Capistrano fails in SSH public key authentication, but all commands still succeed

I'm having trouble deploying with Capistrano using public key authentication. On Windows, I configured the SSH agent to start automatically when the terminal opens.

    Agent pid 4476
    Enter passphrase for /c/Users/Lea/.ssh/id_rsa:
    Identity added: /c/Users/Lea/.ssh/id_rsa (/c/Users/Lea/.ssh/id_rsa)

id_rsa is in my authorized_keys file on the server and I use it all the time for ssh with `ssh lea@web.3`.

My Capfile is as follows:

    require 'rubygems'
    require 'railsless-deploy'

    # application name
    set :application, "site.com"

    # multi-stage deploy
    task :production do
      set :branch, "master"
      set :app_environment, "production"
      role :web, "web.3", :primary => true
      set :deploy_to, "/var/www/vhosts/site/site.com/"
    end

    task :dev do
      # chomp the trailing newline, otherwise it ends up inside the git commands (visible in the deploy log below)
      set :branch, `git rev-parse HEAD`.chomp
      set :app_environment, "development"
      role :web, "web.3", :primary => true
      set :deploy_to, "/var/www/vhosts/site/dev.site.com/"
    end

    # deploys remotely on SSH using deploy only key
    set :repository, "git@bitbucket.org:us/site.git"
    set :scm, :git
    set :git_enable_submodules, 1
    set :deploy_via, :remote_cache

    # release configuration
    set :use_sudo, false
    set :keep_releases, 2
    after "deploy:update", "deploy:cleanup"

    # the web server user
    set :user, "lea"

    namespace :deploy do
      task :migrate do
        # do nothing
      end

      task :finalize_update, :except => { :no_release => true } do
        transaction do
          #run "chmod -R g+w #{release_path}"
          run "echo '#{app_environment}' > #{release_path}/ENVIRONMENT"
        end
      end

      task :restart, :except => { :no_release => true } do
        # don't need to restart
      end
    end

When I start the deployment, it asks for my id_rsa passphrase again. Why does it ask when my ssh agent is already running and the passphrase has already been entered?

The following is the log of the `cap dev deploy` command. You can see where it asks for my passphrase. Also note that when I ssh into the server, it also starts ssh-agent and loads the RSA deployment key used for git (you can see these messages in the log).

    $ cap dev deploy
    DL is deprecated, please use Fiddle
      * 2013-09-12 13:19:30 executing `dev'
      * 2013-09-12 13:19:30 executing `deploy'
      * 2013-09-12 13:19:30 executing `deploy:update'
     ** transaction: start
      * 2013-09-12 13:19:30 executing `deploy:update_code'
        updating the cached checkout on all servers
      * executing "if [ -d /var/www/vhosts/site/dev.site.com/shared/cached-copy ]; then cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git fetch -q origin && git fetch --tags -q origin && git reset -q --hard 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE && git clean -q -d -x -f; else git clone -q git@bitbucket.org:us/ventek.git /var/www/vhosts/site/dev.site.com/shared/cached-copy && cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git checkout -q -b deploy 3309af4ac302a6c2dc46bcf36e877abbd8472988 && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE; fi"
        servers: ["web.3"]
    Enter passphrase for c:/Users/Lea/.ssh/id_rsa:
        [web.3] executing command
     ** [web.3 :: out] Agent pid 11336
     ** [web.3 :: err] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 2300ms
        copying the cached version to /var/www/vhosts/site/dev.site.com/releases/20130912191939
      * executing "cp -RPp /var/www/vhosts/site/dev.site.com/shared/cached-copy /var/www/vhosts/site/dev.site.com/releases/20130912191939 && (echo 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n > /var/www/vhosts/us/dev.site.com/releases/20130912191939/REVISION)"
        servers: ["web.3"]
        [web.3] executing command
     ** [out :: web.3] Agent pid 11442
    *** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 751ms
      * 2013-09-12 13:19:39 executing `deploy:finalize_update'
      * executing "echo 'development' > /var/www/vhosts/site/dev.site.com/releases/20130912191939/ENVIRONMENT"
        servers: ["web.3"]
        [web.3] executing command
     ** [out :: web.3] Agent pid 11451
    *** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 610ms
      * 2013-09-12 13:19:40 executing `deploy:create_symlink'
      * executing "rm -f /var/www/vhosts/site/dev.site.com/current && ln -s /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/site/dev.site.com/current"
        servers: ["web.3"]
        [web.3] executing command
     ** [out :: web.3] Agent pid 11460
    *** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 621ms
     ** transaction: commit
        triggering after callbacks for `deploy:update'
      * 2013-09-12 13:19:41 executing `deploy:cleanup'
      * executing "ls -xt /var/www/vhosts/site/dev.site.com/releases"
        servers: ["web.3"]
        [web.3] executing command
        [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 1186ms
     ** keeping 2 of 7 deployed releases
      * executing "rm -rf /var/www/vhosts/site/dev.site.com/releases/20130906181120 /var/www/vhosts/site/dev.site.com/releases/20130912185329 /var/www/vhosts/site/dev.site.com/releases/20130912185937 /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/us/dev.site.com/releases/11469"
        servers: ["web.3"]
        [web.3] executing command
     ** [out :: web.3] Agent pid 11476
    *** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
        command finished in 750ms
    $

Now, my main problem is not the passphrase. Each time I run Capistrano, it fails to authenticate 2 times per deployment. I see this in the ssh log on the server, but there is no indication of it in Capistrano:

    11:58:44 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2
    11:58:56 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2

The server runs fail2ban, which blocks my IP (for 10 minutes) after 5 failed authentications, which means I get blocked after starting Capistrano 3 times. This is a huge, unacceptable problem, and I have no idea why this happens. Do you have any recommendation or solution to fix this problem?

Thanks!

+4
2 answers

I managed to solve this problem myself. I was being blocked from the server because Fail2ban was an old version.

When connecting over SSH, sshd performs a reverse DNS lookup. Reverse DNS for my office's Internet connection did not work, and sshd printed an error in the /var/log/secure log file:

    Address xxxx maps to server.domain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Fail2ban recognized this as a failed connection and blocked my IP because of it. This was never a problem when connecting manually, because that is rare, but when Capistrano makes several connections in a row, it triggers the ban.

I used the information here: https://github.com/fail2ban/fail2ban/pull/64 to solve the problem by removing that regular expression from the fail2ban configuration file.

0
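The mechanism behind this answer, as an added illustration that is not part of the original post or of fail2ban's own code: a small stand-in for fail2ban's sshd filter, run over constructed sample log lines, showing that a failregex which also matches the reverse-DNS warning pushes a legitimate office IP over the ban threshold, while a filter that counts only real authentication failures does not. The prefix/host patterns, the reverse-DNS regex wording and the sample lines (documentation-range IPs) are assumptions built from the log lines quoted on this page, not fail2ban's actual configuration.

```python
import re

# Constructed /var/log/secure sample (documentation-range IPs, not the page's server).
# Host 203.0.113.7 stands in for the office: broken reverse DNS plus the two
# password failures the question shows; 198.51.100.9 is a genuine brute-force probe.
SAMPLE_LOG = """\
Sep 12 11:58:30 web3 sshd[1130]: Address 203.0.113.7 maps to office.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 12 11:58:31 web3 sshd[1130]: Accepted publickey for lea from 203.0.113.7 port 42410 ssh2
Sep 12 11:58:44 web3 sshd[1134]: Failed password for lea from 203.0.113.7 port 42421 ssh2
Sep 12 11:58:56 web3 sshd[1134]: Failed password for lea from 203.0.113.7 port 42421 ssh2
Sep 12 11:59:02 web3 sshd[1140]: Address 203.0.113.7 maps to office.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 12 11:59:15 web3 sshd[1144]: Address 203.0.113.7 maps to office.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 12 11:59:28 web3 sshd[1148]: Address 203.0.113.7 maps to office.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 12 11:59:40 web3 sshd[1152]: Failed password for invalid user admin from 198.51.100.9 port 5510 ssh2
"""

# Simplified stand-ins for fail2ban's __prefix_line and <HOST> placeholders (assumption).
PREFIX = r"^\S+ +\d+ [\d:]+ \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILED_PASSWORD = re.compile(
    PREFIX + r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2$")
# Modelled on the reverse-DNS rule older sshd filters carried; wording reconstructed
# from the log line quoted in the answer (assumption, not fail2ban's exact regex).
REVERSE_DNS_MISMATCH = re.compile(
    PREFIX + r"Address " + HOST
    + r" maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$")

OLD_FILTER = [FAILED_PASSWORD, REVERSE_DNS_MISMATCH]  # counts DNS noise as a failure
NEW_FILTER = [FAILED_PASSWORD]                        # counts only real auth failures

def count_failures(log_text, failregex, maxretry=5):
    """Tally failregex matches per host; return (counts, hosts that reached maxretry)."""
    counts = {}
    for line in log_text.splitlines():
        for rx in failregex:
            m = rx.match(line)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break  # one failregex hit per line, as fail2ban counts it
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return counts, banned

if __name__ == "__main__":
    for name, rules in (("old filter", OLD_FILTER), ("new filter", NEW_FILTER)):
        counts, banned = count_failures(SAMPLE_LOG, rules)
        print(name, counts, "banned:", banned)
```

With maxretry=5 (the question's setting) the old filter bans the office IP on DNS noise alone while the real probe from 198.51.100.9 stays well under the threshold; the narrowed filter keeps the office at its two genuine failures.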

Step 1:

Do you really need a passphrase for your keys? This type of risk is mitigated today by using full disk encryption products or highly secure USB drives. Less of a PITA, and still in line with the security manager's best-practice recommendations.

That said:

http://blog.blenderbox.com/2013/02/20/ssh-agent-forwarding-with-github/

Try adding

    ssh_options[:forward_agent] = true

to your Capfile, not deploy.rb.

0

Source: https://habr.com/ru/post/1501933/
