Capistrano Deploy Failing on git:check - Permission denied (publickey)

Thanks to everyone who answered, I've managed to find a solution! The main culprit was Git Bash, which, for whatever reason, was not changing the permissions on my ~/.ssh directory to 0700 when I ran chmod 700 ~/.ssh. This prevented SSH agent forwarding from working when Capistrano was deploying but not when I manually SSH'd into my server. I decided to try using Bash on Ubuntu on Windows (BUW) instead of Git Bash, and sure enough, my deploy worked! I copied over the same exact configuration and keys from Git Bash over to BUW. The only difference is that I was able to change the permissions on BUW's ~/.ssh directory to 0700. With that said, here is the solution to my problem:

1. Create a deploy key and add it to GitLab

As @Onur and @grizzthedj, and @Gokul M indicated, I needed to create a deploy key for GitLab and authorize it on my server. Here's how I did that:

  1. Generate a new SSH key on my local machine: ssh-keygen -t rsa -b 4096
  2. Copy the output of the public key: cat ~/.ssh/id_rsa.pub
  3. SSH into my server
  4. Add the public key to the end of ~/.ssh/authorized_keys
  5. Back on my local machine, open up a browser, log into GitLab, go to my repository page, and paste the public key in Settings > Repository > Deploy Keys

2. Use BUW instead of Git Bash

  1. On my local machine, I set up BUW to start the SSH agent on session load using the instructions from this SO answer.
  2. Change the permissions on ~/.ssh: chmod 700 ~/.ssh
  3. Start the SSH agent and add my deploy key to it:

    eval $(ssh-agent -s)
    ssh-add ~/.ssh/id_rsa
    

I've removed the set :ssh_options line from my deploy.rb file because it works just fine without it.

And that's it! It looks like I'll be deploying using BUW from now on.


Add your public key to the list of deploy keys in your repository setting by following the below steps:

Local machine setup:

  1. Check if your local system has ~/.ssh/id_rsa.pub key file. If not, create a new one:

    $ ssh-keygen -t rsa
    
  2. Add the newly created public key ~/.ssh/id_rsa.pub to the repository's deployment(access) keys in settings:

    • Bitbucket :
      • https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html#SetupSSHforGit-Step4.InstallthepublickeyonyourBitbucketaccount
    • Github :
      • https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys
    • GitLab :
      • https://docs.gitlab.com/ce/ssh/README.html#deploy-keys
  3. Load the keys to ssh-agent:

    Check whether ssh-agent is running, If not, start the ssh agent

    $ ssh-agent /bin/bash
    

    Add the id_rsa key to the agent:

    $ ssh-add ~/.ssh/id_rsa
    

    Note: Sometimes, this step(Step - 3) needs to be done before each deployment if you receive "Access denied to the repository" error during deployment.

  4. Add your local SSH Key to deployment server Authorized Keys file (remember to replace the port number with your customized port number):

    $ cat ~/.ssh/id_rsa.pub | ssh -p port_num user@server_ip 'cat >> ~/.ssh/authorized_keys'
    

Ref: https://www.digitalocean.com/community/tutorials/deploying-a-rails-app-on-ubuntu-14-04-with-capistrano-nginx-and-puma

deploy.rb

Try to change the ssh_options in deploy.rb file as below:

set :ssh_options, { forward_agent: true, user: "deploy", auth_methods: ['publickey'], keys: %w(~/.ssh/privatekey.pem) }

Replace ~/.ssh/privatekey.pem with the path to your SSH private key file path.

Deploy:

Just run cap staging deploy to deploy to the server.

Replace staging in cap deploy command with the environment as needed.


Based on your cap deploy output, it looks like SSH connectivity from your laptop to your server is not the issue.

00:00 git:wrapper
      01 mkdir -p /tmp
    ✔ 01 [email protected] 0.286s
      Uploading /tmp/git-ssh-myapp-staging-localuser.sh 100.0%
      02 chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh
    ✔ 02 [email protected] 0.277s 

This issue is when capistrano tries to run git ls-remote [email protected]:MyApp/myapp.git HEAD over SSH.

You need to add the public key to your SSH Keys in GitLab, since SSH agent forwarding requires installation of public keys on all target systems. Gitlab, in your case, is a target system.

cat ~/.ssh/id_rsa.pub    # Copy the contents of your public key(filename may be different)

Login to GitLab, and paste the public key into your repo's SSH Keys (found in repo settings) and you should be good.

You also need to specify the user that you created the SSH key with in ssh_options.

set :ssh_options, {
    forward_agent: true,
    user: 'deploy',
}