fabric password

D

8

42

Every time fabric runs, it asks for root password, can it be sent along same for automated proposes.

fab staging test

Deedradeeds answered 26/2, 2010 at 5:48 Comment(2)

I would consider very carefully before adopting any strategy that involved storing passwords in plaintext - as environment vars, saved in scripts, even entered at the command line - much as I hate to contradict a luminary like A.M. (really, man, you've given me a lot of information over the years) - it lives in your command history and presents a security risk. – Hopson 18/9, 2013 at 8:58

gomad, you are absolutely right regarding the dangers of plaintext passwords. The keychain module helps to store passwords securely, see https://mcmap.net/q/358067/-fabric-sudo-no-password-solution how to use it with Fabric 2. – Stalky 29/12, 2018 at 11:15

O

51

fab -h will show you all the options, you can also read them here.

In particular, and I quote,

-p PASSWORD, --password=PASSWORD

Sets env.password to the given string; it will then be used as the default password when making SSH connections or calling the sudo program.

Orientalize answered 26/2, 2010 at 5:58 Comment(0)

I

61

I know you've asked about password but wouldn't it better to configure the system so that you can doing fabric (i.e. SSH) without password?

For this, on local machine do:

ssh-keygen and agree with all defaults (if you have no reasons do otherwise)
cat ~/.ssh/id_rsa.pub and copy that key

On remote machine:

mkdir ~/.ssh && chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys2 && chmod 600 ~/.ssh/authorized_keys2
Paste copied key into authorized_keys2

From now your remote machine “trusts” your local machine and allows logging it in without password. Handy.

Isabellisabella answered 26/2, 2010 at 10:29 Comment(1)

use ssh-copy-id may be faster: ssh-copy-id Usage: /usr/bin/ssh-copy-id [-i [identity_file]] [user@]machine – Deutschland 4/1, 2013 at 10:45

O

51

fab -h will show you all the options, you can also read them here.

In particular, and I quote,

-p PASSWORD, --password=PASSWORD

Sets env.password to the given string; it will then be used as the default password when making SSH connections or calling the sudo program.

Orientalize answered 26/2, 2010 at 5:58 Comment(0)

C

51

You can also set passwords on a per host basis. It wasn't obvious to me, so here it goes for anyone looking for this:

from fabric import env
env.hosts = ['user1@host1:port1', '[email protected]']
env.passwords = {'user1@host1:port1': 'password1', '[email protected]': 'password2'}

Fabric caches used passwords in the env.passwords dictionary. It sets this cache using the full hosts string as key of that dictionary and the password as the value. If you set this dictionary yourself before executing any task, Fabric won't ask for them at all.

Copalite answered 6/4, 2011 at 14:40 Comment(1)

Note - you must include port 22 even if you didn't specify it in env.hosts. Got me – Othilie 17/7, 2018 at 10:55

D

21

It's also possible to set ssh password in connect_args

    conn = Connection(
    "{username}@{ip}:{port}".format(
        username=username,
        ip=ip,
        port=port,
    ),
    connect_kwargs={"password": password},
)

Dittography answered 4/12, 2018 at 16:53 Comment(1)

Thanks. The connect_kwargs.password notation in the docs was confusing me. – Carbaugh 21/10, 2021 at 23:0

A

8

Just to add for anyone who winds up here from a search, you can specify the -I option when running fab for it to prompt you for a default password to use. This way it won't be visible in your command history

example:

$ fab -I my_task
Initial value for env.password:

Aphis answered 16/10, 2013 at 16:1 Comment(0)

R

6

One way to do this without putting the password in the process list (commands show up in ps aux) is to put it in the fabfile.py like so:

from fabric.context_managers import env
env.password = 'PASSWORD'

Put that before anything that goes to the remote system and it won't ask for a password anymore.

Robyn answered 15/3, 2011 at 21:23 Comment(3)

Just a note, this generates an error in the latest Fabric 1.5.3 and Paramiko 1.9.0. – Swirl 1/3, 2013 at 11:51

Just remove the from fabric import env – Clarinda 25/8, 2013 at 7:59

New package is context_managers, from fabric.context_managers import env – Mcalpine 3/11, 2013 at 13:30

S

2

It is possible to store the password securely in the operating system keyring service with the keyring module, the password can then be automatically retrieved and used in fabfile.py.

You first need to store the password in the keyring, for example using the Python shell:

>>> import keyring
>>> keyring.set_password('some-host', 'some-user', 'passwd')

Then you can use it in fabfile.py, for example with Fabric 2:

from fabric import task
import keyring

@task
def restart_apache(connection):
    connection.config.sudo.password = keyring.get_password(connection.host, 'some-user')
    connection.sudo('service apache2 restart')

Stalky answered 29/12, 2018 at 11:58 Comment(0)

A

0

You can also pass a default password into a Connection or Group using connect_kwargs. For example:

group = ThreadingGroup(*servers, connect_kwargs={
  'password': getpass('SSH password: '),
})
group.run(command)

Astrograph answered 23/3, 2023 at 22:21 Comment(0)

Recommended topics

Hot tags