Ruby-on-rails 尽管有 SSH 密钥,但 Capistrano 在部署时要求输入密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3269578/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Capistrano asks for password when deploying, despite SSH keys
提问by ehsanul
My ssh keys are definitely set up correctly, as I'm never prompted for the password when using ssh. But capistrano still asks for a password when deploying with cap deploy. It doesn't ask for the password when I setup with cap deploy:setupthough, strangely enough. It would make the deployment cycle so much smoother without a password prompt.
我的 ssh 密钥绝对设置正确,因为在使用 ssh 时从未提示我输入密码。但是在使用cap deploy. cap deploy:setup奇怪的是,当我使用它进行设置时,它并没有要求输入密码。如果没有密码提示,它会使部署周期更加顺畅。
Specifics: I'm deploying a Sinatra app to a Dreamhost shared account (which uses Passenger). I had followed a tutorial for doing so long back, which worked perfectly back then. Something broke since. I'm using capistrano (2.5.9) and git version 1.6.1.1. Here's my Capfile:
细节:我正在将 Sinatra 应用程序部署到 Dreamhost 共享帐户(使用Passenger)。很久以前我就按照教程进行了操作,当时效果很好。从那以后有些东西坏了。我正在使用 capistrano (2.5.9) 和 git 版本 1.6.1.1。这是我的 Capfile:
load 'deploy' if respond_to?(:namespace) # cap2 differentiator
set :user, 'ehsanul'
set :domain, 'jellly.com'
default_run_options[:pty] = true
# the rest should be good
set :repository, "[email protected]:git/jellly.git"
set :deploy_to, "/home/ehsanul/jellly.com"
set :deploy_via, :remote_cache
set :scm, 'git'
set :branch, 'deploy'
set :git_shallow_clone, 1
set :scm_verbose, true
set :use_sudo, false
server domain, :app, :web
namespace :deploy do
task :migrate do
run "cd #{current_path}; /usr/bin/rake migrate environment=production"
end
task :restart do
run "touch #{current_path}/tmp/restart.txt"
end
end
after "deploy", "deploy:migrate"
And here's the output of what happens when I cap deploy, upto the password prompt:
这是当 I 时发生的输出cap deploy,直到密码提示:
$ cap deploy
* executing `deploy'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
updating the cached checkout on all servers
executing locally: "git ls-remote [email protected]:git/jellly.git deploy"
/usr/local/bin/git
* executing "if [ -d /home/ehsanul/jellly.com/shared/cached-copy ]; then cd /home/ehsanul/jellly.com/shared/cached-copy && git fetch origin && git reset --hard ea744c77b0b939d5355ba2dc50ef1ec85f918d66 && git clean -d -x -f; else git clone --depth 1 [email protected]:git/jellly.git /home/ehsanul/jellly.com/shared/cached-copy && cd /home/ehsanul/jellly.com/shared/cached-copy && git checkout -b deploy ea744c77b0b939d5355ba2dc50ef1ec85f918d66; fi"
servers: ["jellly.com"]
[jellly.com] executing command
** [jellly.com :: out] [email protected]'s password:
Password:
** [jellly.com :: out]
** [jellly.com :: out] remote: Counting objects: 7, done.
remote: Compressing objects: 100% (4/4), done.
What could be broken?
什么可以破?
回答by Pablo Torrecilla
Executing ssh-add ~/.ssh/id_rsain my local machine fixed the issue for me. It seemed that the ssh command line tool wasn't detecting my identity when called with Capistrano.
ssh-add ~/.ssh/id_rsa在我的本地机器上执行为我解决了这个问题。当使用 Capistrano 调用时,ssh 命令行工具似乎没有检测到我的身份。
回答by tobym
The password prompt is because the server you are deploying to is connecting to the git server and needs authentication. Since your local machine (where you are deploying from) already has a valid ssh-key, use that one by enabling forwarding in your Capfile:
密码提示是因为你部署到的服务器正在连接git服务器,需要认证。由于您的本地机器(您从中部署)已经有一个有效的 ssh 密钥,请通过在您的 Capfile 中启用转发来使用该密钥:
set :ssh_options, {:forward_agent => true}
That forwards the authentication from your local machine through when the deployment server tries to connect to your git server.
当部署服务器尝试连接到您的 git 服务器时,它将从您的本地机器转发身份验证。
This is much preferred to putting your private key out on the deployment server!
这比将您的私钥放在部署服务器上更受欢迎!
Another way of getting around the password prompt when the server is ssh'ing back on itself is to tell capistrano not to do so. Thanks to the 'readme' section for Daniel Quimper's capistrano-site5github repo, we note the following:
当服务器重新使用 ssh 时,另一种绕过密码提示的方法是告诉 capistrano 不要这样做。感谢 Daniel Quimper 的capistrano-site5github 存储库的“自述”部分,我们注意到以下内容:
set :deploy_via, :copy
Obviously, this works for the case where both the app and git repository are being hosted on the same host. But I guess some of us are doing that :)
显然,这适用于应用程序和 git 存储库都托管在同一主机上的情况。但我想我们中的一些人正在这样做:)
回答by fetsh
I've had the same problem.
我遇到了同样的问题。
This line did'nt work:
这条线不起作用:
set :ssh_options, {:forward_agent => true}
Then I executed mentioned on Dreamhost wiki
然后我执行了 Dreamhost wiki 上提到的
[local ~]$ eval `ssh-agent`
[local ~]$ ssh-add ~/.ssh/yourpublickey # omit path if using default keyname
And now I can deploy without password.
现在我可以在没有密码的情况下进行部署。
回答by Winfield
The logs show it prompted for a password after logging in via SSH to jellly.com, so it looks like the actual git update is prompting for a password.
日志显示它在通过 SSH 登录到 jellly.com 后提示输入密码,因此看起来实际的 git 更新正在提示输入密码。
I think this is because your repository setting specifies your git user, even though you can access it anonymously in this case.
我认为这是因为您的存储库设置指定了您的 git 用户,即使在这种情况下您可以匿名访问它。
You should create an anonymous git account and change your repo line like this:
您应该创建一个匿名 git 帐户并像这样更改您的 repo 行:
set :repository, "[email protected]:git/jellly.git"
Alternatively, you could put your SSH key ON your production server, but that doesn't sound useful. You also might be able to configure SSH to forward authentication requests back through the initial SSH connection. The anonymous read-only source control for deploy is likely easier, though.
或者,您可以将 SSH 密钥放在生产服务器上,但这听起来没什么用。您还可以将 SSH 配置为通过初始 SSH 连接转发身份验证请求。不过,用于部署的匿名只读源代码控制可能更容易。
回答by Sanjay Salunkhe
I copy and paste my local machie id_rsa.pub key to remote server authorized_key file and it worked
我将本地机器 id_rsa.pub 密钥复制并粘贴到远程服务器 authorized_key 文件,并且它起作用了
回答by Amol Pujari
copying public key manually to authorized_keys did not work in my case but doing it via service worked, when I found service had simply added one more same key at the end
手动将公钥复制到 authorized_keys 在我的情况下不起作用,但通过服务进行操作时,当我发现服务在最后仅添加了一个相同的密钥时
ssh-copy-id ~/.ssh/id_rsa.pub user@remote
回答by Joel Wilson
If you're using a Windows workstation (portable) that you sometimes dock directly into an internal corporate network and sometimes connect via VPN, you may find that you get inconsistent behavior in running cap remote tasks asking you for a password.
如果您使用的 Windows 工作站(便携式)有时会直接连接到公司内部网络,有时会通过 VPN 连接,您可能会发现在运行 cap 远程任务时会出现不一致的行为,要求您输入密码。
In my situation, our company has login scripts that execute when you logged in while already connected to the company LAN that set your HOME directory to a network share location. If you login from cached credentials and then VPN in, your home directory isn't set by the login script. The .ssh directory that stores your private key may be in only one of those locations.
在我的情况下,我们公司有登录脚本,当您登录时已连接到公司 LAN,将您的 HOME 目录设置为网络共享位置。如果您从缓存的凭据登录,然后通过 VPN 登录,则登录脚本不会设置您的主目录。存储您的私钥的 .ssh 目录可能仅位于这些位置之一。
An easy fix in that situation is to just copy the .ssh directory from the HOME that has it to the one that doesn't.
在这种情况下,一个简单的解决方法是将 .ssh 目录从拥有它的 HOME 复制到没有它的 HOME。
