Skip to content
This repository has been archived by the owner on Dec 4, 2023. It is now read-only.
/ chef_root_ssh_agent Public archive
forked from dergachev/chef_root_ssh_agent

A chef cookbook that will allow "sudo su root" to maintain ssh agent forwarding.

0 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

monsterstrike/chef_root_ssh_agent

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
recipes
recipes
 
 
templates/default
templates/default
 
 
README.md
README.md
 
 
metadata.rb
metadata.rb
 
 

Repository files navigation

root-ssh-agent

Description

A chef recipe that will allow "sudo su root" to maintain the ssh agent. This is necessary for vagrant & chef-solo to work with ssh-agent forwarding.

Installation

Clone this repository into your CHEF-REPO/cookbooks/root_ssh_agent:

# Be sure to name the cookbook "root_ssh_agent", not "chef_root_ssh_agent"
git clone git@github.com:dergachev/chef_root_ssh_agent.git root_ssh_agent

Usage

Simply include recipe[root_ssh_agent::ppid] in your run_list, and subsequently chef-solo running as root (the behavior under vagrant) will have access to your SSH_AUTH_SOCK variable, and consequently will have access your running ssh-agent instance.

Recipes

env-keep

Adds the following to /etc/sudoers.d/root_ssh_agent:

Defaults env_keep += "SSH_AUTH_SOCK"

Because it works by changing /etc/sudoers.d, this recipe will not affect the current shell session within which chef-client/chef-solo are running. Use recipe[root_ssh_agent::ppid] if you need to allow agent forwarding during a chef run.

ppid

Uses the ppid (parent process id) to find the $SSH_AUTH_SOCK path associated with the parent process (which presumably has the forwarded keys), and sets that as $SSH_AUTH_SOCK.

Because it works by setting an environment variable, this recipe only affects the current chef-client/chef-solo shell session. Use recipe[root_ssh_agent::env_keep] for a permanent fix.

Caveats

Please note if a cookbook executes commands as a non-root user (eg chef-homesick), they will not have permission to access file referenced in $SSH_AUTH_SOCK, and forwarding will fail even with recipe[root-ssh-agent::ppid].

One work-around might be to modify your recipe to use ssh user@localhost instead of su otheruser. For an example of this, see https://github.com/dergachev/chef_homesick_agent

Of course, this only works if your private key allows you to log-in as that user.

Misc notes

See the following resources:

Vagrant boxes are supposed to include the following in sudoers, in practice they don't. See hashicorp/vagrant#1151 This can be fixed by including recipe[root_ssh_agent::env_keep] when building a base vagrant box.

Debugging tips:

  • sudo su - resets all env variables, no matter what /etc/sudoers env_keep specifies. "sudo su" or "sudo su root" doesn't.
  • fail @variable.to_yaml is a good way to debug a recipe from ruby
  • ssh-add -l && false is a good way to debug a recipe's command resource
  • `sudo VISUAL=vim visudo -f /etc/sudoers.d/env_keep_sshauth

About

A chef cookbook that will allow "sudo su root" to maintain ssh agent forwarding.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

55 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Ruby 97.2%
  • HTML 2.8%