to see more details – Tahsin Turkoz Apr 24 '20 at 01:36
  • One side-note: per `ssh_config(5)`, "For each parameter, the first obtained value will be used."... I had a host-specific `ForwardAgent yes` in my ssh config, which I thought would override the `ForwardAgent no` I had up top, but that's not how it works! I moved `ForwardAgent no` to the bottom of `.ssh/config`, and I've confirmed it's still disabled by default, but now the per-host enabling works. Also, `ssh-add -K` is not only MacOS-specific, but may well be undesired. "When adding identities, each passphrase will also be stored in your keychain" -- I don't want that! YMMV. – lindes Dec 12 '21 at 03:41
8

Add the following to ~/.ssh/config

Host one-of-my-servers.com
    ForwardAgent yes

Brad Pitcher
  • Thanks for your reply. Unfortunately I forgot to mention I added it already ```Host 111.222.222.44:24566 ForwardAgent yes``` – Sig Feb 06 '14 at 02:34
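
The ordering pitfall from the `ssh_config(5)` comment further up, and a `Host` pattern written with a port like the one in the comment just above, can both be checked mechanically. This is an added example, not part of any answer on this page: `first_forward_agent` is a hypothetical helper that applies the first-obtained-value rule to constructed sample configs (`deploy.example.com` and `192.0.2.10` are placeholder hosts). It assumes whitespace-separated keywords and handles `Host` blocks only, not `Match` or `Include`.

```sh
#!/bin/sh
# first_forward_agent HOST CONFIG: print the ForwardAgent value that is
# obtained first for HOST when CONFIG is read top to bottom, or "no"
# (ssh's default) when none applies. Hypothetical helper for illustration.
first_forward_agent() {
    host=$1 cfg=$2 active=1 result=     # lines before any Host apply to all
    while read -r key rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords: any case
        case $key in
        host)
            active=0 negated=0
            set -f                      # do not glob patterns against files
            for pat in $rest; do
                case $pat in
                '!'*) case $host in ${pat#\!}) negated=1 ;; esac ;;
                *)    case $host in $pat) active=1 ;; esac ;;
                esac
            done
            set +f
            if [ "$negated" -eq 1 ]; then active=0; fi
            ;;
        forwardagent)
            if [ "$active" -eq 1 ] && [ -z "$result" ]; then result=$rest; fi
            ;;
        esac
    done < "$cfg"
    printf '%s\n' "${result:-no}"
}

tmp=$(mktemp -d)
# Constructed sample: the global "no" on top is obtained before the host block.
printf 'ForwardAgent no\nHost deploy.example.com\n    ForwardAgent yes\n' > "$tmp/shadowed"
# Constructed sample: host block first, default moved into a trailing "Host *".
printf 'Host deploy.example.com\n    ForwardAgent yes\nHost *\n    ForwardAgent no\n' > "$tmp/ordered"
# Constructed sample: a pattern with ":port" is compared to the bare host name.
printf 'Host 192.0.2.10:2222\n    ForwardAgent yes\n' > "$tmp/port"

echo "shadowed: $(first_forward_agent deploy.example.com "$tmp/shadowed")"
echo "ordered:  $(first_forward_agent deploy.example.com "$tmp/ordered")"
echo "port:     $(first_forward_agent 192.0.2.10 "$tmp/port")"
```

On OpenSSH 6.8 or later, `ssh -G deploy.example.com | grep -i forwardagent` prints the value ssh itself resolves from your real configuration.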
2

Yet another cause: If the target host's fingerprint doesn't match with your ~/.ssh/known_hosts, SSH automatically disables Agent Forwarding.

The solution is:

$ ssh -A -o UserKnownHostsFile=/dev/null  my-target-host

Vincent Yin
  • 1
    You probably want to just add the host key with `ssh-keyscan` – Tamir Daniely Apr 18 '21 at 07:46
  • `ssh-keyscan` would be a good solution when you plan to manually execute `ssh` later. For an automated job (cron job, CI/CD pipeline script, etc.) which contains `ssh`, you wouldn't want to deal with `ssh-keyscan`. – Vincent Yin Sep 17 '21 at 16:04
  • 1
    For an automated job you want to verify the fingerprint, or use SSHFP / SSH certificates. Overriding security checks is never a good idea. – Tamir Daniely Sep 19 '21 at 10:42
0

I am not entirely sure why but previously using ForwardAgent yes was enough IIRC. I had to add AddKeysToAgent yes additionally to make this work. This basically automates what ssh-add does AFAICT. So a possibly better answer to this question than those so far might be:

Host Server_Address
   ForwardAgent yes
   AddKeysToAgent yes

stefanct