David - Musings of an SRE

Properly using SSH Agent Forwarding in Capistrano

You’ve probably seen this in your Capistrano deploy script:

# /config/deploy.rb
set :ssh_options, { :forward_agent => true }

SSH agent forwarding is a great way to keep SSH keys manageable: it lets the deployment server authenticate to the git repository with your own local private key, so you don't have to give the deployment server its own access to the repository.

GitHub has an awesome article explaining this.

My tl;dr version:

1. Check that your ssh-agent has access to your key

$ ssh-add -L

If it doesn't have it, add it:

$ ssh-add

2. Check that your local SSH config allows Agent Forwarding

# /etc/ssh_config file
Host *
  SendEnv LANG LC_*
#  ForwardAgent no # make sure this is commented out or deleted.

3. Check that your remote server (your deployment machine) allows Agent Forwarding

# /etc/ssh/sshd_config
AllowAgentForwarding yes

4. Done!
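
The checks in steps 1 to 3 can be scripted. The functions below are an added example, not code from the original post: the function names are hypothetical, and the config parsing is a simplification that does not evaluate Match blocks or Include files.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Simplification: Match blocks and Include files are not evaluated.

# Print every active (uncommented) value of keyword $1 in config file $2.
# OpenSSH keywords are case-insensitive; "Key value" and "Key=value" both work.
active_values() {
  awk -v key="$1" '{
    line = $0
    sub(/#.*/, "", line)                  # drop comments
    gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
    if (line == "") next
    n = split(line, f, /[ \t=]+/)
    if (n >= 2 && tolower(f[1]) == tolower(key)) print f[2]
  }' "$2"
}

# Step 1: the agent holds at least one key (ssh-add exits non-zero otherwise).
agent_has_keys() {
  ssh-add -L >/dev/null 2>&1
}

# Step 2: no active "ForwardAgent no" anywhere in the client config.
local_config_ok() {
  ! active_values ForwardAgent "$1" | grep -qx 'no'
}

# Step 3: sshd keeps the first value it reads; the default is "yes".
sshd_allows_forwarding() {
  v=$(active_values AllowAgentForwarding "$1" | head -n 1)
  [ "${v:-yes}" = "yes" ]
}

# Local side of the checklist; pass the client config path used on your machine.
preflight() {
  agent_has_keys || { echo "agent has no keys: run ssh-add"; return 1; }
  local_config_ok "$1" || { echo "active 'ForwardAgent no' in $1"; return 1; }
  echo "local checks passed"
}
```

Call `preflight /etc/ssh_config` on your own machine and `sshd_allows_forwarding /etc/ssh/sshd_config` on the deployment machine.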