Failure to use agent forwarded ssh key with capistrano and symfony2 bin/vendors install


We use ssh agent forwarding to deploy our Symfony2 projects to our servers. This works fine and we have no issues performing git clone etc. from GitHub using capistrano.

But, for Symfony2 you need to do bin/vendors install to fetch the latest deps. This vendors script (https://github.com/symfony/symfony-standard/blob/2.0/bin/vendors) is a PHP script that performs "system()" commands like git pull.

In capifony (an add-on for capistrano and Symfony) the vendors command is implemented and we have modified it a little to use try_sudo, a change needed due to our own hosting platform. This works perfectly for public https:// URLs from GitHub:

try_sudo "sh -c 'cd #{latest_release} && #{php_bin} bin/vendors install'"

The problem we are facing is that when using the git@github.com format (needed for some private repos and when we want to modify bundles and push the changes back), the ssh-agent is not available, so our forwarded key is missing and we get permission denied errors.

  • Switching to the https:// format sounded like an easy fix, but private repos ask for a password.
  • Starting the ssh-agent in the system() command worked, but then the key still isn't there.

So I don't know what to look for any further. Some way to pass the ssh-agent into the PHP vendors script, maybe?

UPDATE:

I found the answer: sudo drops all the environment variables for security reasons, so you can never attach to the existing ssh agent.

In https://serverfault.com/questions/107187/sudo-su-username-while-keeping-ssh-key-forwarding I found both the error and the solution. By adding Defaults env_keep+=SSH_AUTH_SOCK to /etc/sudoers and then chmodding the agent socket so the user you are sudoing to can access it, you can keep the ssh agent along.

But please read the thread carefully, it is not safe to do so. The agent is destroyed when you log out, so in our capistrano deploy sequence, combined with a server with no untrusted users, I think it might be acceptable. Unless I'm mistaken?


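The two pieces the update relies on, the sudoers env_keep entry and the socket permissions, are easy to get subtly wrong, so here is an added shell example (not code from the question, capifony or Symfony) that checks both on constructed input. It assumes the target user is called deploy, uses a plain file inside a 0700 directory as a stand-in for the real /tmp/ssh-XXXXXX/agent.NNNN socket, and defines but does not run a sudo-based end-to-end check; the hypothetical function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question, capifony or Symfony. It
# checks the two pieces the update relies on: a sudoers env_keep entry
# for SSH_AUTH_SOCK, and socket permissions that let the target user
# (assumed here to be "deploy") connect to the forwarded agent.

# sudoers_keeps_var FILE VAR: succeed if FILE (sudoers syntax) has a
# "Defaults env_keep" entry that lists VAR, in any of the accepted forms:
#   Defaults env_keep += "SSH_AUTH_SOCK"
#   Defaults:deploy env_keep+=SSH_AUTH_SOCK
# Comments are dropped first, so a commented-out entry does not count.
sudoers_keeps_var() {
    sed 's/#.*//' "$1" |
        tr -d '"' |
        grep -E '^[[:space:]]*Defaults([:@>!][^[:space:]]*)?[[:space:]].*env_keep' |
        grep -Eq "env_keep[[:space:]]*[+]?=[[:space:]]*(.*[[:space:]])?$2([[:space:]]|\$)"
}

# share_agent_socket SOCK: let any local user connect to the agent socket.
# connect(2) on a Unix socket needs write permission on the socket and
# search (x) permission on the directories above it; ssh creates its
# agent directory with mode 0700, so both have to be opened up. This is
# the world-accessible form the question describes and is the unsafe
# part: while it is in place, any local user can use the forwarded key.
share_agent_socket() {
    chmod o+w "$1" && chmod o+x "$(dirname "$1")"
}

# unshare_agent_socket SOCK: undo share_agent_socket once the deploy is done.
unshare_agent_socket() {
    chmod o-w "$1" && chmod o-x "$(dirname "$1")"
}

# mode_string PATH: the nine permission bits as printed by ls, e.g. rw-----w-
mode_string() {
    ls -ld "$1" | cut -c2-10
}

# agent_reaches_user USER: from an ssh session with a forwarded agent,
# confirm USER can list the forwarded keys through sudo (requires the
# sudoers entry and socket permissions above). Not run in the demo.
agent_reaches_user() {
    sudo -n -u "$1" sh -c 'ssh-add -l >/dev/null'
}

# Demo on constructed input: two sample sudoers files and a plain file
# standing in for the agent socket (no real agent or sudo needed).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Defaults env_reset\nDefaults env_keep += "SSH_AUTH_SOCK"\n' > "$tmp/sudoers.good"
    printf 'Defaults env_reset\nDefaults env_keep += "LANG LC_ALL"\n' > "$tmp/sudoers.bad"
    sudoers_keeps_var "$tmp/sudoers.good" SSH_AUTH_SOCK && echo "good sudoers keeps SSH_AUTH_SOCK"
    sudoers_keeps_var "$tmp/sudoers.bad" SSH_AUTH_SOCK || echo "bad sudoers drops SSH_AUTH_SOCK"
    mkdir -m 700 "$tmp/ssh-demo" && : > "$tmp/ssh-demo/agent.1" && chmod 600 "$tmp/ssh-demo/agent.1"
    share_agent_socket "$tmp/ssh-demo/agent.1"
    echo "shared: socket $(mode_string "$tmp/ssh-demo/agent.1") dir $(mode_string "$tmp/ssh-demo")"
    unshare_agent_socket "$tmp/ssh-demo/agent.1"
    echo "restored: socket $(mode_string "$tmp/ssh-demo/agent.1") dir $(mode_string "$tmp/ssh-demo")"
    rm -rf "$tmp"
}

demo
```

Edit sudoers with visudo rather than by hand, and note that the chmod has to be repeated on every login, since each ssh session gets a fresh agent directory and socket (which is also why the exposure ends when the session does, as the update says). Where the filesystem supports POSIX ACLs, setfacl -m u:deploy:w on the socket and setfacl -m u:deploy:x on its directory grant the same access to the deploy user only, instead of to every local user; that narrowing is my suggestion, not something the question or the linked thread prescribes.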