Tools:
ssh-add -l: Verify your current identity
ssh-add: Load keys from ~/.ssh into the authentication agent
The GitHub setup guide has a good introduction to ssh keys. If all goes well, it looks like this:
doug@local:~$ ssh -T git@github.com
Hi Douglas! You've successfully authenticated, but GitHub does not provide shell access.
Since my ssh keys are on my local machine, connecting to GitHub is seamless. While setting up a remote server to demo a side project, I wanted to check out some code from GitHub, and here’s what happened:
doug@local:~$ ssh doug@remote
doug@remote:~$ ssh -T git@github.com
Permission denied (publickey).
To connect to GitHub I need to use my private key, but I don’t want to copy my key to the remote server. SSH Agent Forwarding to the rescue.
SSH Agent: Could not open a connection
The first problem was that I couldn’t access my local ssh agent from the remote server. Here’s what the error looks like:
doug@remote:~$ ssh-add -l
Could not open a connection to your authentication agent.
Agent forwarding needs to be enabled locally and on the remote server. On my local machine, I added this to my ~/.ssh/config:
Host remote
    ForwardAgent yes
The Host section header accepts a wildcard, but make sure to only enable it for hosts you trust to act as if they have your private key. On the server, AllowAgentForwarding yes should appear in sshd_config, but this is the default on Ubuntu so I didn’t have to make a change.
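One way to check a client config for the wildcard case described above, as an added example that is not code from the original post. The function name audit_forward_agent and the sample host names are made up for illustration, and Match and Include directives are not evaluated:

```python
import re

# Constructed sample of a client config (~/.ssh/config); host names are made up.
SAMPLE_CONFIG = """\
# demo box, trusted
Host remote
    ForwardAgent yes

Host *.example.com !bastion.example.com
    User doug
    ForwardAgent=yes

Host github.com
    ForwardAgent no

Host *
    forwardagent yes
"""


def audit_forward_agent(config_text):
    """Return (line_no, host_patterns) for every ForwardAgent setting that is
    enabled under a wildcard Host pattern or before any Host line."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both valid; keywords are
        # case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            patterns = value.split()
        elif keyword == "match":
            patterns = []  # Match criteria are not evaluated by this check
        # Anything but "no" (yes, a socket path, $VAR) turns forwarding on.
        elif keyword == "forwardagent" and value.lower() != "no":
            # Negated patterns (!host) only exclude; they never widen the scope.
            wide = [p for p in patterns
                    if not p.startswith("!") and ("*" in p or "?" in p)]
            if wide:
                findings.append((line_no, patterns))
    return findings


if __name__ == "__main__":
    for line_no, patterns in audit_forward_agent(SAMPLE_CONFIG):
        print(f"line {line_no}: ForwardAgent enabled for {' '.join(patterns)}")
```

The single-host block for remote is not reported; only the two wildcard scopes in the sample are.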
SSH Agent: The agent has no identities
Once the remote machine could connect to the agent, I was surprised to find that it didn’t know my identity, even though I was already connected to the remote machine!
doug@remote:~$ ssh-add -l
The agent has no identities.
This produced the same output on my local machine, so it looks like the ssh connection was using the private key directly, skipping the agent. I ran ssh-add to add the local keys in ~/.ssh to the agent:
doug@local:~$ ssh-add
Identity added: /Users/doug/.ssh/id_dsa (/Users/doug/.ssh/id_dsa)
doug@local:~$ ssh-add -l
1024 b6:dd:b7:1f:bc:25:31:d3:12:f4:92:1c:0b:93:5f:4b /Users/doug/.ssh/id_dsa (DSA)
This isn’t something I would want to have to run after every restart, so here is how to make it happen automatically on OS X and Windows.
Digging Deeper
The ssh -v verbose flag produces lots of interesting output on authentication negotiation. Here’s the line which shows that GitHub requires publickey authentication:
doug@remote:~$ ssh -vT git@github.com
...
debug1: Authentications that can continue: publickey
...
Permission denied (publickey).