The policy at the company where I work is to add two factor auth to every
system, so I have no other choice than to implement it.
For now I just added an environment for each server, so I can do cap server1
deploy, cap server2 deploy, etc. Not a nice or effective way to deploy, but
it works. I'll be looking at your advice and see if I can make it work with
all servers in one single deploy.
Thx
On Tuesday, July 21, 2015 at 5:06:41 AM UTC-3, Lee Hambley wrote:
>
> The canonical way to solve this is to pipe something into your command,
> for example the Linux command `yes` (at `/usr/bin/yes`) echoes `y` followed
> by a carriage return indefinitely. This can be used to answer `(y/N)`
> prompts thusly:
>
> /usr/bin/yes | apt-get install something
>
> (most programs have a --assume-yes, or --force flag, which achieves the
> same thing)
>
> To answer your question, you could use ask() to get the TOTP code into a
> variable, and then do something like:
>
> echo "#{myvariable}" | my-command-that-wants-the-totp-code
>
> Note however that many things (passwd, sudo, etc) will refuse to read a
> password from stdin, because it's considered very, very poor practice.
> Also, you will have a very, very hard time to modify Capistrano to ask this
> when SSHing into a machine. Ask yourself what you are really gaining by
> adding a 6 byte TOTP token, plus a huge unverified PAM module, to what are
> already 2048+ bit keys with a well proven system in SSH. It would be better,
> however impossible, to have your server enforce that SSH keys are
> passphrased, which you can't solve with technology, just education and
> enforcement within your team.
>
> With all this said, you might be interested in a newish feature of
> Capistrano & SSHKit
> https://github.com/capistrano/sshkit#using-the-sshkitmappinginteractionhandler
>
> - note however, that needing something like this is a sign that your
> deployment environment is most likely poorly designed. TOTP in cases like
> this is pseudo security.
>
> Lee Hambley
> http://lee.hambley.name/
> +49 (0) 170 298 5667
>
> On 21 July 2015 at 08:51, Rodrigo Dominguez <[email protected]> wrote:
>
>> Versions:
>>
>> - Ruby 2.1.6
>> - Capistrano 3.4.0
>>
>> Platform:
>>
>> - Linux
>>
>> Files:
>>
>> - deploy.rb
>>
>>
>> I'm wondering if there is a way to automatically enter info on the server
>> when it requests it.
>>
>>
>> To give some background, I added Two Factor Auth with Google
>> Authenticator on some servers.
>>
>>
>> When I deploy just to one server, it asks me for:
>>
>>
>> Password:
>> Verification Code:
>>
>> Which I enter manually (a password for Password, a code for Verification
>> Code) and the deploy is made without major problems.
>>
>>
>> When I have to deploy to more than one server at the same time, it asks
>> me for:
>>
>>
>> Password: Password:
>>
>>
>> and whatever I enter, it always breaks.
>>
>>
>> So I'm wondering if I can make the deploy scripts automatically enter some
>> text when they see "Password:" and "Verification Code:". By doing that,
>> I'm planning to ask for the password and Google token when the deploy
>> process starts, and when the remote server asks for Password: and
>> Verification Code:, to automatically enter the data I supplied for password
>> and verification code.
>>
>>
>> Thank you
>>
>>
>> Rod
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Capistrano" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web, visit
>> https://groups.google.com/d/msgid/capistrano/8fd0799f-90fe-4f22-a29b-1981a6071348%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
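
Added example, not part of the original thread and not SSHKit or Capistrano code: a minimal handler with the `on_data(command, stream_name, data, channel)` shape that SSHKit documents for custom interaction handlers, answering the `Password:` and `Verification Code:` prompts from the original question and refusing to answer anything else. `PromptResponder`, `FakeChannel`, `run_session` and the sample values are assumptions constructed for the demo; it covers prompts printed by a command on an established session, not the SSH login itself.

```ruby
# Added example. PromptResponder, FakeChannel and run_session are hypothetical
# names; only the on_data signature follows SSHKit's documented handler shape.
class PromptResponder
  class UnexpectedPrompt < StandardError; end

  attr_reader :answered    # prompt labels only, never the secrets

  # responses: { "Prompt label" => String, or a callable evaluated at prompt time }
  def initialize(responses)
    @rules = responses.map { |label, reply| [label, /\A#{Regexp.escape(label)}\s*\z/, reply] }
    @buffer = String.new
    @answered = []
  end

  def on_data(_command, _stream_name, data, channel)
    # Keep only the unterminated last line: a prompt has no trailing newline
    # and may arrive split across chunks.
    @buffer = (@buffer + data)[/[^\n]*\z/]
    label, _re, reply = @rules.find { |_, re, _| re.match?(@buffer) }
    if label
      channel.send_data("#{reply.respond_to?(:call) ? reply.call : reply}\n")
      @answered << label
      @buffer = String.new
    elsif @buffer.match?(/:\s*\z/)
      # Fail closed: never send a secret to a prompt that was not mapped,
      # including the interleaved "Password: Password:" seen in the thread.
      raise UnexpectedPrompt, "unmapped prompt #{@buffer.strip.inspect}"
    end
  end
end

class FakeChannel          # stands in for the SSH channel in this offline demo
  attr_reader :sent
  def initialize; @sent = []; end
  def send_data(data); @sent << data; end
end

# One responder per host, so prompt state is never shared between servers.
def run_session(chunks, password:, totp:)
  responder = PromptResponder.new({ 'Password:' => password, 'Verification Code:' => totp })
  channel = FakeChannel.new
  chunks.each { |chunk| responder.on_data(nil, :stdout, chunk, channel) }
  [channel.sent, responder.answered]
end
```

Passing the TOTP value as a callable lets the code be read at the moment the prompt appears rather than at deploy start.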