Git clone using ssh agent forwarding and sudo

SSH agent forwarding is great. It allows you to ssh from one server to
another all the while using the ssh-agent running on your local
workstation. The benefit is you don't need to generate ssh key pairs
on the servers you are connecting to in order to hop around.

When you ssh to a remote machine the remote machine talks to your
local ssh-agent through the socket referenced by the SSH_AUTH_SOCK
environment variable.

So on the remote server you can do something like:

> git clone

And git will make use of the ssh-agent running on your local
workstation to authenticate with github and clone your repo.

This fails if you do

> sudo git clone

because your environment variables, SSH_AUTH_SOCK included, are not
available to the commands running under sudo.

However, you can set the SSH_AUTH_SOCK variable for the command by
passing it on the command line like so

> sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK git clone

and all is well.

This has been really helpful, I was almost starting to get frustrated.

Thanks, that helps a lot.

AlekSi commented Jan 21, 2015

It's a hack, but a helpful one. Thank you. 👍

Alternatively create a file in /etc/sudoers.d/99-keep-ssh-auth-sock-env with the following contents:

Defaults>root env_keep+=SSH_AUTH_SOCK

Use visudo -f to edit and validate the change is ok.

sudo The -E (preserve environment) is good too:)

Thank you sir!

Had a problem cloning a repository on an EC2 machine; it helped. Thank you.

mdawar commented Aug 7, 2017

A better way to preserve the SSH_AUTH_SOCK variable is to add a file to /etc/sudoers.d/ directory containing:

Defaults env_keep += "SSH_AUTH_SOCK"

This file should be mode 0440, you can check out /etc/sudoers.d/README for more info.
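
Added example, not part of the gist or of any comment in this thread: a POSIX shell check for a sudoers drop-in like the two suggested above. It reports the scope of each Defaults line that keeps SSH_AUTH_SOCK and confirms the file mode is 0440; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a sudoers.d drop-in that keeps SSH_AUTH_SOCK.
# Function names and the sample file below are constructed for illustration.

# agent_keep_scope FILE
# Prints one line per Defaults entry that adds SSH_AUTH_SOCK to env_keep:
#   global      "Defaults env_keep ..."       applies to every sudo invocation
#   runas:NAME  "Defaults>NAME env_keep ..."  applies only when the target user is NAME
#   user:NAME   "Defaults:NAME env_keep ..."  applies only when NAME invokes sudo
#   other       host (@) or command (!) scoped entries
agent_keep_scope() {
    sed 's/#.*//' "$1" |
    grep -E '^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+.*env_keep[[:space:]]*[+]?=.*SSH_AUTH_SOCK([^A-Za-z0-9_]|$)' |
    while read -r head rest; do
        scope=${head#Defaults}
        case "$scope" in
            "")   echo "global" ;;
            ">"*) echo "runas:${scope#>}" ;;
            ":"*) echo "user:${scope#:}" ;;
            *)    echo "other" ;;
        esac
    done
}

# dropin_mode_ok FILE: succeeds only if FILE has exactly mode 0440.
dropin_mode_ok() {
    [ -n "$(find "$1" -prune -perm 440 2>/dev/null)" ]
}

# audit_agent_dropin FILE: prints a one-line verdict; returns 0 only when
# the file keeps SSH_AUTH_SOCK and has mode 0440.
audit_agent_dropin() {
    scopes=$(agent_keep_scope "$1" | sort -u | tr '\n' ' ')
    if [ -z "$scopes" ]; then
        echo "no env_keep entry for SSH_AUTH_SOCK"; return 1
    fi
    if ! dropin_mode_ok "$1"; then
        echo "mode is not 0440 (scopes: ${scopes% })"; return 1
    fi
    echo "ok (scopes: ${scopes% })"
}

# Demo on a constructed file holding both forms quoted in the comments above.
demo=$(mktemp)
printf '%s\n' 'Defaults>root env_keep+=SSH_AUTH_SOCK' \
              'Defaults env_keep += "SSH_AUTH_SOCK"' > "$demo"
chmod 0440 "$demo"
audit_agent_dropin "$demo"
rm -f "$demo"
```

Syntax validation is still visudo's job (visudo -cf FILE); this check only covers scope and file mode.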

ghost commented Aug 1, 2018

Indeed, adding to sudoers Defaults env_keep += "SSH_AUTH_SOCK" (use $ sudo visudo command for that) solves the problem completely.

Btw, OS X has Defaults env_keep += "SSH_AUTH_SOCK" enabled by default.

This perfectly explained the cause of and solution to the problem I had just encountered. Thank you so much for making this helpful gist!
