I did figure it out. For some reason, a simple 'chmod go-w ~ ~/.ssh'
and 'chmod 600 ~/.ssh/authorized_keys' did the trick. The funny thing
about it is that those commands actually *revoked* privileges. Are
there security rules in ssh or sshd that require that the access to
certain files remain restricted? Or is there something else I'm
missing?
The thing that threw me off in the first place was that it seemed to
be working on my other servers... just not that last one...
Thanks for the input.
On May 9, 9:59 am, "David Masover" <[EMAIL PROTECTED]> wrote:
> On Fri, May 9, 2008 at 10:46 AM, Chuck <[EMAIL PROTECTED]> wrote:
>
> > I know this is more of an ssh question, but I've set up the public/
> > private key to allow me to ssh to the machine I'm deploying from (it
> > would effectively be like ssh my.ip.address.)
>
> If that's actually "ssh my.ip.address", it will try to login as your local
> user. You might have to do something like "ssh [EMAIL PROTECTED]" instead.
> (And you can use hostnames, too.)
>
> This has bitten me before -- I didn't realize I was trying to authenticate
> as "dave" instead of, say, "deploy".
>
> > but it still prompts me
> > for a password. Any ideas as to why it would still prompt for a
> > password?
>
> Other than that, there are the obvious ones:
>
> Are you sure it's actually using your public/private key? Check for your
> public key in ~/.ssh/authorized_keys on the server side, and make sure the
> permissions are set appropriately -- ~/.ssh should be mode 700, and
> authorized_keys probably mode 600.
>
> And check on your local end -- by default, ssh will check in ~/.ssh/id_rsa
> (or ~/.ssh/id_dsa). Similar rules apply.
>
> Check the config files -- on the remote end, sshd_config (on Debian/Ubuntu,
> that's /etc/ssh/sshd_config) should have PubkeyAuthentication on, and check
> AuthorizedKeysFile if it's set. On the local end, ssh_config
> (/etc/ssh/ssh_config) and ~/.ssh/config (if that exists?) may have something
> interesting, though I think the default is to try the ssh-agent first, then
> keys, and finally fallback to a password.
>
> Finally, if all else fails, learn how to run an ssh agent -- on Ubuntu,
> there's actually one running by default -- and then run ssh-add. Bonus is,
> if your ssh key has somehow gotten a passphrase on it, you can enter that
> once into ssh-add, and the key will then be kept decrypted in ssh-agent's
> RAM, so you'll be passwordless until next boot.
>
>
>
> > Chuck
>
> > On Apr 29, 4:44 pm, Chuck <[EMAIL PROTECTED]> wrote:
> > > Oh, ok. Thanks.
>
> > > On Apr 29, 4:20 pm, Jamis Buck <[EMAIL PROTECTED]> wrote:
>
> > > > Yeah. If you want to avoid a password prompt, you need to make sure
> > > > _all_ of the servers you are connecting to are configured for
> > > > passwordless authentication.
>
> > > > - Jamis
>
> > > > On Apr 29, 2008, at 4:06 PM, Chuck wrote:
>
> > > > > One of the machines I'm deploying to is the machine I'm deploying
> > > > > from. I set up the public/private key to get me into the other two
> > > > > machines, but when I ssh to the local machine, it prompts me for a
> > > > > password. Could that be causing the problem?
>
> > > > > On Apr 29, 3:36 pm, Chuck <[EMAIL PROTECTED]> wrote:
> > > > > >> ok, test_without_sudo prompted for a password, so it looks like it's
> > > > > >> trying to authenticate to the server with a password instead of with a
> > > > > >> public key.
>
> > > > >> On Apr 29, 3:26 pm, Jamis Buck <[EMAIL PROTECTED]> wrote:
>
> > > > > >>> Have you verified that sudo is configured right? For instance, add the
> > > > > >>> following two tasks and see if both work without password prompts:
>
> > > > > >>> task :test_without_sudo do
> > > > > >>>   run "whoami"
> > > > > >>> end
>
> > > > > >>> task :test_with_sudo do
> > > > > >>>   run "sudo whoami"
> > > > > >>>   # I would generally recommend the following for sudo use:
> > > > > >>>   # sudo "whoami"
> > > > > >>>   # but you've got some complex commands that won't play nice with it
> > > > > >>> end
>
> > > > > >>> If :test_without_sudo throws up a prompt, then you know it's unrelated
> > > > > >>> to sudo and is more likely connection-related. If :test_without_sudo
> > > > > >>> doesn't prompt, but :test_with_sudo does, then you've not configured
> > > > > >>> sudo correctly. If both execute without a prompt,
> > > > > >>> but :umount_nfs_shares still does, then something else is wrong. :(
>
> > > > >>> - Jamis
>
> > > > >>> On Apr 29, 2008, at 3:05 PM, Chuck wrote:
>
> > > > > >>>> task :umount_nfs_shares do
> > > > > >>>>   run "if [ `/sbin/ifconfig eth0 | grep inet | cut -d ' ' -f 12 | cut -d ':' -f 2` != #{internal_db} ]; then sudo umount `mount | grep blackbookmobile | grep user | cut -d ' ' -f 3`; fi"
> > > > > >>>>   run "if [ `/sbin/ifconfig eth0 | grep inet | cut -d ' ' -f 12 | cut -d ':' -f 2` != #{internal_db} ]; then sudo umount `mount | grep blackbookmobile | grep contact | cut -d ' ' -f 3`; fi"
> > > > > >>>>   run "if [ `/sbin/ifconfig eth0 | grep inet | cut -d ' ' -f 12 | cut -d ':' -f 2` = #{internal_db} ]; then sudo chown -R sms:mongrel /public; fi"
> > > > > >>>>   run "sudo chown -R user:group /var/www/blackbookmobile/"
> > > > > >>>>   run "sudo chmod -R g+w /var/www/blackbookmobile/"
> > > > > >>>> end
>
> > > > >>>> - Chuck
>
> > > > >>>> On Apr 29, 2:56 pm, Jamis Buck <[EMAIL PROTECTED]> wrote:
> > > > > >>>>> Any chance you could share the definition of the "umount_nfs_shares"
> > > > > >>>>> task?
>
> > > > >>>>> - Jamis
>
> > > > >>>>> On Apr 29, 2008, at 2:16 PM, Chuck wrote:
>
> > > > > >>>>>> Yes, but I've configured the group I'm a member of so that it doesn't
> > > > > >>>>>> require a password when I use sudo with a "NOPASSWD: ALL".
>
> > > > >>>>>> On Apr 29, 8:57 am, Jamis Buck <[EMAIL PROTECTED]> wrote:
> > > > >>>>>>> Is anything trying to execute via sudo?
>
> > > > >>>>>>> - Jamis
>
> > > > >>>>>>> On Apr 29, 2008, at 8:37 AM, Chuck wrote:
>
> > > > > >>>>>>>> I was going to set up a cron job (under my own crontab, so it'd be
> > > > > >>>>>>>> running as my user).
>
> > > > > >>>>>>>> Here's what I get when I attempt to deploy: (cap staging deploy)
>
> > > > >>>>>>>> * executing `staging'
> > > > >>>>>>>> triggering start callbacks for `deploy'
> > > > >>>>>>>> * executing `multistage:ensure'
> > > > >>>>>>>> triggering before callbacks for `deploy'
> > > > >>>>>>>> * executing `umount_nfs_shares'
> > > > >>>>>>>> * executing "umount command that's the first thing under
> > > > >>>>>>>> umount_nfs_shares"
> > > > >>>>>>>> servers: ["X.X.X.X", "X.X.X.X", "X.X.X.X"]
> > > > >>>>>>>> Password:
>
> > > > > >>>>>>>> I didn't put a password on the SSH certificate, so I'm certain that's
> > > > > >>>>>>>> not it.
>
> > > > >>>>>>>> Thanks,
> > > > >>>>>>>> Chuck
>
> > > > >>>>>>>> On Apr 28, 4:37 pm, Jamis Buck <[EMAIL PROTECTED]> wrote:
> > > > > >>>>>>>>> How is your deployment script being run automatically? Is it being run
> > > > > >>>>>>>>> as you, or a different user? When does it prompt for a password?
> > > > > >>>>>>>>> (Might it be prompting for an SSH certificate passphrase, which is not
> > > > > >>>>>>>>> the same as the password?)
>
> > > > >>>>>>>>> - Jamis
>
> > > > >>>>>>>>> On Apr 28, 2008, at 3:55 PM, Chuck wrote:
>
> > > > > >>>>>>>>>> I'm trying to set up a deployment script that will run on a regular
> > > > > >>>>>>>>>> basis, but it continuously prompts me for a password.
>
> > > > > >>>>>>>>>> I set up a public/private key and can now log into the machines I'm
> > > > > >>>>>>>>>> deploying to from my deployment machine without a password, but cannot
> > > > > >>>>>>>>>> for the life of me figure out how to get capistrano to drop the
> > > > > >>>>>>>>>> password prompt.
>
> > > > >>>>>>>>>> Any ideas/input?
>
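Added example, not part of the thread: the behaviour described in the top message matches OpenSSH's StrictModes option in sshd_config (on by default), under which sshd ignores authorized_keys when the home directory, ~/.ssh or the key file is writable by group or others, or is owned by someone other than the account or root. The function names strictmodes_audit and demo and the throwaway directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the paths sshd inspects under
# "StrictModes yes" would make it skip public-key authentication.

# strictmodes_audit HOME [OWNER_UID]
# Prints one line per path; returns 0 if every path passes, 1 otherwise.
strictmodes_audit() {
    home=$1
    owner=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"; rc=1; continue
        fi
        # Group- or world-writable (mode & 022) is what gets the file refused;
        # mode 600 on authorized_keys, as used in the thread, is stricter.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE  $p  (fix: chmod go-w)"; rc=1; continue
        fi
        # The path must belong to the account itself or to root.
        if [ -n "$(find "$p" -prune ! -user "$owner" ! -user 0 -print)" ]; then
            echo "BADOWNER  $p"; rc=1; continue
        fi
        echo "OK        $p"
    done
    return $rc
}

# Constructed demo: a throwaway home directory with group-writable modes,
# audited before and after the two chmod commands quoted in the thread.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 775 "$d" "$d/.ssh"; chmod 664 "$d/.ssh/authorized_keys"
    echo "before:"; before=0; strictmodes_audit "$d" || before=1
    chmod go-w "$d" "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    echo "after:"; after=0; strictmodes_audit "$d" || after=1
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo || exit 1
```

Run `strictmodes_audit "$HOME"` as the login user on the server that still prompts for a password; any line other than OK names the path to tighten.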