Verify your current identity
Load keys from
~/.sshinto the authentication agent
The GitHub set up guide has a good introduction to
ssh keys, if all goes well it looks like this:
doug@local:~$ ssh -T firstname.lastname@example.org Hi Douglas! You've successfully authenticated, but GitHub does not provide shell access.
ssh keys are on my local machine, connecting to GitHub is seamless. While setting up a remote server to demo a side project, I wanted to check out some code from GitHub, and here’s what happened:
doug@local:~$ ssh doug@remote doug@remote:~$ ssh -T email@example.com Permission denied (publickey).
To connect to GitHub I need to use my private key, but I don’t want to copy my key to the remote server. SSH Agent Forwarding to the rescue.
SSH Agent: Could not open a connection
The first problem was that I couldn’t access my local
ssh agent from the remote server. Here’s what the error looks like:
doug@remote:~$ ssh-add -l Could not open a connection to your authentication agent.
Agent forwarding needs to be enabled locally and on the remote server. On my local machine, I added this to my
Host remote ForwardAgent yes
Host section header accepts a wildcard, but make sure to only enable it for hosts you trust to act as if they have your private key. On the server,
AllowAgentForwarding yes should appear in
sshd_config, but this is the default on Ubuntu so I didn’t have to make a change.
SSH Agent: The agent has no identities
Once the remote machine could connect to the agent, I was surprised to find that it didn’t know my identity, even though I was already connected to the remote machine!
doug@remote:~$ ssh-add -l The agent has no identities.
This produced the same output on my local machine, so it looks like the
ssh connection was using the private key directly, skipping the agent. I ran
ssh-add to add the local keys in
~/.ssh to the agent:
doug@local:~$ ssh-add Identity added: /Users/doug/.ssh/id_dsa (/Users/doug/.ssh/id_dsa) doug@local:~$ ssh-add -l 1024 b6:dd:b7:1f:bc:25:31:d3:12:f4:92:1c:0b:93:5f:4b /Users/doug/.ssh/id_dsa (DSA)
ssh -v verbose flag produces lots of interesting output on authentication negotiation. Here’s the line which shows that GitHub requires publickey authentication:
doug@remote:~$ ssh -vT firstname.lastname@example.org ... debug1: Authentications that can continue: publickey ... Permission denied (publickey).