When attempting SSH agent forwarding from an Ubuntu 22.04 server to GitHub, you might encounter authentication failures despite proper configuration. The debug output shows a critical error:
channel 1: chan_shutdown_read: shutdown() failed for fd 7 [i0 o0]: Not a socket
debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
Before proceeding with fixes, confirm these indicators:
# On your local machine (where keys are stored):
ssh-add -l
4096 SHA256:hvGuLtIuwYi2LAnQ0KdC/9IgdBUmlHZer0NyXUXd5aY C:\Users\user/.ssh/id_rsa (RSA)
# On the remote server:
echo "$SSH_AUTH_SOCK"
/tmp/ssh-XXXXPWEKZo/agent.1073
The issue often stems from three specific changes in Ubuntu 22.04:
- Newer OpenSSH version (8.9p1) with stricter socket permissions
- Systemd changes affecting socket inheritance
- AppArmor policies restricting agent access
1. Socket Permissions Workaround
Create a custom SSH config entry:
Host remote
HostName SERVER_IP
User ubuntu
ForwardAgent yes
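# IdentityAgent must name the socket your local agent actually listens on
IdentityAgent ~/.ssh/agent.sock
# No SetEnv line: ssh_config does not expand $SSH_AUTH_SOCK in SetEnv, and sshd sets SSH_AUTH_SOCK itself for a forwarded session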
2. Systemd Service Fix
Create a systemd override for ssh.service:
sudo systemctl edit ssh.service
[Service]
Environment=SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
Restart=always
3. AppArmor Adjustment
Modify AppArmor profiles:
sudo nano /etc/apparmor.d/local/usr.sbin.sshd
# Add these lines:
owner @{HOME}/.ssh/ r,
owner @{HOME}/.ssh/* rw,
After applying fixes, test with:
ssh -T git@github.com -vvv
# Should show successful agent forwarding:
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:hvGuLtIuwYi2LAnQ0KdC/9IgdBUmlHZer0NyXUXd5aY
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:hvGuLtIuwYi2LAnQ0KdC/9IgdBUmlHZer0NyXUXd5aY
For complex environments, consider using ProxyJump:
Host github-proxy
HostName github.com
User git
ProxyJump remote
# ProxyJump authenticates to github.com from the local machine, so the agent is not forwarded to it
ForwardAgent no
When you use SSH agent forwarding from an Ubuntu 22.04 server to authenticate with GitHub, the connection can fail despite proper configuration with:
debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
git@github.com: Permission denied (publickey)
First confirm your agent forwarding appears to be set up correctly:
# On your local machine:
ssh-add -l
4096 SHA256:hvGuLtIuwYi2LAnQ0KdC/9IgdBUmlHZer0NyXUXd5aY (RSA)
# On the remote server after connecting:
echo "$SSH_AUTH_SOCK"
/tmp/ssh-XXXXPWEKZo/agent.1073
The root cause often stems from one of these Ubuntu 22.04 changes:
- OpenSSH 8.9 default security hardening
- New AppArmor profiles affecting socket communication
- Modified default sshd_config behaviors
1. Socket Permission Fix
Add this to your remote server's /etc/ssh/sshd_config:
StreamLocalBindUnlink yes
2. AppArmor Adjustment
Create or modify /etc/apparmor.d/local/usr.sbin.sshd:
owner /tmp/ssh-*/agent.* rw,
Then reload AppArmor:
sudo systemctl reload apparmor
3. Alternative Agent Forwarding Method
For persistent issues, try proxying the agent through a Unix socket:
# On your local .ssh/config:
Host remote
HostName SERVER_IP
User ubuntu
# ssh_config expands environment variables only in the ${VAR} form
RemoteForward /tmp/ssh-agent.sock ${SSH_AUTH_SOCK}
ForwardAgent no
# On remote server after connecting:
export SSH_AUTH_SOCK=/tmp/ssh-agent.sock
These diagnostic commands help isolate the failure point:
# Check socket connectivity:
ss -l | grep ssh
# Check for a loaded sshd AppArmor profile and for logged denials:
sudo aa-status | grep ssh
sudo dmesg | grep DENIED
# Test raw agent communication:
socat - UNIX-CONNECT:"$SSH_AUTH_SOCK"
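The checks above can be combined into one diagnosis that separates a stale or non-socket path (the "Not a socket" error) from an agent that does not answer ("communication with agent failed"). This is an added example, not part of the original page; the function name check_agent_sock and its return codes are conventions assumed here, and it is meant to be run on the remote server:

```shell
#!/bin/sh
# Added example: classify why a forwarded agent socket is unusable.
# Function name and return codes are conventions chosen for this example:
#   0 agent answers with keys   1 SSH_AUTH_SOCK empty   2 path missing
#   3 path is not a socket      4 no write access       5 agent reachable, no keys
#   6 cannot talk to agent ("communication with agent failed")
check_agent_sock() {
    sock=$1
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is empty: forwarding was not requested or sshd refused it"
        return 1
    fi
    if [ ! -e "$sock" ]; then
        echo "$sock is missing: value is stale (old tmux/screen shell?)"
        return 2
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock exists but is not a socket"
        return 3
    fi
    if [ ! -w "$sock" ]; then
        echo "$sock is not writable by $(id -un): wrong user or blocked by policy"
        return 4
    fi
    # ssh-add -l exits 0 with keys listed, 1 when the agent holds no keys,
    # and 2 when it cannot contact the agent at all.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "agent reachable through $sock and holding keys"; return 0 ;;
        1) echo "agent reachable but empty: run ssh-add on the local machine"; return 5 ;;
        *) echo "socket present but agent did not answer (ssh-add exit $rc)"; return 6 ;;
    esac
}

# Run against the current session; '||' keeps the script going on failure.
check_agent_sock "${SSH_AUTH_SOCK:-}" || echo "diagnosis code: $?"
```

Codes 1 to 3 point at the session environment, code 4 at ownership or policy, and codes 5 and 6 at the agent itself.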
If forwarding remains problematic, consider:
- Deploying a temporary key pair just for the remote server
- Using HTTPS authentication with a GitHub token
- Creating a persistent SSH multiplexing connection
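# Example multiplex setup in ~/.ssh/config:
# The ~/.ssh/sockets directory must already exist (mkdir -p ~/.ssh/sockets; chmod 700 ~/.ssh/sockets)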
Host remote
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
ControlPersist 600