Capistrano Asks for Password When Deploying, Despite SSH Keys

Capistrano asks for password when deploying, despite SSH keys

The password prompt is because the server you are deploying to is connecting to the git server and needs authentication. Since your local machine (where you are deploying from) already has a valid ssh-key, use that one by enabling forwarding in your Capfile:

set :ssh_options, {:forward_agent => true}

That forwards the authentication from your local machine through when the deployment server tries to connect to your git server.

This is much preferred to putting your private key out on the deployment server!

Another way of getting around the password prompt when the server is ssh'ing back on itself is to tell capistrano not to do so. Thanks to the 'readme' section for Daniel Quimper's capistrano-site5 github repo, we note the following:

set :deploy_via, :copy

Obviously, this works for the case where both the app and git repository are being hosted on the same host. But I guess some of us are doing that :)

Cap deploy asks for password even though ssh key is present in server

I found the issue: there were staging.rb and development.rb files which were overriding my cap script credentials whenever I tried to deploy the application in a different env.
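A small audit for the situation described in this answer, written as an added example (it is not from the original post or from Capistrano itself): it compares the connection settings in a base deploy.rb with those in each stage file and reports what a stage changes. The file contents, the list of keys treated as connection settings, and the function names are assumptions made for illustration.

```ruby
# Added example: find connection settings that a stage file sets differently
# from deploy.rb. All file contents below are constructed samples.
CONNECTION_KEYS = %w[user password ssh_options ssh_key gateway].freeze
SET_RE = /\A\s*set\s+:(\w+)\s*,\s*(.+?)\s*\z/            # set :user, "deploy"
OPT_RE = /\A\s*(ssh_options\[:\w+\])\s*=\s*(.+?)\s*\z/   # ssh_options[:keys] = ...

# Return { setting => raw value text } for connection-related lines only.
# Whole-line comments are skipped; trailing comments are not stripped.
def connection_settings(source)
  source.each_line.with_object({}) do |line, found|
    next if line.strip.start_with?('#')
    if (m = SET_RE.match(line)) && CONNECTION_KEYS.include?(m[1])
      found[m[1]] = m[2]
    elsif (m = OPT_RE.match(line))
      found[m[1]] = m[2]
    end
  end
end

# Report every connection setting a stage file defines with a value that
# differs from the base config (base is nil when only the stage sets it).
def stage_overrides(base_source, stages)
  base = connection_settings(base_source)
  stages.each_with_object([]) do |(name, source), report|
    connection_settings(source).each do |key, value|
      next if base[key] == value
      report << { stage: name, key: key, base: base[key], stage_value: value }
    end
  end
end

DEPLOY_RB = <<~RUBY
  set :user, "deploy"
  set :ssh_options, {:forward_agent => true}
  set :deploy_to, '/var/www/app'
RUBY

STAGES = {
  'staging.rb' => <<~RUBY,
    # set :user, "old"
    set :user, "staging-user"
    set :deploy_to, '/var/www/staging'
  RUBY
  'development.rb' => <<~RUBY
    set :user, "deploy"
    ssh_options[:forward_agent] = false
  RUBY
}.freeze

stage_overrides(DEPLOY_RB, STAGES).each do |f|
  puts "#{f[:stage]}: #{f[:key]} = #{f[:stage_value]} (deploy.rb: #{f[:base].inspect})"
end
```
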

Capistrano asks for SSH password when deploying from local machine to server

You need to specify both the SSH user and the private key for authentication:

i.e.:

set :user,    "deploy"
set :ssh_key, "deploy.pem"

If you're using capistrano multistage, which it appears you are, in your stages.yml file for this environment, add the keys:

user:    "deploy"
ssh_key: "deploy.pem"

Capistrano deployment fails when server ssh key has a passphrase

You can use SSH Agent Forwarding. So there's no need to enter a passphrase on the server.

This way you just preload your ssh key/s locally (ssh-add keyname_rsa) and have them automatically forward to your host, then from your host to the Github servers as necessary.

So you only enter your passphrase once locally.

And the rest happens "automagically" during deployment. It's worth setting up.

From the docs:

1.2.1 SSH Agent Forwarding

As we’ve already set up an SSH agent, we can use the agent forwarding
feature of SSH to make this key agent available to further hops. In
short, we can use our own ssh key to authenticate ourselves from the
server to Github.
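A pre-deploy check for the agent forwarding setup described above, as an added example that is not part of the original answers or of Capistrano: it interprets the output and exit code of `ssh-add -l` to tell whether there is anything to forward. The function names, the socket path and the sample outputs are constructed for illustration.

```ruby
# Added example: decide whether the local SSH agent can back :forward_agent.
# Sample ssh-add outputs below are constructed, not captured from a real host.
require 'open3'

AgentStatus = Struct.new(:ok, :keys, :reason)

# ssh-add -l exits 0 with one line per loaded key, 1 when the agent holds
# no identities, and 2 when it cannot contact an agent at all.
def classify_agent(env, output, exit_code)
  if env['SSH_AUTH_SOCK'].to_s.empty?
    return AgentStatus.new(false, [], 'SSH_AUTH_SOCK is not set: no agent to forward')
  end
  case exit_code
  when 0
    keys = output.lines.map(&:strip).reject(&:empty?).map do |line|
      # Line format: "<bits> <fingerprint> <comment...> (<type>)"
      bits, fingerprint, *rest = line.split(' ')
      { bits: bits.to_i, fingerprint: fingerprint,
        comment: rest[0...-1].join(' '), type: rest.last.to_s.delete('()') }
    end
    AgentStatus.new(true, keys, nil)
  when 1
    AgentStatus.new(false, [], 'agent is running but holds no keys: run ssh-add')
  else
    AgentStatus.new(false, [], 'agent socket is set but unreachable')
  end
end

# Live check for the workstation you deploy from.
def local_agent_status
  out, status = Open3.capture2e('ssh-add', '-l')
  classify_agent(ENV, out, status.exitstatus)
rescue Errno::ENOENT
  AgentStatus.new(false, [], 'ssh-add not found on PATH')
end

SAMPLE_ENV = { 'SSH_AUTH_SOCK' => '/tmp/constructed-agent.sock' }.freeze
SAMPLE_LOADED = "4096 SHA256:CONSTRUCTEDFINGERPRINT /home/me/.ssh/keyname_rsa (RSA)\n"
SAMPLE_EMPTY = "The agent has no identities.\n"

[[SAMPLE_LOADED, 0], [SAMPLE_EMPTY, 1], ['', 2]].each do |out, code|
  status = classify_agent(SAMPLE_ENV, out, code)
  puts status.ok ? "ok: #{status.keys.size} key(s) loaded" : "not ready: #{status.reason}"
end
```

While a forwarded session is open, anyone with root on the deployment server can use the forwarded agent socket, so enable forwarding only for the hosts you deploy to rather than globally.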

Capistrano: Supply password from local variable for ssh sign-in so that there is no prompt

Answer turned out to be in https://github.com/capistrano/sshkit/blob/master/EXAMPLES.md

host = SSHKit::Host.new('user@example.com')
host.password = "hackme"

on host do |host|
  puts capture(:echo, "I don't care about security!")
end

Capistrano local git repository cloning to remote asks for password despite SSH keys

First of all: Capistrano always executes its commands on the remote server you are deploying to.
This means that all paths you use like in set :deploy_to are local paths on the server.

In my case the config looks something like this:

set :scm, 'git'
set :repository, "<repo url>"
set :branch, 'master'
set :git_shallow_clone, 1
set :scm_verbose, true

set :deploy_to, '/var/www/app'
set :deploy_via, :remote_cache

The important part here is the :deploy_to that is a local path on the server not a SSH path. This is where your config is wrong!

This gets even more important if you look at the commands Capistrano then runs. For example, it will usually do things like cd /var/www/app && bundle install ....
If the path is not local the command will most likely fail.

Secondly this also means that Capistrano will deploy to your Git Server from your Remote Server, so you have to make sure the remote server has access to the Git Server.
The ssh_options[:keys] therefore specifies the local SSH key used to connect to that remote_server, while on the server the default key from ~/.ssh/id_rsa.pub will be used.

You can avoid having to set up your SSH key on the server by using SSH agent forwarding, by including ssh_options[:forward_agent] = true. This will simply forward your local SSH agent socket to the server and use that (good because your key never leaves your machine).

Force capistrano to ask for password immediately

If you're running most commands via sudo (that is, you have set :use_sudo, true) you can probably do this by hooking before "deploy", "ask_for_password", creating a task "ask_for_password", and immediately using it to perform any command with sudo, such as sudo date. Sudo will prompt the first time only, then presumably has a long enough timeout to get through the deploy.

If that doesn't work...

...we're talking about capistrano -- ain't nothin' simple with capistrano. It's an incredibly powerful tool, and I don't know anyone who finds it "simple".

Instead of setting up everyone to be able to deploy, maybe set up a host that you can let people ssh into as a user like "deployer", then have that execute the deploys.

But deploying is a pretty significant task -- not everyone should be able to do it, especially to production. I think you're better off installing passwordless public keys of users having authority to deploy on servers they are permitted to deploy to (e.g. more to test than to staging, or production).

capistrano insisting on password

Do you have to specify user@server.com to SSH to your server successfully (i.e., do you have a different username on your remote server from your local machine)?

You might just need to tell Capistrano what username it should be using to connect with by adding it to your deploy.rb:

set :user, "your-username"

You could also change the default username SSH will pick for that server by using ~/.ssh/config:

Host your.server.name
  User your-username

