Git clone using ssh agent forwarding and sudo
SSH agent forwarding is great. It allows you to ssh from one server to
another, all the while using the ssh-agent running on your local
workstation. The benefit is that you don't need to generate ssh key pairs
on the servers you are connecting to in order to hop around.

When you ssh to a remote machine, the remote machine talks to your
local ssh-agent through the socket referenced by the SSH_AUTH_SOCK
environment variable.

So on the remote server you can do something like:

> git clone

And git will make use of the ssh-agent running on your local
workstation to authenticate with GitHub and clone your repo.

This fails if you do

> sudo git clone

because your environment variables are not available to the
commands running under sudo.

However, you can set the SSH_AUTH_SOCK variable for the command by
passing it on the command line like so

> sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK git clone

and all is well.
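
The per-command form above wrapped as a shell function, as an added example that is not part of the original gist: it checks that SSH_AUTH_SOCK is set and points at a socket, then passes only that variable through sudo. The names check_agent_sock and sudo_with_agent and the SUDO_BIN override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the gist): run one command under sudo with the
# forwarded agent socket, after checking that the socket is really there.
# SUDO_BIN is a hypothetical override so the function can be exercised
# without root; it defaults to the real sudo.

# check_agent_sock: 0 = usable, 1 = variable unset or empty, 2 = not a socket.
check_agent_sock() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: connect with 'ssh -A' or ForwardAgent yes" >&2
        return 1
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket (stale session?)" >&2
        return 2
    fi
    return 0
}

# sudo_with_agent CMD [ARGS...]: pass only SSH_AUTH_SOCK through sudo.
sudo_with_agent() {
    if [ "$#" -eq 0 ]; then
        echo "usage: sudo_with_agent command [args...]" >&2
        return 64
    fi
    check_agent_sock || return $?
    # VAR=value before the command is sudo's own syntax; the sudoers policy
    # still decides whether the variable is accepted.
    "${SUDO_BIN:-sudo}" SSH_AUTH_SOCK="$SSH_AUTH_SOCK" "$@"
}
```

After sourcing the file, `sudo_with_agent git clone` followed by the repository URL behaves like the command in the gist, but fails early with a clear message when no agent was forwarded.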
altrofimov commented Jul 7, 2017

Had a problem cloning a repository on an EC2 machine; it helped. Thank you.

mdawar commented Aug 7, 2017

A better way to preserve the SSH_AUTH_SOCK variable is to add a file to the /etc/sudoers.d/ directory containing:

Defaults env_keep += "SSH_AUTH_SOCK"

This file should be mode 0440; you can check out /etc/sudoers.d/README for more info.

ghost commented Aug 1, 2018

Indeed, adding to sudoers Defaults env_keep += "SSH_AUTH_SOCK" (use $ sudo visudo command for that) solves the problem completely.

Btw, OS X has Defaults env_keep += "SSH_AUTH_SOCK" enabled by default.

Microserf commented Apr 26, 2019

This perfectly explained the cause of and solution to the problem I had just encountered. Thank you so much for making this helpful gist!
