Forward agent support #105

Closed
paul opened this Issue Jul 8, 2010 · 16 comments


@paul

Agent forwarding allows repos to be cloned from GitHub without needing an explicit deploy key for the VM being provisioned. It can be enabled in Net::SSH by passing :forward_agent => true to the Net::SSH.start options. I added it manually to lib/vagrant/ssh.rb:55, and it works as expected.

Should probably add a Vagrantfile config ssh option, and have it available in Vagrant::SSH#execute.

@paul

Never mind. This change makes it so that agent forwarding is available in vagrant ssh -e cmd. Still investigating how to make it work in vagrant provision.

@paul

Ok, the above solution does, in fact, work. My issue with provisioning is that sudo chef-client ... sanitizes the environment.

@mitchellh
Owner

Ah, I see. So this is a fairly simple change, I just want to verify:

  • Agent forwarding works fine already with vagrant ssh?
  • Agent forwarding in Net::SSH won't do anything because of the sudo?

Is this correct?

@paul

Agent forwarding works fine right now, with vagrant ssh, because it shells out to ssh, and reads my ~/.ssh/config that has it set up.

In Net::SSH, it needs :forward_agent => true in the options. It does not work in sudo in any case, because sudo by default sanitizes the environment. This can be fixed by adding Defaults env_keep+=SSH_AUTH_SOCK to /etc/sudoers.
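
The sudoers behaviour described in this comment, as an added example that is not part of the original thread or of Vagrant's code: a Ruby check that reads sudoers text and reports whether SSH_AUTH_SOCK survives sudo for a given user. The function name, the sample sudoers content and the user names are constructed, and the model is simplified (file-order evaluation, global and Defaults:user scopes only).

```ruby
# Added example: decide whether sudo would pass SSH_AUTH_SOCK to a command.
# Simplified model: Defaults entries are applied in file order; only global and
# Defaults:user scopes count; includes, aliases, env_delete, -E are not modeled.

AGENT_VAR = "SSH_AUTH_SOCK"
SETTING = /(!?)(\w+)(?:\s*([+-]?=)\s*("[^"]*"|[^\s,]+))?/

# Returns :kept, :reset_disabled or :stripped for the given login user.
def agent_socket_policy(sudoers_text, user)
  kept = false       # sudo's built-in env_keep list does not include SSH_AUTH_SOCK
  env_reset = true   # env_reset is on unless a Defaults line turns it off
  sudoers_text.gsub(/\\\n/, " ").each_line do |raw|
    line = raw.sub(/#.*/, "").strip          # drop comments and commented-out lines
    m = line.match(/\ADefaults(\S*)\s+(.+)\z/) or next
    scope, settings = m[1], m[2]
    next unless scope.empty? ||
                (scope.start_with?(":") && scope[1..-1].split(",").include?(user))
    settings.scan(SETTING) do |neg, name, op, value|
      case name
      when "env_reset"
        env_reset = neg.empty?
      when "env_keep"
        vars = value.to_s.delete('"').split
        if op == "=" || !neg.empty?          # list replaced or cleared
          kept = vars.include?(AGENT_VAR)
        elsif vars.include?(AGENT_VAR)       # "+=" adds it, "-=" removes it
          kept = (op == "+=")
        end
      end
    end
  end
  return :reset_disabled unless env_reset
  kept ? :kept : :stripped
end

# Constructed sample input, not taken from any real host.
SAMPLE_SUDOERS = <<~SUDOERS
  Defaults env_reset
  Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
  # Defaults env_keep += "SSH_AUTH_SOCK"
  Defaults:vagrant env_keep+=SSH_AUTH_SOCK
  vagrant ALL=(ALL) NOPASSWD: ALL
SUDOERS

if __FILE__ == $PROGRAM_NAME
  %w[vagrant deploy].each do |u|
    puts "#{u}: #{agent_socket_policy(SAMPLE_SUDOERS, u)}"
  end
end
```

A :kept or :reset_disabled result means commands run through sudo on the VM can reach the forwarded agent socket, so root-run provisioning code can authenticate as the forwarding user for as long as the session lasts.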

@mitchellh
Owner

Ah, interesting. I think I'll add the forward agent option anyways since it's good to have. But at least this issue will exist for future googlers.

@mitchellh
Owner

config.ssh.forward_agent option added [closed by c82308f]

@mitchellh
Owner

Paul,

I've added the config.ssh.forward_agent option (as you can see in the commit message above). This enables agent forwarding on both vagrant ssh and Vagrant::SSH#execute.

Mitchell

@eugenebolshakov

Should it be added to templates/ssh_config.erb as well?

mitchellh reopened this Jun 10, 2011

@mitchellh
Owner

Yes, it should. Reopening so I find this.

@mitchellh
Owner

I've added this data to ssh_config now. I will push shortly. Closing again!

mitchellh closed this in c2bccdc Jul 6, 2011

@donovanbray

The shell provisioner automatically runs everything through sudo, so without the sudoers mod you still can't get agent forwarding while provisioning.

@mitchellh
Owner

@donovanbray This is indeed a problem. I think the solution going forward should be to run the shell provisioning as the SSH user (i.e. without sudo), with it being up to the script to be able to sudo if need be.

@mitchellh
Owner

@donovanbray I think this will have to be a feature in 0.9.0. It is too late in this release cycle to bring in such a backwards incompatible change. Thanks

@donovanbray

Shell should by default use the regular non-sudo user, then you could do like capistrano to make a sudo helper, that way its use is more explicit.

@mitchellh
Owner

Yep, I've created a separate issue for it and marked it in the 0.9.0 milestone. :)

@patcon

For future googlers, looks like @garethr has a solution to the provisioner sudo-ing here:
http://stackoverflow.com/a/8191279/504018
