ssh-agent forwarding

Hi,

Trying for hours, can't make it work (although it already worked at some point)…

OK.

I have a public ssh key, say ~/.ssh/id_rsa.pub, and configured it in Bitbucket. I am able to check out my project from Bitbucket using public key authentication on my local machine.

Was going to try that on an ansible node using ssh-agent forwarding.

Running ssh-add ~/.ssh/id_rsa once. ssh-add -l shows

4096 SHA256:SpKY4tbbE7pkV5Ex3plKgu6X4nq6jtnM+Lss5Xk605A me@anywhere (RSA)

As said, the same key is configured in Bitbucket.

My ./ansible.cfg:

[ssh_connection]
ssh_args=-o ForwardAgent=yes

The playbook:

Are you using become? If so, sudo by default will not pass the env var used for SSH_AUTH_SOCK.

Oh, strange. Maybe I know why it works. I must have tried that earlier too.

On my node I tried to clone the project manually. Didn’t work of course. But on the way I was asked to add the bitbucket identity to the known hosts on my node.

The authenticity of host 'bitbucket.org (104.192.141.1)' can't be established.

RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'bitbucket.org,104.192.141.1' (RSA) to the list of known hosts.

git@bitbucket.org: Permission denied (publickey).

In the end the local clone didn't work, but after that step the above sequence worked from my control node… So I was able to clone the project from remote after adding bitbucket as a known host on the node… Does that make sense?

No, become is not used.

Interesting. I can achieve the same effect (it works from the outside) after having run

ssh -T git@bitbucket.org

It seems I would need to add bitbucket as a known host somehow before the clone attempt…

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/known_hosts_module.html

Same result with

ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts

on the remote node.

I think that in order to make ssh-agent forwarding work with Ansible (at least with Bitbucket) one has to make sure the node knows about the public key of Bitbucket beforehand.

Finally this works for me:

Moving become out of the main play and into only the specific plays that needed it solved my issue. Thanks, 2 years later!
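The thread settles on two separate points: the node must already trust Bitbucket's host key before the clone (the known_hosts posts above), and the clone task must not run under sudo, because become drops SSH_AUTH_SOCK and with it the forwarded agent (the become question and the final reply). The playbook below is an added example that is not from the thread or from Ansible's documentation; it assumes the poster's ansible.cfg (`ssh_args=-o ForwardAgent=yes`), a key already loaded with `ssh-add` on the control node, a remote login user given by `ansible_user` with a home under /home, and a placeholder repository URL. Instead of accepting whatever key ssh-keyscan returns (trust on first use), it pins the RSA fingerprint quoted in the thread and aborts if the scanned key does not match, so a changed host key fails loudly rather than being silently recorded.

```yaml
# Added example (not from the thread): seed Bitbucket's host key on the node,
# check its fingerprint, then clone over the forwarded agent without sudo.
# Assumes ansible.cfg contains:
#   [ssh_connection]
#   ssh_args=-o ForwardAgent=yes
# and that `ssh-add -l` on the control node lists the key registered in Bitbucket.
- name: Clone a Bitbucket repository using a forwarded ssh-agent
  hosts: nodes
  become: true                      # play-level sudo for any other tasks
  vars:
    bitbucket_host: bitbucket.org
    # Fingerprint as printed in the thread above; confirm it against the
    # provider's published host-key fingerprints before pinning it.
    bitbucket_rsa_fingerprint: "SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"
    repo_url: "git@bitbucket.org:EXAMPLE_ORG/EXAMPLE_PROJECT.git"   # placeholder
    remote_home: "/home/{{ ansible_user }}"                          # assumption
    checkout_dir: "{{ remote_home }}/project"

  tasks:
    - name: Fetch the Bitbucket RSA host key once, on the control node
      ansible.builtin.command: ssh-keyscan -t rsa {{ bitbucket_host }}
      delegate_to: localhost
      become: false
      run_once: true
      changed_when: false
      register: bb_keyscan

    - name: Compute the fingerprint of the scanned key
      ansible.builtin.command: ssh-keygen -lf /dev/stdin
      args:
        stdin: "{{ bb_keyscan.stdout }}"
      delegate_to: localhost
      become: false
      run_once: true
      changed_when: false
      register: bb_fingerprint

    - name: Refuse to continue if the scanned key does not match the pinned fingerprint
      ansible.builtin.assert:
        that:
          - bitbucket_rsa_fingerprint in bb_fingerprint.stdout
        fail_msg: "Host key for {{ bitbucket_host }} does not match the pinned fingerprint"

    - name: Make sure the login user's ~/.ssh exists with safe permissions
      ansible.builtin.file:
        path: "{{ remote_home }}/.ssh"
        state: directory
        mode: "0700"
      become: false                 # the login user's directory, not root's

    - name: Add the verified host key to the login user's known_hosts
      ansible.builtin.known_hosts:
        path: "{{ remote_home }}/.ssh/known_hosts"
        name: "{{ bitbucket_host }}"
        key: "{{ bb_keyscan.stdout_lines | first }}"
        state: present
      become: false

    - name: Clone the project over the forwarded agent
      ansible.builtin.git:
        repo: "{{ repo_url }}"
        dest: "{{ checkout_dir }}"
        version: main
        accept_hostkey: false       # no trust-on-first-use; the pinned key is the only anchor
      become: false                 # sudo would drop SSH_AUTH_SOCK and the forwarded agent
```

If a task in the same play really must run as root after the clone, give only that task `become: true`; keeping become off the git task is what makes the forwarded socket visible to git, which is the same fix the last reply describes.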