The short answer is IT compliance. In theory SSH keys are more secure, but in practice most people don't use passwords with them, and it's impossible for an IT department to verify password standards on ssh keys. I'm on the engineering side and would much prefer to use ssh keys and ssh-agent, but I'm not sure I'll be able to get our IT department to sign off on that, and it would also require them to enable ssh keys for our LDAP server.
So for now I'm trying to work around using passwords while I lobby for ssh keys.

- Kevin

On Monday, November 18, 2013 8:51:02 AM UTC-8, Lee Hambley wrote:
>
> Of course the bigger question is why you're deploying with passwords in
> the first place. SSH keys are easier, more secure, and can *also* be
> passworded, and that'll be managed by your OS. It's clearly documented how
> to do this
> http://www.capistranorb.com/documentation/getting-started/authentication-and-authorisation/
>
> The reason Capistrano doesn't include password prompt support is because
> it's an amateurish trick to avoid setting things up "properly". For those
> on the wayyyyy other side, who know it's a bad idea, they know that it's
> easy to write something to prompt for input to bypass the built-in pain
> barrier.
>
> Lee Hambley
> --
> http://lee.hambley.name/
> +49 (0) 170 298 5667
>
>
> On 18 November 2013 17:40, Kevin Lochner <[email protected]> wrote:
>
>> Thanks Lee, I was heading in that direction and it's helpful to focus the
>> search to this approach.
>>
>> - Kevin
>>
>> On Monday, November 18, 2013 8:33:31 AM UTC-8, Lee Hambley wrote:
>>
>>>> Password authentication works if I hard-code the password into the
>>>> deploy/env.rb file, but otherwise it just runs through the password auth
>>>> without prompting me:
>>>
>>> This is expected behaviour. It's rather difficult to write an automation
>>> tool that requires user input!
>>>
>>> If you need to read input, see `ask()` in the documentation, or write
>>> your own method to do this using something like
>>> http://ruby.learncodethehardway.org/book/ex14.html
>>>
>>> Lee Hambley
>>> --
>>> http://lee.hambley.name/
>>> +49 (0) 170 298 5667
>>>
>>>
>>> On 18 November 2013 17:24, Kevin Lochner <[email protected]> wrote:
>>>
>>>> I'm trying to setup Capistrano where the deploying user is prompted
>>>> for ssh password into app server. Password authentication works if I
>>>> hard-code the password into the deploy/env.rb file, but otherwise it just
>>>> runs through the password auth without prompting me:
>>>>
>>>>> D, [2013-11-18T08:23:04.041167 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: trying password
>>>>> E, [2013-11-18T08:23:04.041273 #28602] ERROR -- net.ssh.authentication.session[3fd3b58b158c]: all authorization methods failed (tried password)
>>>>
>>>> ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin11.4.2]
>>>> Capistrano Version: 3.0.0 (Rake Version: 10.1.0)
>>>>
>>>> Here's staging.rb:
>>>>
>>>>> set :stage, :staging
>>>>> server "10.1.45.78", roles: %w{web app db}
>>>>> set :ssh_options, {
>>>>>   verbose: :debug,
>>>>>   user: "klochner",
>>>>>   auth_methods: %w(password)
>>>>> }
>>>>
>>>> and here's the output:
>>>>
>>>>> INFO [0725887a] Running /usr/bin/env whoami on 10.1.45.78
>>>>> DEBUG [0725887a] Command: /usr/bin/env whoami
>>>>> D, [2013-11-18T08:23:03.514730 #28602] DEBUG -- net.ssh.transport.session[3fd3b5473380]: establishing connection to 10.1.45.78:22
>>>>> D, [2013-11-18T08:23:03.570553 #28602] DEBUG -- net.ssh.transport.session[3fd3b5473380]: connection established
>>>>> I, [2013-11-18T08:23:03.570782 #28602] INFO -- net.ssh.transport.server_version[3fd3b5472778]: negotiating protocol version
>>>>> D, [2013-11-18T08:23:03.633150 #28602] DEBUG -- net.ssh.transport.server_version[3fd3b5472778]: remote is `SSH-2.0-OpenSSH_5.3'
>>>>> D, [2013-11-18T08:23:03.633271 #28602] DEBUG -- net.ssh.transport.server_version[3fd3b5472778]: local is `SSH-2.0-Ruby/Net::SSH_2.7.0 x86_64-darwin11.4.2'
>>>>> D, [2013-11-18T08:23:03.697262 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 784 bytes
>>>>> D, [2013-11-18T08:23:03.697407 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 0 type 20 len 780
>>>>> I, [2013-11-18T08:23:03.697502 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: got KEXINIT from server
>>>>> I, [2013-11-18T08:23:03.697745 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: sending KEXINIT
>>>>> D, [2013-11-18T08:23:03.697906 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 0 type 20 len 1620
>>>>> D, [2013-11-18T08:23:03.698069 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 1624 bytes
>>>>> I, [2013-11-18T08:23:03.698114 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: negotiating algorithms
>>>>> D, [2013-11-18T08:23:03.698223 #28602] DEBUG -- net.ssh.transport.algorithms[3fd3b546edd0]: negotiated:
>>>>> * kex: diffie-hellman-group-exchange-sha1
>>>>> * host_key: ssh-rsa
>>>>> * encryption_server: aes128-cbc
>>>>> * encryption_client: aes128-cbc
>>>>> * hmac_client: hmac-sha1
>>>>> * hmac_server: hmac-sha1
>>>>> * compression_client: none
>>>>> * compression_server: none
>>>>> * language_client:
>>>>> * language_server:
>>>>> D, [2013-11-18T08:23:03.698253 #28602] DEBUG -- net.ssh.transport.algorithms[3fd3b546edd0]: exchanging keys
>>>>> D, [2013-11-18T08:23:03.698423 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 1 type 34 len 20
>>>>> D, [2013-11-18T08:23:03.698470 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 24 bytes
>>>>> D, [2013-11-18T08:23:03.816379 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 152 bytes
>>>>> D, [2013-11-18T08:23:03.816631 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 1 type 31 len 148
>>>>> D, [2013-11-18T08:23:03.819843 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 2 type 32 len 140
>>>>> D, [2013-11-18T08:23:03.820096 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 144 bytes
>>>>> D, [2013-11-18T08:23:03.883696 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 720 bytes
>>>>> D, [2013-11-18T08:23:03.883900 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 2 type 33 len 700
>>>>> D, [2013-11-18T08:23:03.886055 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 3 type 21 len 20
>>>>> D, [2013-11-18T08:23:03.886208 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 24 bytes
>>>>> D, [2013-11-18T08:23:03.886326 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 3 type 21 len 12
>>>>> D, [2013-11-18T08:23:03.886698 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: beginning authentication of `klochner'
>>>>> D, [2013-11-18T08:23:03.886844 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 4 type 5 len 28
>>>>> D, [2013-11-18T08:23:03.886912 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 52 bytes
>>>>> D, [2013-11-18T08:23:04.040740 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 52 bytes
>>>>> D, [2013-11-18T08:23:04.040978 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 4 type 6 len 28
>>>>> D, [2013-11-18T08:23:04.041167 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: trying password
>>>>> E, [2013-11-18T08:23:04.041273 #28602] ERROR -- net.ssh.authentication.session[3fd3b58b158c]: all authorization methods failed (tried password)
>>>>> cap aborted!
>>>>> klochner
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/net-ssh-2.7.0/lib/net/ssh.rb:215:in `start'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:156:in `ssh'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:109:in `block in _execute'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:106:in `tap'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:106:in `_execute'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:54:in `execute'
>>>>> config/deploy.rb:20:in `block (3 levels) in <top (required)>'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:42:in `instance_exec'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:42:in `run'
>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
>>>>> Tasks: TOP => deploy:whoami
>>>>> (See full trace by running task with --trace)
>>>>
>>>> --
>>>> --
>>>> * You received this message because you are subscribed to the Google
>>>> Groups "Capistrano" group.
>>>> * To post to this group, send email to [email protected]
>>>> * To unsubscribe from this group, send email to
>>>> capistrano+...@googlegroups.com For more options, visit this group at
>>>> http://groups.google.com/group/capistrano?hl=en
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Capistrano" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>>
>>>> For more options, visit https://groups.google.com/groups/opt_out.
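An added example, not part of the thread and not Capistrano's own code: one way to follow the "write your own method" suggestion so the password is read at deploy time without echo instead of being hard-coded in the stage file. The helper names (`read_secret`, `password_ssh_options`, `redacted`) and the user `deploy` are hypothetical; `:user`, `:auth_methods` and `:password` are net-ssh connection options.

```ruby
require "io/console"
require "stringio"

# Read a secret from `input`, suppressing echo when `input` is a terminal.
# Pipes and StringIO objects are read plainly so the helper stays testable.
def read_secret(prompt, input: $stdin, output: $stderr)
  output.print(prompt)
  line = if input.respond_to?(:noecho) && input.respond_to?(:tty?) && input.tty?
           input.noecho(&:gets)
         else
           input.gets
         end
  output.puts
  secret = line.to_s.chomp
  # An empty answer (or EOF) would only produce the same
  # "all authorization methods failed" error, so stop early.
  raise ArgumentError, "empty password; refusing to attempt authentication" if secret.empty?
  secret
end

# Build the hash handed to `set :ssh_options, ...` in a stage file.
# Keys match the staging.rb in the post, plus net-ssh's :password.
def password_ssh_options(user:, password:)
  { user: user, auth_methods: %w[password], password: password }
end

# Copy that is safe to print or log; the original hash is left untouched.
# Relevant when `verbose: :debug` is on and output may be captured.
def redacted(options)
  options.merge(password: "[REDACTED]")
end

# Constructed demo input (a StringIO stands in for the operator's terminal).
demo_input = StringIO.new("constructed-secret\n")
demo_opts = password_ssh_options(
  user: "deploy", # hypothetical account name
  password: read_secret("SSH password: ", input: demo_input, output: StringIO.new)
)
puts redacted(demo_opts).inspect
```

In a stage file the same call would read from the real terminal, for example `set :ssh_options, password_ssh_options(user: "klochner", password: read_secret("SSH password: "))`.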
