Skip to content

Instantly share code, notes, and snippets.

@scottjacobsen

scottjacobsen/git+clone+ssh+agent+forward+sudo

Created December 14, 2012 00:07
Show Gist options
  • Save scottjacobsen/4281310 to your computer and use it in GitHub Desktop.
Save scottjacobsen/4281310 to your computer and use it in GitHub Desktop.
Download ZIP
Git clone using ssh agent forwarding and sudo
Raw
git+clone+ssh+agent+forward+sudo
SSH agent forwarding is great. It allows you to ssh from one server to
another all the while using the ssh-agent running on your local
workstation. The benefit is you don't need to generate ssh key pairs
on the servers you are connecting to in order to hop around.
When you ssh to a remote machine the remote machine talks to your
local ssh-agent through the socket referenced by the SSH_AUTH_SOCK
environment variable.
So you the remote server you can do something like:
> git clone [email protected]:my-github-account/my-repo.git
And git will make use of the ssh-agent running on your local
workstation to authenticate with github and clone your repo.
This fails if you do
> sudo git clone [email protected]:my-github-account/my-repo.git
because your environment variables are not available to the
commands running under sudo.
However, you can set the SSH_AUTH_SOCK variable for the command by
passing it on the command line like so
> sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK git clone [email protected]:my-github-account/my-repo.git
and all is well.
@habibalamin
Copy link

This has been really helpful, I was almost starting to get frustrated.

@elephantum
Copy link

Thanks, that helps a lot.

@AlekSi
Copy link

AlekSi commented Jan 21, 2015

It's a hack, but helpful one. Thank you. 👍

@leifmadsen
Copy link

Alternatively create a file in /etc/sudoers.d/99-keep-ssh-auth-sock-env with the following contents:

Defaults>root env_keep+=SSH_AUTH_SOCK

Use visudo -f to edit and validate the change is ok.

@timbunce
Copy link

timbunce commented Oct 8, 2015

See also http://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user

@detailyang
Copy link

sudo The -E (preserve environment) is good too:)

@natemacinnes
Copy link

Thank you sir!

@altrofimov
Copy link

Had a problem to clone repository on ec2 machine, it helped. Thank you.

@mdawar
Copy link

mdawar commented Aug 7, 2017

A better way to preserve the SSH_AUTH_SOCK variable is to add a file to /etc/sudoers.d/ directory containing:

Defaults env_keep += "SSH_AUTH_SOCK"

This file should be mode 0440, you can check out /etc/sudoers.d/README for more info.

Copy link

ghost commented Aug 1, 2018

Indeed, adding to sudoers Defaults env_keep += "SSH_AUTH_SOCK" (use $ sudo visudo command for that) solves the problem completely.

Btw, OS X has Defaults env_keep += "SSH_AUTH_SOCK" by default enabled.

@Microserf
Copy link

This perfectly explained the cause of and solution to the problem I had just encountered. Thank you so much for making this helpful gist!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment