110

Rather than create a new SSH key pair on a vagrant box, I would like to re-use the key pair I have on my host machine, using agent forwarding. I've tried setting config.ssh.forward_agent to TRUE in the Vagrantfile, then rebooted the VM, and tried using:

vagrant ssh -- -A

...but I'm still getting prompted for a password when I try to do a git checkout. Any idea what I'm missing?

Matt V.
  • If you don't have your ssh keys properly, git should not ask a password, but tell you that you have denied permissions. I guess you're being asked for a password because you're cloning from https instead of git@github.com (ssh). my 2 cents. – alexserver Oct 27 '15 at 05:04

9 Answers

90

I'm using vagrant 2 on OS X Mountain Lion.

Vagrant.configure("2") do |config|
  config.ssh.private_key_path = "~/.ssh/id_rsa"
  config.ssh.forward_agent = true
end
  1. config.ssh.private_key_path is your local private key
  2. Your private key must be available to the local ssh-agent. You can check with ssh-add -L, if it's not listed add it with ssh-add ~/.ssh/id_rsa
  3. Don't forget to add your public key to ~/.ssh/authorized_keys on the Vagrant VM. You can do it by copy-and-pasting or using a tool like ssh-copy-id
LuizSignorelli
  • 8
    I noticed that after I set up above, I can use "vagrant" user to "git clone" but I can not use "root" user to "git clone". Do you know what seem to be the issue? Thanks – Nam Nguyen Jan 20 '14 at 08:31
  • I happened to get errors with vm's coming up when I added '.private_key_path = "~/.ssh/id_rsa"'. Forward Agent seemed to work --Vagrant 1.4.2, VirtualBox 4.3.6, on Fedora 3.12.10-300.fc20.x86_64 – Zachary Moshansky Feb 14 '14 at 22:13
  • 7
    `config.ssh.private_key_path = "~/.ssh/id_rsa"` makes Vagrant hang on `Waiting for VM to boot`. – apennebaker Mar 04 '14 at 15:39
  • 16
    You need to also keep the vagrant insecure key `config.ssh.private_key_path = [ '~/.vagrant.d/insecure_private_key', '~/.ssh/id_rsa' ]` – Calin Jan 23 '15 at 19:54
  • 3
    On OS X, I found adding the private keys to the OS X key chain with `ssh-add -K` worked (as well as `config.ssh.forward_agent = true`). [See this answer](http://stackoverflow.com/a/11673152/247696) – Flimm Apr 24 '15 at 09:00
  • ssh-add ~/.ssh/id_rsa also did the trick for me on OSX. Use -K if you want to add permanently to keychain. – Eric Saboia Aug 12 '15 at 12:25
  • 2
    I got the same error as @apennebaker . and following the steps that Calin suggested didn't help... What worked for me was adding keys to keychain from my host OS and disabling config.ssh.private_key_path assignment. – alexserver Oct 27 '15 at 05:06
  • @NamNguyen Did you figure out how to clone as "root"? – Usha Jul 06 '16 at 21:24
  • @Usha, I haven't figured that out yet – Nam Nguyen Jul 07 '16 at 06:09
  • @NamNguyen I figured it out yesterday. vagrant ssh would ssh as vagrant user, and then doing a sudo to root made it and took away the public key forwarding. But directly sshing into the node as the required user (root or diffuser), like ssh -p 2222 diffuser@localhost, would forward the public keys. – Usha Jul 08 '16 at 14:15
  • 1
    ssh-add was the missing part for me. Super helpful. – fregas Dec 19 '16 at 22:50
84

Add it to the Vagrantfile

Vagrant::Config.run do |config|
   # stuff
   config.ssh.forward_agent = true
end

See the docs

A1rPun
EnabrenTane
  • 12
    Make sure you ssh-add on the underlying host and the key is decrypted. – EnabrenTane Aug 23 '12 at 06:15
  • 1
    Note that Windows does not auto-start ssh-agent, which you need to have running to forward your ssh keys. Follow [this guide](https://help.github.com/articles/working-with-ssh-key-passphrases) to set up ssh-agent autostarting on Windows. – nebffa Jun 07 '14 at 02:27
  • 64
    This answer probably doesn't deserve so many votes. OP clearly states they added `config.ssh.forward_agent` to their config file, so what new information is this answer providing? Even the link is already in the question. – Trindaz Nov 07 '14 at 21:00
  • 7
    @Trindaz you're completely right. I can't explain why this is one of my most popular answers. Yet this seemingly helped at least 52 people, so I have to call that a win. – EnabrenTane Nov 07 '14 at 23:43
  • 1
    This answer indeed does not bring any new information, but on the other hand it is everything that needs to be configured for a Vagrant-provisioned machine. At least provided you have agent forwarding set up correctly on the connecting machine (ie. forwarding works for other, non-vagrant machines). – techraf Nov 04 '15 at 13:26
20

In addition to adding "config.ssh.forward_agent = true" to the vagrant file make sure the host computer is set up for agent forwarding. Github provides a good guide for this. (Check out the troubleshooting section).

the
HipsterHobo
7

I had this working with the above replies on 1.4.3, but stopped working on 1.5. I now have to run ssh-add to work fully with 1.5.

For now I add the following line to my ansible provisioning script.

- name: Make sure ssh keys are passed to guest.
  local_action: command ssh-add

I've also created a gist of my setup: https://gist.github.com/KyleJamesWalker/9538912

Kyle James Walker
  • I've always had to use ssh-add with 1.4 and 1.5 as otherwise there was no agent running to be forwarded – iheggie Mar 18 '14 at 08:41
5

If you are on Windows, SSH Forwarding in Vagrant does not work properly by default (because of a bug in net-ssh). See this particular Vagrant bug report: https://github.com/mitchellh/vagrant/issues/1735

However, there is a workaround! Simply auto-copy your local SSH key to the Vagrant VM via a simple provisioning script in your VagrantFile. Here's an example: https://github.com/mitchellh/vagrant/issues/1735#issuecomment-25640783

Tim Donohue
2

When we recently tried out the vagrant-aws plugin with Vagrant 1.1.5, we ran into an issue with SSH agent forwarding. It turned out that Vagrant was forcing IdentitiesOnly=yes without an option to change it to no. This forced Vagrant to only look at the private key we listed in the Vagrantfile for the AWS provider.

I wrote up our experiences in a blog post. It may turn into a pull request at some point.

Benjamin Oakes
  • 2
    Is there a way to automate copying the underlying public key on the host machine to the Vagrant VM on creation with `Vagrant up`? Right now I have to create the machine, manually log in and then add my public key to /home/vagrant/.ssh/authorized_keys – Noah Jun 28 '13 at 16:29
1

Make sure that the VM does not launch its own SSH agent. I had this line in my ~/.profile

eval `ssh-agent`

After removing it, SSH agent forwarding worked.

Fabian Schmengler
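
The checks below, meant to be run inside the guest, cover the failure modes raised across this thread: an https remote (alexserver's comment), a login script that starts its own ssh-agent (the answer above), and a forwarded socket that is missing or empty (as after `sudo`, per Usha's comment). This is an added example, not part of any answer on the page, and every function name in it is hypothetical.

```shell
#!/usr/bin/env bash
# Guest-side checks for the agent-forwarding failure modes raised in this thread.
# Added example: every function name here is hypothetical.

# An http(s) remote prompts for a password and never consults the agent.
remote_transport() {
  case "$1" in
    http://*|https://*) echo https ;;
    ssh://*|*@*:*)      echo ssh ;;
    *)                  echo other ;;
  esac
}

# True if a login script starts ssh-agent on a non-comment line; that replaces
# the forwarded SSH_AUTH_SOCK with a new, empty agent inside the VM.
profile_starts_agent() {
  grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null | grep -q 'ssh-agent'
}

# unset: nothing was forwarded into this session (also what root sees after
# sudo, whose default env_reset drops SSH_AUTH_SOCK); stale: the socket is gone.
agent_socket_state() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then echo unset
  elif [ ! -S "$SSH_AUTH_SOCK" ]; then echo stale
  else echo present
  fi
}

# ssh-add -l exits 0 with keys loaded, 1 with an empty agent, 2 with no agent.
agent_key_state() {
  if ssh-add -l >/dev/null 2>&1; then echo keys
  else
    case $? in 1) echo empty ;; *) echo unreachable ;; esac
  fi
}

forwarding_report() {
  echo "agent socket: $(agent_socket_state)"
  echo "agent keys:   $(agent_key_state)"
  for f in "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc"; do
    if profile_starts_agent "$f"; then echo "starts its own ssh-agent: $f"; fi
  done
  # Print only the transport; an https URL can carry an embedded token.
  url=$(git config --get remote.origin.url 2>/dev/null || true)
  if [ -n "$url" ]; then echo "origin transport: $(remote_transport "$url")"; fi
}

forwarding_report
```

Running it once as the vagrant user and once as root after `sudo` shows the difference in socket state between the two sessions.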
0

The real problem is Vagrant using 127.0.0.1:2222 as default port-forward. You can add one (not 2222, 2222 is already occupied by default)

config.vm.network "forwarded_port", guest: 22, host:2333, host_ip: "0.0.0.0"

"0.0.0.0" is the way to take requests from external connections. Then ssh -p 2333 vagrant@192.168.2.101 (change to your own host IP address, dude) will work just fine. Do thank me, Just call me Leifeng!

Leifeng
0

On Windows, the problem is that Vagrant doesn't know how to communicate with git-bash's ssh-agent. It does, however, know how to use PuTTY's Pageant. So, as long as Pageant is running and has loaded your SSH key, and as long as you've set config.ssh.forward_agent, this should work.

See this comment for details.

If you use Pageant, then the workaround of updating the Vagrantfile to copy SSH keys on Windows is no longer necessary.

Josh Kelley