SSH agent forwarding not working

Hey there

I’m trying to get SSH agent forwarding to work.

My goal is to be able to deploy to my remote server via Github.

I’m on Windows 10 using WSL2 with Ubuntu. Lando for dev.

I’ve installed the SSH key and the connection to Github is working, as per

$ ssh -T
Hi decoycircuit! You've successfully authenticated, but GitHub does not provide shell access.

git clone to a local folder also works.

In ~/.ssh/config, I’ve set

Host server_IP/site_domain *(have tried both)*
    ForwardAgent yes

I unset any old/stale vars like so

❯ ssh-agent -k
echo Agent pid 1761 killed;

And re-set

❯ eval "$(ssh-agent -s)"
Agent pid 3260

Add the identity

❯ ssh-add ~/.ssh/id_ed25519
Identity added: /home/User/.ssh/id_ed25519 (email)

I’ve setup Trellis using, omitting trellis up

$ php .radicle-setup/trellis.php
$ cd trellis/
$ trellis init

On the server, I’ve set

AllowAgentForwarding yes in /etc/ssh/sshd_config and restarted the SSH daemon.

Remote server:

$ ssh-import-id-gh decoycircuit
2024-05-10 14:01:10,378 INFO Already authorized ['256', 'SHA256:oRUKupL [...]

Local machine – verifying key:

❯ ssh-add -l
256 SHA256:oRUKupL

(Identical keys locally and remote)

Running the auth sock check gives me

❯ echo "$SSH_AUTH_SOCK"

echo "$SSH_AGENT_PID" returns empty.

Testing the connection to Github from the server fails:

$ ssh -T
debug3: receive packet: type 90
debug1: client_input_channel_open: ctype rchan 2 win 65536 max 16384
debug1: client_request_agent: bound agent to hostkey
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [authentication agent connection]
debug1: confirm
debug3: send packet: type 91
debug3: receive packet: type 96
debug2: channel 1: rcvd eof
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: chan_shutdown_write: channel 1: (i0 o1 sock 7 wfd 7 efd -1 [closed])
debug2: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug3: send packet: type 96
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
debug3: send packet: type 97
debug3: channel 1: will not send data after close
debug3: receive packet: type 97
debug2: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: authentication agent connection, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1 io 0x01/0x00)
  #1 authentication agent connection (t4 r2 i3/0 o3/0 e[closed]/0 fd 7/7/-1 sock 7 cc -1 io 0x00/0x00) Permission denied (publickey).

And finally – the trip down this rabbit hole came about because trellis deploy production failed at:

TASK [deploy : Add known_hosts] ************************************************
ok: [server_ip] => (
ok: [server_ip] => (
ok: [server_ip] => (
ok: [server_ip] => (
ok: [server_ip] => (
ok: [server_ip] => (

TASK [deploy : Clone project files] ********************************************
fatal: [server_ip]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

TASK [deploy : Failed connection to remote repo] *******************************
fatal: [server_ip]: FAILED! => {"changed": false, "msg": "Git repo on branch main cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly.\nMore info:\n>\n>\n\nError:\nFailed to checkout main\n"}

PLAY RECAP *********************************************************************
[server_ip]               : ok=5    changed=0    unreachable=0    failed=1    skipped=15   rescued=0    ignored=1
localhost                  : ok=0    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

exit status 2

At a loss for what else to try. Any help is greatly appreciated.

Hi! Take a look at trellis-github-deployment which sets up exactly what you’re looking for here. The instructions should be pretty thorough.

You could either use this project, or use it as a working example to fix your own. Good luck!

@MWDelaney Thank you, that does look incredible if I can get it to work.

When it says

  • Provisioned remote servers for staging and production environments.

NOTE: This project presumes your Trellis-based website and its staging and production environments are provisioned and deploying successfully.

Does that mean server provisioned by Trellis?

Because I do already have the virtual server set up using Virtualmin (cPanel-like software)

Trellis expects to deploy to a server it provisioned (set up in the first place).

Trellis’s primary function is creating a local development environment for development (the excellent trellis up), and also to connect to and configures remote servers from providers like Digital Ocean or AWS, and set them up exactly the same way as it does your development environment, as your staging and/or production with trellis provision [staging / production].

Trellis can then deploy your site to these environments with one command: trellis deploy [staging / production].

There are some hosting providers like Kinsta which support Trellis deploys natively without first having Trellis provision the server, but that’s not typical.

If you’re using Trellis to deploy your code, you should also be using it to provision (configure) your servers.

1 Like