Capistrano not authenticating with the SSH public key, yet all commands still succeed

Time: 2013-09-12 19:48:26

Tags: ssh capistrano

I can't get Capistrano to deploy using public key authentication. On Windows, I have it set up to start the SSH agent automatically when I open a terminal.

Agent pid 4476
Enter passphrase for /c/Users/Lea/.ssh/id_rsa:
Identity added: /c/Users/Lea/.ssh/id_rsa (/c/Users/Lea/.ssh/id_rsa)

id_rsa is in the authorized_keys file on the server, and I've been using it all along to SSH in with ssh lea@web.3.

My Capfile is as follows:

require 'rubygems'
require 'railsless-deploy'

# application name
set :application, "site.com"

# multi-stage deploy
task :production do
    set :branch, "master"
    set :app_environment, "production"
    role :web, "web.3", :primary => true
    set :deploy_to, "/var/www/vhosts/site/site.com/"
end

task :dev do
    set :branch, `git rev-parse HEAD`.strip  # strip the trailing newline from the backtick output, otherwise it ends up in the git command line and REVISION file
    set :app_environment, "development"
    role :web, "web.3", :primary => true
    set :deploy_to, "/var/www/vhosts/site/dev.site.com/"
end

# deploys remotely on SSH using deploy only key
set :repository,  "git@bitbucket.org:us/site.git"
set :scm, :git
set :git_enable_submodules, 1
set :deploy_via, :remote_cache

# release configuration
set :use_sudo, false
set :keep_releases, 2
after "deploy:update", "deploy:cleanup"

# the web server user
set :user, "lea"

namespace :deploy do

    task :migrate do
        # do nothing
    end

    task :finalize_update, :except => { :no_release => true } do
        transaction do
            #run "chmod -R g+w #{release_path}"
            run "echo '#{app_environment}' > #{release_path}/ENVIRONMENT"
        end
    end

    task :restart, :except => { :no_release => true } do
        # don't need to restart
    end
end

When I run the deploy, it asks for my id_rsa passphrase again. Why does it ask when I already have ssh-agent running and have entered the passphrase?

Below is the log of the cap dev deploy command. You can see it asking for my passphrase. Also note that when I log in to the server, it also starts an ssh-agent there and loads the deployment_rsa key used for git (you can see those messages in the log).

$ cap dev deploy
DL is deprecated, please use Fiddle
  * 2013-09-12 13:19:30 executing `dev'
  * 2013-09-12 13:19:30 executing `deploy'
  * 2013-09-12 13:19:30 executing `deploy:update'
 ** transaction: start
  * 2013-09-12 13:19:30 executing `deploy:update_code'
    updating the cached checkout on all servers
  * executing "if [ -d /var/www/vhosts/site/dev.site.com/shared/cached-copy ]; then cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git fetch -q origin && git fetch --tags -q origin && git reset -q --hard 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE && git clean -q -d -x -f; else git clone -q git@bitbucket.org:us/ventek.git /var/www/vhosts/site/dev.site.com/shared/cached-copy && cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git checkout -q -b deploy 3309af4ac302a6c2dc46bcf36e877abbd8472988 && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE; fi"
    servers: ["web.3"]
Enter passphrase for c:/Users/Lea/.ssh/id_rsa:
    [web.3] executing command
 ** [web.3 :: out] Agent pid 11336
 ** [web.3 :: err] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 2300ms
    copying the cached version to /var/www/vhosts/site/dev.site.com/releases/20130912191939
  * executing "cp -RPp /var/www/vhosts/site/dev.site.com/shared/cached-copy /var/www/vhosts/site/dev.site.com/releases/20130912191939 && (echo 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n > /var/www/vhosts/us/dev.site.com/releases/20130912191939/REVISION)"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11442
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 751ms
  * 2013-09-12 13:19:39 executing `deploy:finalize_update'
  * executing "echo 'development' > /var/www/vhosts/site/dev.site.com/releases/20130912191939/ENVIRONMENT"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11451
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 610ms
  * 2013-09-12 13:19:40 executing `deploy:create_symlink'
  * executing "rm -f /var/www/vhosts/site/dev.site.com/current && ln -s /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/site/dev.site.com/current"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11460
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 621ms
 ** transaction: commit
    triggering after callbacks for `deploy:update'
  * 2013-09-12 13:19:41 executing `deploy:cleanup'
  * executing "ls -xt /var/www/vhosts/site/dev.site.com/releases"
    servers: ["web.3"]
    [web.3] executing command
[err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 1186ms
 ** keeping 2 of 7 deployed releases
  * executing "rm -rf /var/www/vhosts/site/dev.site.com/releases/20130906181120 /var/www/vhosts/site/dev.site.com/releases/20130912185329 /var/www/vhosts/site/dev.site.com/releases/20130912185937 /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/us/dev.site.com/releases/11469"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11476
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 750ms

$ 

Now, my main problem isn't the passphrase. Every time I run Capistrano, each deploy produces 2 failed authentications. I see this in the ssh log on the server, but Capistrano gives no indication of it:

11:58:44 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2
11:58:56 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2

The server runs fail2ban, which blocks my IP (for 10 minutes) after 5 failed authentications, which means I get blocked after running Capistrano 3 times. This is a huge, unacceptable problem and I have no idea why it's happening. Do you have any suggestions for troubleshooting this, or a solution?

Thanks!

2 answers:

Answer 0 (score: 0)

Step 1:

Do you really need a passphrase on the key? These days that risk can be mitigated with a full-disk encryption product or by using a genuinely encrypted USB stick. Less of a PITA, and it still passes the security manager's best practices.

That said:

http://blog.blenderbox.com/2013/02/20/ssh-agent-forwarding-with-github/

Try adding

ssh_options[:forward_agent] = true

to the Capfile, rather than Deploy.rb

Answer 1 (score: 0)

I ended up solving this myself. I was getting locked out of the server because Fail2ban was an old version.

When connecting over SSH, sshd does a reverse DNS lookup. Reverse DNS on the office internet connection fails, and it prints an error in the /var/log/secure log file.

Address x.x.x.x maps to server.domain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Fail2ban treated this as a failed connection and blocked my IP because of it. I never had a problem connecting manually, because it doesn't happen that often, but when Capistrano makes several connections in a row it triggers it.

I used the information here: https://github.com/fail2ban/fail2ban/pull/64 to fix the problem by removing that regex from the fail2ban config file.
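The lockout the asker describes (5 hits in 10 minutes, two per deploy, banned after the third run) and the fix in answer 1, replayed as an added example. This is not code from the question or the answers and not fail2ban's own code: it is a minimal fail2ban-style matcher run over constructed sshd log lines. The two regexes are an approximation of what fail2ban's sshd filter matched at the time (the reverse-DNS one being the line answer 1 removed), and the IP addresses, hostname, PIDs and timestamps are made up to match the shape of the lines quoted on the page. The point it shows: with the reverse-DNS warning in the filter, every Capistrano SSH connection from an office with a broken PTR record counts as a failed login even though authentication succeeded, so the office IP is banned while a genuine password-guessing burst is banned either way.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: approximations of fail2ban's old sshd failregex lines, not copied from fail2ban.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_AUTH = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    + HOST + r" port \d+ ssh2\s*$"
)
# The warning sshd logs when the client's PTR record does not resolve back to the
# connecting address. It says nothing about authentication, yet the old filter counted it.
REVERSE_DNS_WARNING = re.compile(
    r"sshd\[\d+\]: Address " + HOST
    + r" maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\s*$"
)

OLD_FILTER = (FAILED_AUTH, REVERSE_DNS_WARNING)  # DNS misconfiguration counts as a failed login
FIXED_FILTER = (FAILED_AUTH,)                   # only real authentication failures count


def syslog_time(line: str, year: int = 2013) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (syslog omits the year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def find_bans(lines, filters, maxretry=5, findtime=timedelta(minutes=10)):
    """Replay log lines through a fail2ban-style sliding window.

    Returns {ip: [time_of_ban, ...]}. A ban fires when an IP accumulates maxretry
    matching lines within findtime; after a ban the IP's counter is cleared
    (simplified from fail2ban's real bookkeeping).
    """
    failures = defaultdict(list)
    bans = defaultdict(list)
    for line in lines:
        for rx in filters:
            m = rx.search(line)
            if m is None:
                continue
            ip, now = m.group("host"), syslog_time(line)
            recent = [t for t in failures[ip] if now - t <= findtime]
            recent.append(now)
            if len(recent) >= maxretry:
                bans[ip].append(now)
                recent = []
            failures[ip] = recent
            break
    return dict(bans)


# Constructed sample log (not from the asker's server), shaped like the lines quoted on the page.
def capistrano_run(ip: str, start: datetime, connections: int = 2, pid: int = 1134):
    """Lines one 'cap deploy' leaves behind when the office has a broken PTR record:
    each SSH connection logs the reverse-DNS warning, then a successful publickey login."""
    out = []
    for i in range(connections):
        t = (start + timedelta(seconds=12 * i)).strftime("%b %d %H:%M:%S")
        out.append(f"{t} web3 sshd[{pid + i}]: Address {ip} maps to office.example.com, "
                   "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!")
        out.append(f"{t} web3 sshd[{pid + i}]: Accepted publickey for lea from {ip} port {42421 + i} ssh2")
    return out


OFFICE_IP, ATTACKER_IP = "203.0.113.7", "198.51.100.23"   # made-up documentation addresses
T0 = datetime(2013, 9, 12, 11, 58, 44)

SAMPLE_LOG = []
for run in range(3):                      # three deploys in a row, two minutes apart
    SAMPLE_LOG += capistrano_run(OFFICE_IP, T0 + timedelta(minutes=2 * run), pid=1134 + 100 * run)
for i in range(5):                        # a genuine password-guessing burst from elsewhere
    t = (T0 + timedelta(minutes=7, seconds=3 * i)).strftime("%b %d %H:%M:%S")
    SAMPLE_LOG.append(f"{t} web3 sshd[2200]: Failed password for invalid user admin "
                      f"from {ATTACKER_IP} port {50000 + i} ssh2")


def banned_by(filters):
    """IPs the given filter set would ban on the sample log, sorted."""
    return sorted(find_bans(SAMPLE_LOG, filters))


if __name__ == "__main__":
    print("old filter bans:  ", banned_by(OLD_FILTER))    # ['198.51.100.23', '203.0.113.7']
    print("fixed filter bans:", banned_by(FIXED_FILTER))  # ['198.51.100.23']
```

Under OLD_FILTER the office address is banned at the first connection of the third deploy (the fifth warning inside the 10-minute window), which is exactly the "blocked after running Capistrano 3 times" the asker reports; under FIXED_FILTER only the address that actually failed password authentication is banned. Deleting the regex is the fix the answer used; two alternatives that do not weaken the filter at all are fixing the office PTR record so sshd stops logging the warning, or listing the office address in the jail's ignoreip.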