git + sudo + local ssh keys

published on 2012-05-08 in computing

Some colleagues and I wanted to be able to check out code onto a remote server using our local github ssh keys, and to do that as any user we please (for example, the deploy user). After a bit of research, I found that it's possible! In short, you use ssh-agent forwarding to make your key available on the remote server, then set up sudo to pass the agent's socket through the environment when you switch users. Let's do this!

I'm on a Mac, which has ssh-agent running by default. Yay! But you still want to verify that your key is loaded in the agent:

laptop:~ n8foo$ ssh-add -l
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /Users/n8foo/.ssh/id_rsa (RSA)

Now, ssh into your remote server with the -A flag, which forwards your agent connection so the remote host can authenticate with your local keys.

ssh -A remoteuser@remote.server.com

Test that the agent forwarding worked:

[remoteuser@remote ~]$ ssh-add -l
2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /Users/n8foo/.ssh/id_rsa (RSA)

Your keys should show up. Now, confirm that you can access github with your key from that remote server:

[remoteuser@remote ~]$ ssh -T git@github.com

Hi n8foo! You've successfully authenticated, but GitHub does not provide shell access.

OK, now let's enable this so we can switch users with sudo. By default sudo resets the environment, which drops SSH_AUTH_SOCK, the variable that points at the forwarded agent socket; sudo needs to be told to keep it. To do that, add (or modify) the Defaults line in /etc/sudoers to look something like this:

Defaults env_keep+=SSH_AUTH_SOCK

You can do this with a one-liner if you have a default ubuntu sudo config. Note that it rewrites every Defaults line in the file, so check the result with visudo -c afterwards:

# sed -i "s/^Defaults.*/Defaults env_keep+=SSH_AUTH_SOCK/g" /etc/sudoers

Everything should be working now. Let's test...

[remoteuser@remote ~]$ sudo su - someotheruser
[someotheruser@remote ~]$ ssh -T git@github.com

Hi n8foo! You've successfully authenticated, but GitHub does not provide shell access.

You can now get your git on, directly on your remote machine, as another user. Done!
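The following is an added preflight script, not code from the original post, that walks the chain described above: is a usable agent socket present in the current shell, and will sudo keep SSH_AUTH_SOCK when you switch users. It also offers a safer way to add the env_keep line than editing /etc/sudoers with sed in place, by validating a patched copy with visudo -c before installing it. It assumes a POSIX sh with grep -E and mktemp, and visudo for add_env_keep only; the function names are mine. Keep in mind that while you are connected with -A, anyone with root on the remote host can use your forwarded agent, so only forward to hosts you trust, and where an askpass program is available consider loading the key with ssh-add -c so each use must be confirmed.

```shell
#!/bin/sh
# Preflight for "git + sudo + forwarded ssh-agent". Added example, not the post's
# own code. Assumes POSIX sh, grep -E, mktemp and (for add_env_keep only) visudo.

# sudoers_keeps_auth_sock FILE
# 0 if FILE has an uncommented "Defaults env_keep" entry naming SSH_AUTH_SOCK
# (bare "env_keep+=SSH_AUTH_SOCK" or a quoted list), 1 otherwise.
sudoers_keeps_auth_sock() {
    grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=' "$1" 2>/dev/null |
        grep -qE '(^|[[:space:]"=])SSH_AUTH_SOCK([[:space:]"]|$)'
}

# agent_socket_usable PATH
# 0 if PATH is a socket we may connect to. A forwarded socket lives under
# /tmp/ssh-*/agent.* owned by the user who logged in, mode 0600 inside a 0700
# directory. After sudo to a non-root user the variable survives, but this
# check fails because that user cannot open the original user's socket.
agent_socket_usable() {
    [ -n "$1" ] && [ -S "$1" ] && [ -w "$1" ]
}

# check_forwarding SOCKET SUDOERS
# Walks the post's chain: agent reachable here, and sudo configured to keep it.
# Prints a diagnosis; returns 0 only when both hold (1: no agent, 2: sudoers).
check_forwarding() {
    if ! agent_socket_usable "$1"; then
        echo "no usable agent socket: did you connect with ssh -A, and is SSH_AUTH_SOCK set?"
        return 1
    fi
    if ! sudoers_keeps_auth_sock "$2"; then
        echo "sudo will drop SSH_AUTH_SOCK: add 'Defaults env_keep+=SSH_AUTH_SOCK' with visudo"
        return 2
    fi
    echo "ok: agent reachable and sudo keeps SSH_AUTH_SOCK"
}

# add_env_keep FILE
# Appends the env_keep line to FILE only after visudo accepts a patched copy,
# so a typo cannot lock you out of sudo. Idempotent. Run as root against
# /etc/sudoers; returns 3 if visudo is not installed, 4 on I/O trouble,
# 5 if visudo rejects the result (FILE is then left untouched).
add_env_keep() {
    sudoers_keeps_auth_sock "$1" && return 0
    command -v visudo >/dev/null 2>&1 || return 3
    tmp=$(mktemp) || return 4
    cat "$1" > "$tmp" && printf '%s\n' 'Defaults env_keep+=SSH_AUTH_SOCK' >> "$tmp" ||
        { rm -f "$tmp"; return 4; }
    if visudo -c -q -f "$tmp"; then
        cat "$tmp" > "$1"; rc=$?
    else
        echo "visudo rejected the patched copy; $1 left unchanged" >&2; rc=5
    fi
    rm -f "$tmp"
    return $rc
}

# When run directly, report on the current shell. The exit status is discarded
# here so the file can also be sourced for its functions.
check_forwarding "${SSH_AUTH_SOCK:-}" /etc/sudoers || :
```

Run it once as the user you logged in as (after ssh -A) and once again after sudo to the target user; the second run tells you whether the socket itself, not just the variable, survived the switch.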

Tags: git ssh ssh-agent sudo sysadmin