Git commits not using forwarded ssh agent?

Setup:

We have several users with access to a Github repo. These users all have deploy privileges on various servers. The servers do not have access to the Github repo - they use ssh-agent forwarding to grab the users' credentials. Everything works as intended when transferring data from Github to the servers.

For accountability, deploys commit some data to the repo. This is all scripted and run server-side with no user intervention needed.

Problem:

Git commits set the committer name and email to whatever is set on the server (defaults to server username if not set explicitly). Is there a way to force Git (as the sender) or Github (as the receiver) to associate the commits with the forwarded user credentials?

For anyone with similar problems (forwarding a user's configuration when committing on a remote system) I would like to summarize the steps I took, which were inspired by this useful post:

Ensure the following setting on the remote system in /etc/ssh/sshd_config :

# Allow client to pass locale environment variables
AcceptEnv LANG LC_* GIT_* EMAIL

Add to ~/.ssh/config on the user's system:

Host *
    # provide credentials for github push
    ForwardAgent yes
    # provide username/email for git commit
    SetEnv GIT_AUTHOR_NAME="your name" EMAIL="your email"

To use Visual Studio Code with remote-ssh set in vscode settings:

"git.requireGitUserConfig": false

Despite these steps my commits were still associated with the email address configured on the remote system. This was due to the email configuration of the git user on the remote system, which can be checked with git config --global -l:

user@server:~/repo$ git config --global -l
user.email=user@domain.com
user.name=User name
...

If an email address is set for the git user on the remote system, you have to use GIT_AUTHOR_EMAIL instead of EMAIL in your ~/.ssh/config according to the Git documentation:

GIT_AUTHOR_EMAIL is the email for the “author” field.

EMAIL is the fallback email address in case the user.email configuration value isn't set. If this isn't set, Git falls back to the system user and host names.

So in my case EMAIL in my ~/.ssh/config did not have an effect because user.email on the remote system was set. It now works with this line:

SetEnv GIT_AUTHOR_NAME="your name" GIT_AUTHOR_EMAIL="your email"

One more note: I was also trying to solve the issue with ssh -T git@github.com. But the result of this check is not related to the forwarding issue. At first I saw "Permission denied", but when I solved this and authentication worked, the forwarding still didn't work.

You could try and have a hook on the server, triggered when receiving (like, for instance, this GitHubHook: a GitHub Post-Receive Deployment Hook), which would:

  • modify the local .git/config file
  • adding a user.name and user.email in said config file

That would presume the deploy commits are done before the next push from GitHub to the server; otherwise, the wrong credential would be used.

If the previous point is a concern, then you can improve that by:

  • storing those credentials elsewhere, in order of the deployments,
  • and make sure the deploy commits are done with a git commit --author='AUserName <some@email.com>', with name and email extracted from the separate file, based on the recorded order.

In that last case, there is no need to modify a local config: you build your git commit command with the right parameters, instead of relying on a local config file content.
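
Added example (not part of either answer above): a deploy-side shell helper that builds the git commit command from the forwarded GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL and fails instead of silently falling back to the server's user.* config. The function names are hypothetical, and setting GIT_COMMITTER_* as well goes beyond what the answers show.

```shell
#!/bin/sh
# Added example: deploy-side helper, not code from either answer.
# Assumes sshd accepts GIT_* (AcceptEnv) and the client sends
# GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL via SetEnv, as described above.

# Print "Name <email>" built from the forwarded variables.
# Returns non-zero if they are missing or malformed, so the caller never
# falls back to the server account's user.name / user.email.
forwarded_identity() (
    name=${GIT_AUTHOR_NAME:-}
    email=${GIT_AUTHOR_EMAIL:-}
    nl='
'
    if [ -z "$name" ] || [ -z "$email" ]; then
        echo "no forwarded identity: check SetEnv (client) and AcceptEnv (sshd)" >&2
        return 1
    fi
    # Angle brackets and newlines would corrupt the "Name <email>" header.
    case "$name$email" in
        *'<'*|*'>'*|*"$nl"*)
            echo "invalid character in forwarded identity" >&2
            return 1 ;;
    esac
    case "$email" in
        ?*@?*) ;;
        *) echo "forwarded email is not an address" >&2; return 1 ;;
    esac
    printf '%s <%s>\n' "$name" "$email"
)

# Commit the staged changes in repository $1 with message $2.
# --author sets the author field; GIT_COMMITTER_* sets the committer field,
# which otherwise comes from the server's config or system user name.
deploy_commit() (
    repo=$1
    msg=$2
    ident=$(forwarded_identity) || return 1
    GIT_COMMITTER_NAME=$GIT_AUTHOR_NAME
    GIT_COMMITTER_EMAIL=$GIT_AUTHOR_EMAIL
    export GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
    git -C "$repo" commit --author="$ident" -m "$msg"
)
```

The forwarded values are whatever the client's ~/.ssh/config contains, so they label a commit rather than authenticate it; the SSH key used for the push remains the authenticated identity.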
