views:

94

answers:

2

My ssh keys are definitely set up correctly, as I'm never prompted for the password when using ssh. But capistrano still asks for a password when deploying with cap deploy. It doesn't ask for the password when I setup with cap deploy:setup though, strangely enough. It would make the deployment cycle so much smoother without a password prompt.

Specifics: I'm deploying a Sinatra app to a Dreamhost shared account (which uses Passenger). I had followed a tutorial for doing so long back, which worked perfectly back then. Something broke since. I'm using capistrano (2.5.9) and git version 1.6.1.1. Here's my Capfile:

load 'deploy' if respond_to?(:namespace) # cap2 differentiator

set :user, 'ehsanul'
set :domain, 'jellly.com'

default_run_options[:pty] = true

# the rest should be good
set :repository,  "[email protected]:git/jellly.git"
set :deploy_to, "/home/ehsanul/jellly.com"
set :deploy_via, :remote_cache
set :scm, 'git'
set :branch, 'deploy'
set :git_shallow_clone, 1
set :scm_verbose, true
set :use_sudo, false

server domain, :app, :web

namespace :deploy do
  task :migrate do
    run "cd #{current_path}; /usr/bin/rake migrate environment=production"
  end
  task :restart do
    run "touch #{current_path}/tmp/restart.txt"
  end
end

after "deploy", "deploy:migrate"

And here's the output of what happens when I cap deploy, upto the password prompt:

$ cap deploy
  * executing `deploy'
  * executing `deploy:update'
 ** transaction: start
  * executing `deploy:update_code'
    updating the cached checkout on all servers
    executing locally: "git ls-remote [email protected]:git/jellly.git deploy"
/usr/local/bin/git
  * executing "if [ -d /home/ehsanul/jellly.com/shared/cached-copy ]; then cd /home/ehsanul/jellly.com/shared/cached-copy && git fetch  origin && git reset  --hard ea744c77b0b939d5355ba2dc50ef1ec85f918d66 && git clean  -d -x -f; else git clone  --depth 1 [email protected]:git/jellly.git /home/ehsanul/jellly.com/shared/cached-copy && cd /home/ehsanul/jellly.com/shared/cached-copy && git checkout  -b deploy ea744c77b0b939d5355ba2dc50ef1ec85f918d66; fi"
    servers: ["jellly.com"]
    [jellly.com] executing command
 ** [jellly.com :: out] [email protected]'s password:
Password:
 ** [jellly.com :: out]
 ** [jellly.com :: out] remote: Counting objects: 7, done.
remote: Compressing objects: 100% (4/4), done.

What could be broken?

+1  A: 

The logs show it prompted for a password after logging in via SSH to jellly.com, so it looks like the actual git update is prompting for a password.

I think this is because your repository setting specifies your git user, even though you can access it anonymously in this case.

You should create an anonymous git account and change your repo line like this:

set :repository,  "[email protected]:git/jellly.git"

Alternatively, you could put your SSH key ON your production server, but that doesn't sound useful. You also might be able to configure SSH to forward authentication requests back through the initial SSH connection. The anonymous read-only source control for deploy is likely easier, though.

Winfield
Thanks, that fixed it! Looks like setting up another user would work too, but I just went with making the server's own ssh key authorized with itself - easy and no security risk. Used this: `cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> .ssh/authorized_keys'`
ehsanul
Hmmm, actually, wouldn't just specifying `set :repository, /home/ehsanul/git/jellly.git` work as well, without the ssh? Edit: nope, doesn't work.
ehsanul
I'm glad you got this working. It's a security risk to keep your private key on the server, you should only store the public key there. At least this confirms the problem. I would recommend using the anonymous or limited access account instead of publishing your private key on the app server.
Winfield
Just to clarify, I didn't put my private key on the server. See my comment to the other answer for what I did.
ehsanul
+2  A: 

The password prompt is because the server you are deploying to is connecting to the git server and needs authentication. Since your local machine (where you are deploying from) already has a valid ssh-key, use that one by enabling forwarding in your Capfile:

set :ssh_options, {:forward_agent => true}

That forwards the authentication from your local machine through when the deployment server tries to connect to your git server.

This is much preferred to putting your private key out on the deployment server!

tobym
I didn't put my private key on the server. I just added the deployment server's public key to it's own list of `authorized_keys`. This is because the the deployment server is also my git server, and apparently it tries to ssh into itself due to how Capistrano works, causing a password login. So I basically just set up ssh keys between the server and itself. Much safer than putting my private key out there ;)I'll try the forward_agent thing though, looks like a cleaner solution. Thanks! :)
ehsanul