SSH key passphrase with git pull using Fabric
I'm trying to automate deployment of application using fabric.

The application code is hosted on GitHub and rolling out a new version is very straightforward - just do 'git pull' and that's it. The application is hosted on 100 servers, so I would like to automate deployment. Fabfile.py:

from fabric.api import cd, run

def deploy():
    code_path = '/home/myuser/myapp'
    # Run both git commands inside the checkout on the remote host
    with cd(code_path):
        run('git pull')
        run('git submodule update --init --recursive')

The problem is, on every git command I get a prompt: Enter passphrase for key '/home/myuser/.ssh/id_rsa':

Is there a way to automatically input the passphrase? It's the same on every server and the same as the sudo password.

I've tried the fexpect library, but I'm wondering whether there is a better (i.e. standard) way of doing it.

Daile answered 13/9, 2012 at 14:5 Comment(0)
13

You can also use an ssh key agent and use agent forwarding. Always put a password on keys. GitHub has good docs on how to utilize this here.

Fabric should now also have agent forwarding ability. I've run into trouble with it in some corner cases, but gotten around them with an explicit local('ssh -A ...') as a workaround until the issue is resolved.

Tayyebeb answered 13/9, 2012 at 23:52 Comment(4)
ssh-agent forwarding worked! That's brilliant. That actually solved so many other problems too. Thanks a lot! – Daile
"Always put passwords on keys" is not as good as "don't copy private keys". Generate a new key. – Wideranging
Sure it is. I get a copy of your keys and I have access to your servers. Passworded keys make it two-stage auth, regardless of the number of keys. – Tayyebeb
See the comment about agent hijacking. You have no control over that. You have some control over keeping your private keys secure. – Wideranging
1

Although I consider the ssh-agent forwarding described in the accepted answer to be the preferable solution (if you get it working), there is an alternative to it, provided by Fabric itself:
Fabric has its own "password" setting (the env.password entry). You can make Fabric automatically input the passphrase (and the sudo password) if you set env.password (see documentation):

password

Default: None

The default password used by the SSH layer when connecting to remote hosts, and/or when answering sudo prompts.


You can set password with it either of following options:

  • using env.password = 'PASSWORD' directly in code inside "fabfile.py",
  • on the command line as an option to the fab command, using -p PASSWORD or --password=PASSWORD (documentation),
  • as another option, you can put a password=PASSWORD line in ~/.fabricrc (documentation), which gets loaded before each fab command; with this option neither a command line option nor a code change is required.
Susannahsusanne answered 20/8, 2016 at 20:30 Comment(0)
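As an added example (not code from the question, from either answer, or from Fabric itself), the following preflight module ties the two approaches together: it checks whether the local ssh-agent already holds the deploy key before relying on the env.forward_agent route from the accepted answer, and otherwise falls back to the env.password route from this answer, taking the secret from an environment variable instead of a literal in the fabfile; it also checks that a ~/.fabricrc holding password=... is readable only by its owner. env.forward_agent and env.password are real Fabric 1.x settings; the variable name DEPLOY_SSH_PASSPHRASE, the sample ssh-add output, the stub env object and all function names are assumptions made for this example.

```python
import os
import stat
import subprocess
import types
from typing import List, Mapping, Optional, Tuple

# Constructed sample of `ssh-add -l` output (the fingerprint is made up).
# `ssh-add -l` exits 0 when the agent holds keys, 1 when it holds none,
# and 2 when no agent can be contacted.
SAMPLE_AGENT_LISTING = (
    "2048 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
    "/home/myuser/.ssh/id_rsa (RSA)\n"
)


def parse_agent_listing(output: str) -> List[str]:
    """Return the comment field (normally the key path) of each loaded key.

    Each line looks like "<bits> <fingerprint> <comment> (<TYPE>)". Messages
    such as "The agent has no identities." are skipped because their first
    field is not a bit length.
    """
    keys = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            keys.append(parts[2].rsplit(" (", 1)[0])
    return keys


def agent_holds_key(key_path: str, output: str, returncode: int) -> bool:
    """True when the agent is reachable and already has key_path loaded.

    env.forward_agent only helps if the *local* agent has the key; otherwise
    the remote `git pull` still prompts for the passphrase on every host.
    """
    return returncode == 0 and key_path in parse_agent_listing(output)


def query_agent() -> Tuple[str, int]:
    """Run `ssh-add -l` and return (stdout, exit status); 2 if ssh-add is missing."""
    try:
        proc = subprocess.run(["ssh-add", "-l"], capture_output=True, text=True)
    except FileNotFoundError:
        return "", 2
    return proc.stdout, proc.returncode


def fabricrc_is_private(path: str) -> bool:
    """True when path exists and has no group/other permission bits.

    A ~/.fabricrc holding password=... is a credential file; a world-readable
    copy exposes the key passphrase (and, per the question, the sudo password).
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def configure_fabric_env(env, key_path: str, agent_output: str, agent_rc: int,
                         password_var: str = "DEPLOY_SSH_PASSPHRASE",
                         environ: Optional[Mapping[str, str]] = None) -> str:
    """Choose the passphrase strategy and apply it to a Fabric env object.

    Prefers agent forwarding (env.forward_agent). Falls back to env.password
    read from an environment variable (the variable name is an assumption of
    this example) rather than a literal in the fabfile. Returns "agent" or
    "password".
    """
    environ = os.environ if environ is None else environ
    if agent_holds_key(key_path, agent_output, agent_rc):
        env.forward_agent = True
        env.password = None
        return "agent"
    secret = environ.get(password_var)
    if not secret:
        raise RuntimeError(
            "agent does not hold %s and %s is unset; refusing to start a "
            "deploy that would prompt on every host" % (key_path, password_var))
    env.forward_agent = False
    env.password = secret
    return "password"


def make_stub_env():
    """Stand-in for fabric.api.env so the preflight runs without Fabric installed."""
    return types.SimpleNamespace()


if __name__ == "__main__":
    # In a real fabfile: `from fabric.api import env` and pass that env instead.
    output, rc = query_agent()
    strategy = configure_fabric_env(make_stub_env(),
                                    os.path.expanduser("~/.ssh/id_rsa"), output, rc)
    print("passphrase strategy:", strategy)
    print("~/.fabricrc private:", fabricrc_is_private(os.path.expanduser("~/.fabricrc")))
```

In a fabfile you would call configure_fabric_env(env, key_path, *query_agent()) at the top of the deploy task with Fabric's real env; the function refuses to proceed rather than let 100 hosts each block on an interactive passphrase prompt, and the password path never stores the secret in the fabfile or on the command line where it would show up in shell history and process listings.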
-9

Don't use passphrases when making a key. Simply press enter and then again to confirm. You can also have more than one key: some with passwords, some without.

Wideranging answered 13/9, 2012 at 14:48 Comment(5)
If he's using his personal key it's best to use a password so as not to open up more than just the box he's deploying to to attack, let alone his GitHub page. With robots I may be more inclined to agree a passwordless key is alright. – Tayyebeb
Multiple keys should be used. You shouldn't use one key for everything. – Wideranging
That's what a .ssh/config is for. You can assign all that there and then still use agent forwarding. – Tayyebeb
Agent forwarding is susceptible to agent hijacking. Organizations disable agent forwarding. Better to just use a different key for GitHub if you're not willing to use keys with no passwords. – Wideranging
It's susceptible if you don't trust the box's root user, where that root user can then impersonate said user. But keeping the private key on the box is just as susceptible to root (and anyone able to access the file) impersonation when it's passwordless. (from unixwiz.net/techtips/ssh-agent-forwarding.html) – Tayyebeb
