On Aug 12, 2010, at 3:34 AM, Bradley wrote:

>> Right, so I added in:
>> 
>> Host heroku.com
>> ForwardAgent yes
>> 
>> to my Tomcat user's ~/.ssh/config.  This is the user that checks out
>> from GitHub then pushes to heroku.  I still get the same error,
>> Permission denied (publickey).

Hi, Brad --

I've just done an experiment here, pushing to Heroku (with and without 
ForwardAgent turned on) a small Rack app having a Gemfile specifying a 
dependency on a privately-accessible-over-ssh git repository.

It didn't work. I see the same error you do.

As I Google, I'm suspecting this is because of the way Heroku's ssh 
authorized_keys file is configured. It turns out there's a setting called 
"no-agent-forwarding" that keeps turning up in [people's][1] [examples][2] for 
how to configure git access over ssh. (See [sshd(8)][3] for more.)

Heroku guys, would any of you be able to confirm that these 
"no-agent-forwarding" clauses are present in (the equivalent of) the 
~/.ssh/authorized_keys file for g...@heroku.com? Do I understand correctly that 
removing them would enable Brad's use case here?


On Aug 12, 2010, at 3:39 AM, David Balatero wrote:

> If Bundler is running on Heroku, the Heroku UNIX user account needs to have 
> its public key in your GitHub repo as an authorized key.
> 
> Each Heroku machine will have a different SSH key generated, and you 
> non-deterministically deploy to <some> machine in the Heroku cloud each time 
> you deploy.
> 
> Even if you had a consistent SSH key, it would be insecure for you to add 
> that key to your public repo, as anyone else deploying to the same machine as 
> you would be able to download your code repo.

Hi, David --

Yes, exactly -- this multiple-host inconsistency / insecurity is what I suspect 
we'd be able to overcome with ssh's agent forwarding. It would transitively 
allow (bundler running on) Heroku to connect to Brad's private repository using 
his local ssh keys.


All the best,  -- Matthew


[1]: http://stackoverflow.com/questions/3224340/git-push-returns-fatal-protocol-error-bad-line-length-character
[2]: http://eagain.net/blog/2007/03/22/howto-host-git.html
[3]: http://www.manpagez.com/man/8/sshd/   Oy, that's an ugly page!
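
The per-key check discussed in this message, as an added example that is not part of the original thread and not Heroku's configuration: a Python audit of authorized_keys lines for options that block agent forwarding, following the option syntax in sshd(8). The sample lines, the `serve-git` command and the key placeholders are constructed; `restrict` and `agent-forwarding` are options from OpenSSH releases later than this thread.

```python
import re

# Key-type tokens that can start a line when no options field is present.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

def split_outside_quotes(text, seps, maxsplit=-1):
    """Split text on any char in seps that is not inside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return parts

def agent_forwarding_allowed(line):
    """True/False for a key line, None for blank lines and comments.
    Reflects authorized_keys options only, not sshd_config settings."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field = split_outside_quotes(line, " \t", 1)[0]
    if KEY_TYPE.match(field):
        return True  # no options field, so nothing here blocks forwarding
    allowed = True
    for opt in split_outside_quotes(field, ","):
        name = opt.split("=", 1)[0].lower()  # option names are case-insensitive
        if name in ("no-agent-forwarding", "restrict"):
            allowed = False
        elif name == "agent-forwarding":  # re-enables after "restrict"
            allowed = True
    return allowed

def audit(text):
    """Return [(line_number, allowed)] for every key line in text."""
    checked = ((n, agent_forwarding_allowed(l))
               for n, l in enumerate(text.splitlines(), 1))
    return [(n, ok) for n, ok in checked if ok is not None]

SAMPLE = "\n".join([  # constructed sample; key material is placeholder text
    "# constructed sample",
    "ssh-rsa AAAAB3PLACEHOLDER alice@example",
    'command="serve-git bob,dev",no-port-forwarding,no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER bob@example',
    "restrict,agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDER carol@example",
    "restrict ssh-ed25519 AAAAC3PLACEHOLDER dave@example",
])
```

`audit(SAMPLE)` reports the key lines by number; a `False` entry means a forwarded agent would be refused for that key even with `ForwardAgent yes` on the client.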
