
How to get ssh agent forwarding working with multiple accounts on a vm?


There are a good number of answers out there on ssh agent forwarding, but I couldn't seem to find one that addresses my issue.

I am using packer.io to automate the provisioning of my servers. One of the builders I am using is the virtualbox-iso builder to allow me to create a Vagrant box for local testing.

My host machine is a MacBook Pro, on which I have added two ssh keys to ssh-agent with a command like: ssh-add -K ~/.ssh/id_rsa. I can verify they both exist with ssh-add -l and ssh-add -L.

One of the keys is my work bitbucket account and the other is my personal account. I would like to specifically target the work account on this particular VM. On my Host I created a config under ~/.ssh/config with the following contents:

Host work.bitbucket.org
  User workuser
  ForwardAgent yes
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa

Host bitbucket.org
  User homeuser
  ForwardAgent yes
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa_personal

I could then log in on my Host with my work key via: ssh -T [email protected] and my home key with ssh -T [email protected].

Now for the VM...

Following instructions I had found from other answers I had added config.ssh.forward_agent = true to my Vagrantfile.

I also do the following in one of my provisioning scripts:

echo "updating known_hosts folder"
ssh-keyscan work.bitbucket.org >> ~/.ssh/known_hosts

echo "adding bitbucket key from file"
sudo cat /input/rsa.txt >> ~/.ssh/authorized_keys

The first command allows me to avoid any future prompts to add the key to my known_hosts file. The second command simply appends my work rsa key from a file that was uploaded in a previous step.

This seems to get my agent forwarding working on my VM to some degree; however, it always chooses the first entry in my ssh-agent.

If I try either: ssh -T [email protected] or ssh -T [email protected] I always get the first key listed in ssh-add -l. (I actually verified this by adding and removing keys to manipulate the order)

I assumed this was due to the fact that I am already in an ssh session while I am on the box. So I looked at this question to verify how vagrant ssh actually works. I tried to manipulate my Host machine's config file with 127.0.0.1:PORT where PORT was the specific port my machine is on. I also tried adding a wildcard config on my VM to allow the hop, but I had obviously not set something up correctly, as it still doesn't work as expected.

For now I can just manually remove (ssh-add -d pathtokeytoremovehere) the extra keys and add them back when I need them, but this is obviously not ideal.

Any ideas?


Solution

  • You are forwarding the ssh-agent, but not the local configuration which is responsible for selecting the correct key for you. To make it work, you will also have to copy the configuration to the server.

    But do not copy the private keys there. Referencing the public keys should do the job, since they will allow ssh to try that key and pick the correct one from the ssh-agent.
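As an added example (not code from the question or the answer), a provisioning snippet that writes the per-host config onto the VM with IdentityFile pointing at .pub files only, plus a check that no private key path slipped in. It assumes the Host aliases and user names from the question, adds HostName so the work alias resolves, and assumes the .pub files were uploaded by an earlier provisioning step.

```shell
# Added example: select the right forwarded-agent key on the VM using only
# public keys. Paths, aliases and user names are assumptions from the question.
set -eu

# Write $1/config for the two Bitbucket identities; $2 and $3 are .pub paths.
# IdentitiesOnly + a .pub IdentityFile makes ssh offer only the agent key whose
# public half matches, instead of the first key in ssh-add -l.
write_vm_ssh_config() {
  dir=$1 work_pub=$2 home_pub=$3
  mkdir -p "$dir" && chmod 700 "$dir"
  cat > "$dir/config" <<EOF
# Work account: offer only the agent key whose public half is $work_pub
Host work.bitbucket.org
  HostName bitbucket.org
  User workuser
  IdentitiesOnly yes
  IdentityFile $work_pub

# Personal account: offer only the agent key whose public half is $home_pub
Host bitbucket.org
  User homeuser
  IdentitiesOnly yes
  IdentityFile $home_pub
EOF
  chmod 600 "$dir/config"
}

# Print every IdentityFile path in config $1, one per line.
identity_files() {
  awk '$1 == "IdentityFile" { print $2 }' "$1"
}

# Return 0 if every IdentityFile in $1 is a public key (.pub file whose first
# line starts with a key type), 1 otherwise: private keys must stay on the host.
only_public_keys() {
  for f in $(identity_files "$1"); do
    case "$f" in *.pub) ;; *) return 1 ;; esac
    head -n 1 "$f" | grep -Eq '^(ssh-|ecdsa-|sk-)' || return 1
  done
  return 0
}

# On the VM, confirm which key ssh would offer for the alias:
#   ssh -G work.bitbucket.org | grep -i identityfile
```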