SSH agent forwarding not working

Hey there

I’m trying to get SSH agent forwarding to work.

My goal is to be able to deploy to my remote server via Github.

I’m on Windows 10 using WSL2 with Ubuntu. Lando for dev.

I’ve installed the SSH key and the connection to Github is working, as per

$ ssh -T git@github.com
Hi decoycircuit! You've successfully authenticated, but GitHub does not provide shell access.

git clone to a local folder also works.

In ~/.ssh/config, I’ve set

Host server_IP/site_domain (have tried both)
    ForwardAgent yes

I unset any old/stale vars like so

❯ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 1761 killed;

And re-set

❯ eval "$(ssh-agent -s)"
Agent pid 3260
❯ echo $SSH_AGENT_PID
3260
❯ echo $SSH_AUTH_SOCK
/tmp/ssh-XXXXXXAGGo/agent.3259

Add the identity

❯ ssh-add ~/.ssh/id_ed25519
Identity added: /home/User/.ssh/id_ed25519 (email)

I’ve set up Trellis as follows, omitting trellis up

$ php .radicle-setup/trellis.php
$ cd trellis/
$ trellis init

On the server, I’ve set

AllowAgentForwarding yes in /etc/ssh/sshd_config and restarted the SSH daemon.

Remote server:

$ ssh-import-id-gh decoycircuit
2024-05-10 14:01:10,378 INFO Already authorized ['256', 'SHA256:oRUKupL [...]

Local machine – verifying key:

❯ ssh-add -l
256 SHA256:oRUKupL

(Identical keys locally and remote)

Running the auth sock check gives me

❯ echo "$SSH_AUTH_SOCK"
/tmp/ssh-XXXXXX1f2sep/agent.12568

echo "$SSH_AGENT_PID" returns empty.

Testing the connection to Github from the server fails:

$ ssh -T git@github.com
debug3: receive packet: type 90
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
debug1: client_request_agent: bound agent to hostkey
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
debug3: send packet: type 91
debug3: receive packet: type 96
debug2: channel 1: rcvd eof
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: chan_shutdown_write: channel 1: (i0 o1 sock 7 wfd 7 efd -1 [closed])
debug2: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug3: send packet: type 96
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
debug3: send packet: type 97
debug3: channel 1: will not send data after close
debug3: receive packet: type 97
debug2: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: authentication agent connection, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1 io 0x01/0x00)
  #1 authentication agent connection (t4 r2 i3/0 o3/0 e[closed]/0 fd 7/7/-1 sock 7 cc -1 io 0x00/0x00)

git@github.com: Permission denied (publickey).

And finally – the trip down this rabbit hole came about because trellis deploy production failed at:

TASK [deploy : Add known_hosts] ************************************************
ok: [server_ip] => (item=github.com)
ok: [server_ip] => (item=github.com)
ok: [server_ip] => (item=bitbucket.org)
ok: [server_ip] => (item=bitbucket.org)
ok: [server_ip] => (item=gitlab.com)
ok: [server_ip] => (item=gitlab.com)

TASK [deploy : Clone project files] ********************************************
fatal: [server_ip]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
...ignoring

TASK [deploy : Failed connection to remote repo] *******************************
fatal: [server_ip]: FAILED! => {"changed": false, "msg": "Git repo git@github.com:decoycircuit/repo_name.git on branch main cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly.\nMore info:\n> https://roots.io/trellis/docs/deploys/#ssh-keys\n> https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding\n\nError:\nFailed to checkout main\n"}

PLAY RECAP *********************************************************************
[server_ip]               : ok=5    changed=0    unreachable=0    failed=1    skipped=15   rescued=0    ignored=1
localhost                  : ok=0    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

exit status 2

At a loss for what else to try. Any help is greatly appreciated.
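Added example (not code from this thread, from Trellis, or from OpenSSH): a small POSIX sh script that checks each link in the agent-forwarding chain the post walks through. It assumes `myserver` is a placeholder for your own Host alias, and the fingerprints it uses are constructed placeholders, not real keys. The idea is to save `ssh-add -l` output on the local side, fetch the same report through the forwarded socket on the remote side, and confirm the two agree before running `trellis deploy`.

```shell
#!/bin/sh
# Added example, not from the thread: checks for each link in the agent-forwarding chain.
# Typical use:
#   ssh-add -l > local.txt
#   remote_agent_report myserver > remote.txt      # myserver is a placeholder alias
#   compare_keys local.txt remote.txt

# check_agent_env SOCK
# Succeeds only when SOCK (the value of $SSH_AUTH_SOCK) names an existing unix socket.
# A missing or stale value is the usual reason "ssh-add -l" and "ssh" cannot see the agent.
# On the forwarded (remote) side SSH_AGENT_PID is legitimately empty, because sshd
# created that socket; only SSH_AUTH_SOCK matters there.
check_agent_env() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is not set" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock is not a unix socket (stale value from an old agent?)" >&2
        return 2
    fi
    return 0
}

# fingerprints FILE
# Prints the SHA256 fingerprints found in saved "ssh-add -l" output, one per line.
# Non-key lines such as "The agent has no identities." produce nothing.
fingerprints() {
    awk '$2 ~ /^SHA256:/ { print $2 }' "$1" | sort -u
}

# compare_keys LOCAL_LIST REMOTE_LIST
# Both arguments are files holding "ssh-add -l" output. Succeeds when every key loaded
# locally is also visible through the forwarded socket on the remote host.
compare_keys() {
    rc=0
    if [ -z "$(fingerprints "$1")" ]; then
        echo "no keys loaded in the local agent; run ssh-add first" >&2
        return 1
    fi
    for fp in $(fingerprints "$1"); do
        if ! grep -Fq "$fp" "$2"; then
            echo "key $fp is loaded locally but not visible via the forwarded agent" >&2
            rc=1
        fi
    done
    return $rc
}

# remote_agent_report HOST
# Prints the remote SSH_AUTH_SOCK and the key list the remote ssh-add can see.
# Forwarding is requested for this one connection only (same effect as ssh -A) rather
# than being switched on for every host in ~/.ssh/config.
remote_agent_report() {
    ssh -o ForwardAgent=yes "$1" 'echo "remote SSH_AUTH_SOCK=$SSH_AUTH_SOCK"; ssh-add -l'
}

# Offline demo with constructed data (placeholder fingerprints, not real keys).
demo() {
    tmp=$(mktemp -d)
    printf '256 SHA256:CONSTRUCTEDLOCALKEY00000000000000000000001 user@wsl (ED25519)\n' > "$tmp/local"
    printf '256 SHA256:CONSTRUCTEDLOCALKEY00000000000000000000001 user@wsl (ED25519)\n' > "$tmp/remote_ok"
    printf 'The agent has no identities.\n' > "$tmp/remote_empty"
    compare_keys "$tmp/local" "$tmp/remote_ok" && echo "forwarding OK: same keys on both ends"
    compare_keys "$tmp/local" "$tmp/remote_empty" || echo "forwarding broken: remote agent sees no keys"
    rm -r "$tmp"
}

demo
```

The comparison is done on fingerprints rather than on the presence of a socket because a forwarded socket can exist on the remote host while the local agent has no identities loaded, which is exactly the case where `git clone` on the server fails with "Permission denied (publickey)". Keeping `ForwardAgent yes` scoped to the single Host entry (or passing it per connection as above) limits which remote hosts get access to the local agent while a session is open.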

Hi! Take a look at trellis-github-deployment which sets up exactly what you’re looking for here. The instructions should be pretty thorough.

You could either use this project, or use it as a working example to fix your own. Good luck!

@MWDelaney Thank you, that does look incredible if I can get it to work.

When it says

  • Provisioned remote servers for staging and production environments.

NOTE: This project presumes your Trellis-based website and its staging and production environments are provisioned and deploying successfully.

Does that mean server provisioned by Trellis?

Because I do already have the virtual server set up using Virtualmin (cPanel-like software).

Trellis expects to deploy to a server it provisioned (set up in the first place).

Trellis’s primary function is creating a local development environment for development (the excellent trellis up), and also to connect to and configure remote servers from providers like Digital Ocean or AWS, and set them up exactly the same way as it does your development environment, as your staging and/or production with trellis provision [staging / production].

Trellis can then deploy your site to these environments with one command: trellis deploy [staging / production].

There are some hosting providers like Kinsta which support Trellis deploys natively without first having Trellis provision the server, but that’s not typical.

If you’re using Trellis to deploy your code, you should also be using it to provision (configure) your servers.
