Skip to content

Instantly share code, notes, and snippets.

@scottjacobsen scottjacobsen/git+clone+ssh+agent+forward+sudo
Created Dec 14, 2012

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Git clone using ssh agent forwarding and sudo
Raw
git+clone+ssh+agent+forward+sudo
SSH agent forwarding is great. It allows you to ssh from one server to
another all the while using the ssh-agent running on your local
workstation. The benefit is you don't need to generate ssh key pairs
on the servers you are connecting to in order to hop around.
When you ssh to a remote machine the remote machine talks to your
local ssh-agent through the socket referenced by the SSH_AUTH_SOCK
environment variable.
So you the remote server you can do something like:
> git clone git@github.com:my-github-account/my-repo.git
And git will make use of the ssh-agent running on your local
workstation to authenticate with github and clone your repo.
This fails if you do
> sudo git clone git@github.com:my-github-account/my-repo.git
because your environment variables are not available to the
commands running under sudo.
However, you can set the SSH_AUTH_SOCK variable for the command by
passing it on the command line like so
> sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK git clone git@github.com:my-github-account/my-repo.git
and all is well.
@habibalamin

This comment has been minimized.

Sign in to view
Copy link

habibalamin commented Dec 21, 2013

This has been really helpful, I was almost starting to get frustrated.
@elephantum

This comment has been minimized.

Sign in to view
Copy link

elephantum commented Apr 13, 2014

Thanks, that helps a lot.
@AlekSi

This comment has been minimized.

Sign in to view
Copy link

AlekSi commented Jan 21, 2015

It's a hack, but helpful one. Thank you. 👍
@leifmadsen

This comment has been minimized.

Sign in to view
Copy link

leifmadsen commented Mar 17, 2015

Alternatively create a file in /etc/sudoers.d/99-keep-ssh-auth-sock-env with the following contents:

Defaults>root env_keep+=SSH_AUTH_SOCK

Use visudo -f to edit and validate the change is ok.
@timbunce

This comment has been minimized.

Sign in to view
Copy link

timbunce commented Oct 8, 2015

See also http://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user
@detailyang

This comment has been minimized.

Sign in to view
Copy link

detailyang commented Nov 19, 2016

sudo The -E (preserve environment) is good too:)
@natemacinnes

This comment has been minimized.

Sign in to view
Copy link

natemacinnes commented Jan 1, 2017

Thank you sir!
@altrofimov

This comment has been minimized.

Sign in to view
Copy link

altrofimov commented Jul 7, 2017

Had a problem to clone repository on ec2 machine, it helped. Thank you.
@mdawar

This comment has been minimized.

Sign in to view
Copy link

mdawar commented Aug 7, 2017

A better way to preserve the SSH_AUTH_SOCK variable is to add a file to /etc/sudoers.d/ directory containing:

Defaults env_keep += "SSH_AUTH_SOCK"

This file should be mode 0440, you can check out /etc/sudoers.d/README for more info.
@ghost

This comment has been minimized.

Sign in to view
Copy link

ghost commented Aug 1, 2018

Indeed, adding to sudoers Defaults env_keep += "SSH_AUTH_SOCK" (use $ sudo visudo command for that) solves the problem completely.

Btw, OS X has Defaults env_keep += "SSH_AUTH_SOCK" by default enabled.
@Microserf

This comment has been minimized.

Sign in to view
Copy link

Microserf commented Apr 26, 2019

This perfectly explained the cause of and solution to the problem I had just encountered. Thank you so much for making this helpful gist!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.