The IT department should learn that the threat model of SSH keys is way easier to manage than that of passwords, that keys are easier to revoke, and that proper training in how to use a proper caching key agent, etc., would go a long way.
Good luck anyway; I don't envy you working in such a draconian environment.

On 18 Nov 2013 17:58, "Kevin Lochner" <[email protected]> wrote:

> The short answer is IT compliance.
>
> In theory SSH keys are more secure, but in practice most people don't use
> passwords with them, and it's impossible for an IT department to verify
> password standards on ssh keys.
>
> I'm on the engineering side and would much prefer to use ssh keys and
> ssh-agent, but I'm not sure I'll be able to get our IT department to sign
> off on that, and it would also require them to enable ssh keys for our LDAP
> server.
>
> So for now I'm trying to work around using passwords while I lobby for ssh
> keys.
>
> - Kevin
>
> On Monday, November 18, 2013 8:51:02 AM UTC-8, Lee Hambley wrote:
>
>> Of course the bigger question is why you're deploying with passwords in
>> the first place. SSH keys are easier, more secure, and can *also* be
>> passworded, and that'll be managed by your OS. It's clearly documented how
>> to do this:
>> http://www.capistranorb.com/documentation/getting-started/authentication-and-authorisation/
>>
>> The reason Capistrano doesn't include password prompt support is because
>> it's an amateurish trick to avoid setting things up "properly". For those
>> on the wayyyyy other side, who know it's a bad idea, they know that it's
>> easy to write something to prompt for input to bypass the built-in pain
>> barrier.
>>
>> Lee Hambley
>> --
>> http://lee.hambley.name/
>> +49 (0) 170 298 5667
>>
>> On 18 November 2013 17:40, Kevin Lochner <[email protected]> wrote:
>>
>>> Thanks Lee, I was heading in that direction and it's helpful to focus
>>> the search on this approach.
>>>
>>> - Kevin
>>>
>>> On Monday, November 18, 2013 8:33:31 AM UTC-8, Lee Hambley wrote:
>>>
>>>>> Password authentication works if I hard-code the password into the
>>>>> deploy/env.rb file, but otherwise it just runs through the password auth
>>>>> without prompting me:
>>>>
>>>> This is expected behaviour. It's rather difficult to write an
>>>> automation tool that requires user input!
>>>>
>>>> If you need to read input, see `ask()` in the documentation, or write
>>>> your own method to do this using something like
>>>> http://ruby.learncodethehardway.org/book/ex14.html
>>>>
>>>> Lee Hambley
>>>> --
>>>> http://lee.hambley.name/
>>>> +49 (0) 170 298 5667
>>>>
>>>> On 18 November 2013 17:24, Kevin Lochner <[email protected]> wrote:
>>>>
>>>>> I'm trying to set up Capistrano so that the deploying user is prompted
>>>>> for the ssh password into the app server. Password authentication works if I
>>>>> hard-code the password into the deploy/env.rb file, but otherwise it just
>>>>> runs through the password auth without prompting me:
>>>>>
>>>>>> D, [2013-11-18T08:23:04.041167 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: trying password
>>>>>> E, [2013-11-18T08:23:04.041273 #28602] ERROR -- net.ssh.authentication.session[3fd3b58b158c]: all authorization methods failed (tried password)
>>>>>
>>>>> ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin11.4.2]
>>>>> Capistrano Version: 3.0.0 (Rake Version: 10.1.0)
>>>>>
>>>>> Here's staging.rb:
>>>>>
>>>>>> set :stage, :staging
>>>>>> server "10.1.45.78", roles: %w{web app db}
>>>>>> set :ssh_options, {
>>>>>>   verbose: :debug,
>>>>>>   user: "klochner",
>>>>>>   auth_methods: %w(password)
>>>>>> }
>>>>>
>>>>> and here's the output:
>>>>>
>>>>>> INFO [0725887a] Running /usr/bin/env whoami on 10.1.45.78
>>>>>> DEBUG [0725887a] Command: /usr/bin/env whoami
>>>>>> D, [2013-11-18T08:23:03.514730 #28602] DEBUG -- net.ssh.transport.session[3fd3b5473380]: establishing connection to 10.1.45.78:22
>>>>>> D, [2013-11-18T08:23:03.570553 #28602] DEBUG -- net.ssh.transport.session[3fd3b5473380]: connection established
>>>>>> I, [2013-11-18T08:23:03.570782 #28602] INFO -- net.ssh.transport.server_version[3fd3b5472778]: negotiating protocol version
>>>>>> D, [2013-11-18T08:23:03.633150 #28602] DEBUG -- net.ssh.transport.server_version[3fd3b5472778]: remote is `SSH-2.0-OpenSSH_5.3'
>>>>>> D, [2013-11-18T08:23:03.633271 #28602] DEBUG -- net.ssh.transport.server_version[3fd3b5472778]: local is `SSH-2.0-Ruby/Net::SSH_2.7.0 x86_64-darwin11.4.2'
>>>>>> D, [2013-11-18T08:23:03.697262 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 784 bytes
>>>>>> D, [2013-11-18T08:23:03.697407 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 0 type 20 len 780
>>>>>> I, [2013-11-18T08:23:03.697502 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: got KEXINIT from server
>>>>>> I, [2013-11-18T08:23:03.697745 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: sending KEXINIT
>>>>>> D, [2013-11-18T08:23:03.697906 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 0 type 20 len 1620
>>>>>> D, [2013-11-18T08:23:03.698069 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 1624 bytes
>>>>>> I, [2013-11-18T08:23:03.698114 #28602] INFO -- net.ssh.transport.algorithms[3fd3b546edd0]: negotiating algorithms
>>>>>> D, [2013-11-18T08:23:03.698223 #28602] DEBUG -- net.ssh.transport.algorithms[3fd3b546edd0]: negotiated:
>>>>>> * kex: diffie-hellman-group-exchange-sha1
>>>>>> * host_key: ssh-rsa
>>>>>> * encryption_server: aes128-cbc
>>>>>> * encryption_client: aes128-cbc
>>>>>> * hmac_client: hmac-sha1
>>>>>> * hmac_server: hmac-sha1
>>>>>> * compression_client: none
>>>>>> * compression_server: none
>>>>>> * language_client:
>>>>>> * language_server:
>>>>>> D, [2013-11-18T08:23:03.698253 #28602] DEBUG -- net.ssh.transport.algorithms[3fd3b546edd0]: exchanging keys
>>>>>> D, [2013-11-18T08:23:03.698423 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 1 type 34 len 20
>>>>>> D, [2013-11-18T08:23:03.698470 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 24 bytes
>>>>>> D, [2013-11-18T08:23:03.816379 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 152 bytes
>>>>>> D, [2013-11-18T08:23:03.816631 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 1 type 31 len 148
>>>>>> D, [2013-11-18T08:23:03.819843 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 2 type 32 len 140
>>>>>> D, [2013-11-18T08:23:03.820096 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 144 bytes
>>>>>> D, [2013-11-18T08:23:03.883696 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 720 bytes
>>>>>> D, [2013-11-18T08:23:03.883900 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 2 type 33 len 700
>>>>>> D, [2013-11-18T08:23:03.886055 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 3 type 21 len 20
>>>>>> D, [2013-11-18T08:23:03.886208 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 24 bytes
>>>>>> D, [2013-11-18T08:23:03.886326 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 3 type 21 len 12
>>>>>> D, [2013-11-18T08:23:03.886698 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: beginning authentication of `klochner'
>>>>>> D, [2013-11-18T08:23:03.886844 #28602] DEBUG -- tcpsocket[3fd3b5473880]: queueing packet nr 4 type 5 len 28
>>>>>> D, [2013-11-18T08:23:03.886912 #28602] DEBUG -- tcpsocket[3fd3b5473880]: sent 52 bytes
>>>>>> D, [2013-11-18T08:23:04.040740 #28602] DEBUG -- tcpsocket[3fd3b5473880]: read 52 bytes
>>>>>> D, [2013-11-18T08:23:04.040978 #28602] DEBUG -- tcpsocket[3fd3b5473880]: received packet nr 4 type 6 len 28
>>>>>> D, [2013-11-18T08:23:04.041167 #28602] DEBUG -- net.ssh.authentication.session[3fd3b58b158c]: trying password
>>>>>> E, [2013-11-18T08:23:04.041273 #28602] ERROR -- net.ssh.authentication.session[3fd3b58b158c]: all authorization methods failed (tried password)
>>>>>> cap aborted!
>>>>>> klochner
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/net-ssh-2.7.0/lib/net/ssh.rb:215:in `start'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:156:in `ssh'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:109:in `block in _execute'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:106:in `tap'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:106:in `_execute'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:54:in `execute'
>>>>>> config/deploy.rb:20:in `block (3 levels) in <top (required)>'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:42:in `instance_exec'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/backends/netssh.rb:42:in `run'
>>>>>> /Users/klochner/.rvm/gems/ruby-2.0.0-p247/gems/sshkit-1.1.0/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
>>>>>> Tasks: TOP => deploy:whoami
>>>>>> (See full trace by running task with --trace)
>>>>>
>>>>> --
>>>>> --
>>>>> * You received this message because you are subscribed to the Google Groups "Capistrano" group.
>>>>> * To post to this group, send email to [email protected]
>>>>> * To unsubscribe from this group, send email to capistrano+...@googlegroups.com
>>>>> For more options, visit this group at http://groups.google.com/group/capistrano?hl=en
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "Capistrano" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>
>>>>> For more options, visit https://groups.google.com/groups/opt_out.
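Added example, not code from the thread or from the Capistrano project: the hand-written prompt Lee suggests in place of hard-coding the password, next to the two `ssh_options` shapes the thread argues about (a password prompted once per run versus agent-held keys). The helper names (`read_password`, `password_ssh_options`, `key_ssh_options`), the `hunter2` sample input and the `~/.ssh/id_ed25519` path are assumptions for illustration; the option keys (`user`, `password`, `auth_methods`, `keys`, `forward_agent`, `verbose`) are the Net::SSH options that Capistrano 3 passes through `set :ssh_options`. The file runs without Capistrano installed; the stage-file wiring is shown in a comment. Later Capistrano 3 releases added an `echo: false` option to `ask` for the same purpose, so check your version's documentation before rolling your own.

```ruby
# Added example (not from the thread or the Capistrano project).
# Prompt for the SSH password at deploy time instead of writing it into
# config/deploy/*.rb, and build the Net::SSH option hashes for both auth styles.
require "io/console" # adds IO#noecho so a terminal does not echo the password
require "stringio"

PASSWORD_AUTH = %w(password).freeze
KEY_AUTH      = %w(publickey).freeze

# Read one line from +input+ as a password. On a TTY the input is not echoed;
# on a non-TTY (StringIO, a pipe) it falls back to a plain gets so it can be
# exercised offline. Returns nil on EOF or an empty line, so the caller can
# refuse to run rather than letting Net::SSH log a failed password attempt.
def read_password(prompt: "SSH password: ", input: $stdin, output: $stderr)
  output.print(prompt)
  output.flush
  line =
    if input.respond_to?(:noecho) && input.tty?
      input.noecho(&:gets).tap { output.puts } # newline after the hidden input
    else
      input.gets
    end
  return nil if line.nil?
  line = line.chomp
  line.empty? ? nil : line
end

# Options for password authentication. The secret lives only in this hash for
# the lifetime of the cap process; nothing is persisted to disk.
def password_ssh_options(user, password, verbose: :info)
  if password.nil? || password.empty?
    raise ArgumentError, "refusing to authenticate #{user} with an empty password"
  end
  { user: user, password: password, auth_methods: PASSWORD_AUTH, verbose: verbose }
end

# Options for key authentication. Net::SSH asks ssh-agent to sign with the
# listed identities, so the passphrase-protected key file never has to be
# decrypted by the deploy tool itself. +keys+ limits which identities are
# offered to the host; forward_agent stays off unless a task needs it.
def key_ssh_options(user, keys: ["~/.ssh/id_ed25519"], forward_agent: false, verbose: :info)
  { user: user, keys: keys, auth_methods: KEY_AUTH, forward_agent: forward_agent, verbose: verbose }
end

# Wiring into a stage file (assumes the Capistrano 3 DSL; shown as a comment
# because this file is meant to run without Capistrano loaded):
#
#   set :stage, :staging
#   server "10.1.45.78", roles: %w{web app db}
#   password = read_password                      # prompted once per cap run
#   set :ssh_options, password_ssh_options("klochner", password)
#
# and, once keys are approved, simply:
#
#   set :ssh_options, key_ssh_options("klochner")

if __FILE__ == $PROGRAM_NAME
  # Constructed, non-TTY input standing in for the operator typing at the prompt.
  demo_input = StringIO.new("hunter2\n")
  pw = read_password(input: demo_input, output: StringIO.new)
  opts = password_ssh_options("klochner", pw)
  # Print everything except the secret itself so the demo never leaks it.
  puts opts.reject { |k, _| k == :password }.inspect
  puts key_ssh_options("klochner").inspect
end
```

Run it with `ruby prompt_password.rb` (any file name works); on a real terminal `read_password` uses `$stdin` and hides what you type. An empty line or EOF (for example a CI job with no TTY attached) yields nil and `password_ssh_options` raises before any connection is opened, which surfaces the "no password available" condition locally instead of as the server-side `all authorization methods failed (tried password)` seen in the trace above.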
