Connecting to SSH authentication agent when running commands with sudo
I use etckeeper to keep my various OS configurations under version control. Until now, I was content to just use a local Git repository to keep track of changes but it occurred to me that I wasn’t making the most of this feature and I decided that it would be useful to configure a remote repository to keep copies of these repositories so that the /etc configurations are available from other machines.
On the remote server, I created a bare repository (ensuring only the git user can access its contents):
sudo -u git -H git init --bare ~git/repos/anthony-etc.git
chmod -R 700 ~git/repos/anthony-etc.git/
The SSH daemon on the remote server was configured to allow users (including the git user) to use only keys for authentication – and I had already uploaded my personal public key to the .authorized_keys of the git user on the server.
On the local machine, I added this as remote repository:
sudo git remote add origin git@example.com:/home/git/repos/anthony-etc.git/
Since only a super user can modify files in the /etc directory (including its .git sub-directory), all the Git commands are run using sudo.
Before attempting to push using SSH, I checked to see if I could use my current SSH authentication agent:
$ sudo ssh-add -l
Could not open a connection to your authentication agent.
This failed when being run using sudo and I was wondering how I could configure sudo to work with the SSH authentication agent that I’m already using as a non-super user.
ssh sudo ssh-agent etckeeper
asked 1 hour ago
Anthony Geoghegan
7,57543954
add a comment |
I use etckeeper to keep my various OS configurations under version control. Until now, I was content to just use a local Git repository to keep track of changes but it occurred to me that I wasn’t making the most of this feature and I decided that it would be useful to configure a remote repository to keep copies of these repositories so that the /etc configurations are available from other machines.
On the remote server, I created a bare repository (ensuring only the git user can access its contents):
sudo -u git -H git init --bare ~git/repos/anthony-etc.git
chmod -R 700 ~git/repos/anthony-etc.git/
The SSH daemon on the remote server was configured to allow users (including the git user) to use only keys for authentication – and I had already uploaded my personal public key to the .authorized_keys of the git user on the server.
On the local machine, I added this as remote repository:
sudo git remote add origin git@example.com:/home/git/repos/anthony-etc.git/
Since only a super user can modify files in the /etc directory (including its .git sub-directory), all the Git commands are run using sudo.
Before attempting to push using SSH, I checked to see if I could use my current SSH authentication agent:
$ sudo ssh-add -l
Could not open a connection to your authentication agent.
This failed when being run using sudo and I was wondering how I could configure sudo to work with the SSH authentication agent that I’m already using as a non-super user.
ssh sudo ssh-agent etckeeper
asked 1 hour ago
Anthony Geoghegan
7,57543954
add a comment |
I use etckeeper to keep my various OS configurations under version control. Until now, I was content to just use a local Git repository to keep track of changes but it occurred to me that I wasn’t making the most of this feature and I decided that it would be useful to configure a remote repository to keep copies of these repositories so that the /etc configurations are available from other machines.
On the remote server, I created a bare repository (ensuring only the git user can access its contents):
sudo -u git -H git init --bare ~git/repos/anthony-etc.git
chmod -R 700 ~git/repos/anthony-etc.git/
The SSH daemon on the remote server was configured to allow users (including the git user) to use only keys for authentication – and I had already uploaded my personal public key to the .authorized_keys of the git user on the server.
On the local machine, I added this as remote repository:
sudo git remote add origin git@example.com:/home/git/repos/anthony-etc.git/
Since only a super user can modify files in the /etc directory (including its .git sub-directory), all the Git commands are run using sudo.
Before attempting to push using SSH, I checked to see if I could use my current SSH authentication agent:
$ sudo ssh-add -l
Could not open a connection to your authentication agent.
This failed when being run using sudo and I was wondering how I could configure sudo to work with the SSH authentication agent that I’m already using as a non-super user.
ssh sudo ssh-agent etckeeper
asked 1 hour ago
Anthony Geoghegan
7,57543954
I use etckeeper to keep my various OS configurations under version control. Until now, I was content to just use a local Git repository to keep track of changes but it occurred to me that I wasn’t making the most of this feature and I decided that it would be useful to configure a remote repository to keep copies of these repositories so that the /etc configurations are available from other machines.
On the remote server, I created a bare repository (ensuring only the git user can access its contents):
sudo -u git -H git init --bare ~git/repos/anthony-etc.git
chmod -R 700 ~git/repos/anthony-etc.git/
The SSH daemon on the remote server was configured to allow users (including the git user) to use only keys for authentication – and I had already uploaded my personal public key to the .authorized_keys of the git user on the server.
On the local machine, I added this as remote repository:
sudo git remote add origin git@example.com:/home/git/repos/anthony-etc.git/
Since only a super user can modify files in the /etc directory (including its .git sub-directory), all the Git commands are run using sudo.
Before attempting to push using SSH, I checked to see if I could use my current SSH authentication agent:
$ sudo ssh-add -l
Could not open a connection to your authentication agent.
This failed when being run using sudo and I was wondering how I could configure sudo to work with the SSH authentication agent that I’m already using as a non-super user.
ssh sudo ssh-agent etckeeper
ssh sudo ssh-agent etckeeper
asked 1 hour ago
Anthony Geoghegan
7,57543954
asked 1 hour ago
Anthony Geoghegan
7,57543954
edited 26 mins ago
asked 1 hour ago
Anthony Geoghegan
7,57543954
asked 1 hour ago
Anthony Geoghegan
7,57543954
asked 1 hour ago
Anthony Geoghegan
7,57543954
7,57543954
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and most GNU/Linux distributions ship with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master
answered 1 hour ago
Anthony Geoghegan
7,57543954
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f492523%2fconnecting-to-ssh-authentication-agent-when-running-commands-with-sudo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and most GNU/Linux distributions ship with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master
answered 1 hour ago
Anthony Geoghegan
7,57543954
add a comment |
The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and most GNU/Linux distributions ship with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master
answered 1 hour ago
Anthony Geoghegan
7,57543954
add a comment |
The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and most GNU/Linux distributions ship with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master
answered 1 hour ago
Anthony Geoghegan
7,57543954
The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and most GNU/Linux distributions ship with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master
answered 1 hour ago
Anthony Geoghegan
7,57543954
answered 1 hour ago
Anthony Geoghegan
7,57543954
answered 1 hour ago
Anthony Geoghegan
7,57543954
answered 1 hour ago
Anthony Geoghegan
7,57543954
7,57543954
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f492523%2fconnecting-to-ssh-authentication-agent-when-running-commands-with-sudo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
