I'm trying to understand the GitHub ssh configuration with Ansible (I'm working on the Ansible: Up & Running book). I'm running into two issues.

Permission denied (publickey) - When I first ran the ansible-playbook mezzanine.yml playbook, I got a permission denied:

failed: [web] => {"cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "rc": 128}
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

msg: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

FATAL: all hosts have already failed -- aborting

Ok, fair enough, I see several people have had this problem. So I jumped to appendix A on running Git with SSH and it said to run the ssh-agent and add the id_rsa public key:

eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa

Output: Identity Added

I ran ssh-agent -l to check and got the long string: 2048 e3:fb:... But I got the same output. So I checked the Github docs on ssh key generations and troubleshooting which recommended updating the ssh config file on my host machine:

Host github.com
    User git
    Port 22
    Hostname github.com
    IdentityFile ~/.ssh/id_rsa
    TCPKeepAlive yes
    IdentitiesOnly yes

But this still provides the same error. So at this point, I start thinking it's my rsa file, which leads me to my second problem.

Key Generation Issues - I tried to generate an additional cert to use, because the Github test threw another "Permission denied (publickey)" error.

Warning: Permanently added the RSA host key for IP address '' to the list of known hosts.
Permission denied (publickey).

I followed the Github instructions from scratch and generated a new key with a different name.

ssh-keygen -t rsa -b 4096 -C "me@example.com"

I didn't enter a passphrase and saved it to the .ssh folder with the name git_rsa.pub. I ran the same test and got the following:

$ ssh -i ~/.ssh/git_rsa.pub -T git@github.com
Permissions 0644 for '/Users/antonioalaniz1/.ssh/git_rsa.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: ~/.ssh/github_rsa.pub
Permission denied (publickey).

I checked on the permissions and did a chmod 700 on the file and I still get Permission denied (publickey). I even attempted to enter the key into my Github account, but first got a message that the key file needs to start with ssh-rsa. So I started researching and hacking. Started with just entering the long string in the file (it started with --BEGIN PRIVATE KEY--, but I omitted that part after it failed); however, Github's not accepting it, saying it's invalid.

This is my Ansible command in the YAML file:

- name: check out the repository on the host
  git: repo={{ repo_url }} dest={{ proj_path }} accept_hostkey=yes

    repo_url: git@github.com:lorin/mezzanine-example.git

This is my ansible.cfg file with ForwardAgent configured:

hostfile = hosts
remote_user = vagrant
private_key_file = .vagrant/machines/default/virtualbox/private_key
host_key_checking = False

ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes

The box is an Ubuntu Trusty64 using Mac OS. If anyone could clue me into the file permissions and/or Github key generation, I would appreciate it.

Sandwich Heat
  • `$ ssh -i ~/.ssh/git_rsa.pub -T git@github.com` I don't know about your other problems, but you're using the wrong key file here. `-i` takes the name of a _private_ key file, that is, the file without the _.pub_ extension. You most likely should run `ssh -i ~/.ssh/git_rsa ...` – Kenster Nov 11 '15 at 20:14
  • @Kenster Sorry for the confusion, I tried both, but they get permission denied (publickey). I'm relooking through the Github troubleshooting now and working through it again to hopefully find something. – Sandwich Heat Nov 11 '15 at 20:19

2 Answers


I had transport = paramiko in my ansible.cfg to fix a different bug, but it seems to be causing issues with ForwardAgent=yes. Just removed the transport and it's working again.

  1. You need to reorder your ~/.ssh/ dir, the ~/.ssh/config file. IdentityFile is not needed if your public keys have the default names (id_rsa.pub, id_ed25519.pub, id_dsa.pub).
  2. Check whether you have an ansible.cfg file inside the directory where the playbook (your *.yml file) is; this one will take precedence over your default /etc/ansible/ansible.cfg config.
  3. The permissions are for the ~/.ssh/id_rsa private file (I have mine with 0x600).

offtopic: "The box is an Ubuntu Trusty64 using Mac OS" ?!?!

Yonsy Solis
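The checks raised in the comment and both answers above, as an added shell example that is not part of the original thread: it classifies a file passed to `ssh -i` (public key, private key with permissions that are too open, or fine) and flags `transport = paramiko` combined with `ForwardAgent=yes` in the `ansible.cfg` that applies to the playbook. The function names and the sample files are constructed for illustration.

```shell
# Added example; the function names are illustrative, not part of OpenSSH or Ansible.
# Octal permission bits of a file (GNU stat first, then BSD/macOS stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Classify a file given to `ssh -i` or IdentityFile: missing | public-key | too-open | ok
check_identity_file() {
    key=$1
    [ -f "$key" ] || { echo missing; return; }
    # A public key is a single line starting with its type, e.g. "ssh-rsa AAAA...".
    first_word=; read -r first_word rest < "$key" || true
    case "$first_word" in
        ssh-*|ecdsa-*|sk-*) echo public-key; return ;;
    esac
    # OpenSSH ignores a private key that group or others can access (mode must end in 00).
    case "$(file_mode "$key")" in
        0|*00) echo ok ;;
        *)     echo too-open ;;
    esac
}

# Simplified lookup from the second answer: an ansible.cfg next to the playbook
# wins over /etc/ansible/ansible.cfg (other lookup locations are not modelled).
effective_cfg() {
    if [ -f "$1/ansible.cfg" ]; then echo "$1/ansible.cfg"; else echo /etc/ansible/ansible.cfg; fi
}

# Flag the combination the first answer reports as failing.
# Prints one of: missing | paramiko-with-forwardagent | ok
check_ansible_cfg() {
    cfg=$1
    [ -f "$cfg" ] || { echo missing; return; }
    if grep -Eq '^[[:space:]]*transport[[:space:]]*=[[:space:]]*paramiko' "$cfg" &&
       grep -Eq '^[[:space:]]*ssh_args[[:space:]]*=.*ForwardAgent=yes' "$cfg"; then
        echo paramiko-with-forwardagent
    else
        echo ok
    fi
}

# Constructed sample files (not real keys) mirroring the question's setup.
d=$(mktemp -d)
printf 'ssh-rsa AAAAconstructed me@example.com\n' > "$d/git_rsa.pub"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' > "$d/git_rsa"
chmod 644 "$d/git_rsa.pub" "$d/git_rsa"
printf 'transport = paramiko\nssh_args = -o ForwardAgent=yes\n' > "$d/ansible.cfg"
echo "git_rsa.pub:  $(check_identity_file "$d/git_rsa.pub")"
echo "git_rsa 0644: $(check_identity_file "$d/git_rsa")"
echo "ansible.cfg:  $(check_ansible_cfg "$(effective_cfg "$d")")"
rm -rf "$d"
```

The `.pub` file is reported as `public-key` before its mode is looked at, because tightening the permissions on a public key does not make it usable with `-i`.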