Agent forwarding allows repos to be cloned from GitHub without needing an explicit deploy key for the VM being provisioned. It can be enabled in Net::SSH by passing `:forward_agent => true` to the `Net::SSH.start` options. I added it manually to lib/vagrant/ssh.rb:55, and it works as expected.
Should probably add a Vagrantfile config ssh option, and have it available in Vagrant::SSH#execute.
Never mind. This change makes it so that agent forwarding is available in `vagrant ssh -e cmd`. Still investigating how to make it work in `vagrant provision`.
Ok, the above solution does, in fact, work. My issue with provisioning is that `sudo chef-client ...` sanitizes the environment.
Ah, I see. So this is a fairly simple change, I just want to verify:
Is this correct?
Agent forwarding works fine right now, with `vagrant ssh`, because it shells out to `ssh`, and reads my `~/.ssh/config` that has it set up.
In Net::SSH, it needs `:forward_agent => true` in the options. It does not work in sudo in any case, because sudo by default sanitizes the environment. This can be fixed by adding `Defaults env_keep+=SSH_AUTH_SOCK` to `/etc/sudoers`.
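The sudoers fix mentioned in the comment above can be checked mechanically. The following is an added example, not part of the thread and not Vagrant code: it reads sudoers text and reports whether sudo would hand `SSH_AUTH_SOCK` to the command it runs. The names `sudo_keeps_var?`, `SETTING`, `STOCK` and `FIXED` are hypothetical, and the sample sudoers content is constructed.

```ruby
# Added example (not Vagrant code): does this sudoers text let sudo pass
# SSH_AUTH_SOCK to the command it runs?
# Assumptions: only global "Defaults" lines are evaluated (Defaults:user,
# Defaults@host etc. are skipped), sudo's built-in env_keep list is treated as
# not containing the variable, and env_delete is not modeled.
SETTING = /(!?)\s*(\w+)\s*(?:([+-]?=)\s*("[^"]*"|[^,\s]+))?/

def sudo_keeps_var?(sudoers_text, var = "SSH_AUTH_SOCK")
  env_reset = true  # sudo default: the command gets a minimal environment
  keep = []         # env_keep entries contributed by this file, in order
  sudoers_text.gsub(/\\\n/, " ").each_line do |line|  # join continuations
    line = line.sub(/#.*/, "").strip                  # drop comments
    next unless line =~ /\ADefaults\s+(.*)\z/
    $1.scan(SETTING) do |neg, name, op, value|
      words = value.to_s.delete('"').split
      if name == "env_reset"
        env_reset = neg.empty?
      elsif name == "env_keep"
        keep = case
               when !neg.empty? then []
               when op == "="   then words
               when op == "+="  then keep | words
               when op == "-="  then keep - words
               else keep
               end
      end
    end
  end
  # env_keep entries may use "*" wildcards, so match them as patterns.
  !env_reset || keep.any? { |pattern| File.fnmatch(pattern, var) }
end

# Constructed sample input: a stock-looking file, then the same file with the
# line quoted in the thread appended.
STOCK = <<~SUDOERS
  Defaults env_reset
  Defaults secure_path="/usr/sbin:/usr/bin"
  # Defaults env_keep+=SSH_AUTH_SOCK
  root ALL=(ALL) ALL
SUDOERS
FIXED = STOCK + "Defaults env_keep+=SSH_AUTH_SOCK\n"

puts "stock: #{sudo_keeps_var?(STOCK)}  fixed: #{sudo_keeps_var?(FIXED)}"
```

A `true` result also means every command run through sudo on that machine can reach the forwarded agent socket, so the same check is useful when reviewing which hosts carry this setting.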
Ah, interesting. I think I'll add the forward agent option anyways since it's good to have. But at least this issue will exist for future googlers.
config.ssh.forward_agent option added [closed by c82308f]
I've added the config.ssh.forward_agent option (as you can see in the commit message above). This enables agent forwarding on both vagrant ssh and Vagrant::SSH#execute.
Should it be added to templates/ssh_config.erb as well?
Yes, it should. Reopening so I find this.
I've added this data to ssh_config now. I will push shortly. Closing again!
Forward agent and forward X11 properly appear in `ssh_config` output.…
… [closes GH-105]
The shell provisioner automatically runs everything through sudo, so without the sudoers mod you still can't get agent forwarding while provisioning.
@donovanbray This is indeed a problem. I think the solution going forward should be to run the shell provisioning as the SSH user (i.e. without sudo), with it being up to the script to be able to sudo if need be.
@donovanbray I think this will have to be a feature in 0.9.0. It is too late in this release cycle to bring in such a backwards incompatible change. Thanks
Shell should by default use the regular non-sudo user, then you could do like Capistrano to make a sudo helper, that way its use is more explicit.
Yep, I've created a separate issue for it and marked it in the 0.9.0 milestone. :)
For future googlers, looks like @garethr has a solution to the provisioner sudo-ing here: