Capistrano Auth Trick

This past summer, we needed to automate testing of several failure scenarios for VPN-Cubed. Having asked the LazyWeb about any frameworks that could help us and having gotten no response, our dev team had a short chat in the office. We decided that ultimately we were going to have to roll our own system based on SSH. Capistrano was the obvious choice, because it's essentially a higher-level wrapper around the Net::SSH module (if you prefer Python, take a look at Fabric or Paramiko).

One obstacle was that, because we were emulating various failures, at times our local Capistrano process, which was driving the tests, had to lose SSH connectivity to its target servers. We quickly discovered that this resulted in an exception, and the cap process would die.

To work around this, I added yet another level on top of cap which uses GNU make (one of my all-time favorites). In a nutshell, the user controls the testing process via make, and make starts cap. In this setup, it's OK for the cap process to occasionally exit.

But then, and we are finally getting to the point of this post, another issue came up: I didn't want to keep typing the password into cap each time it was started by make. Here is how I ended up implementing it to avoid re-typing the password.

# in Makefile
# read -s/-p are bash extensions and $(shell ...) runs under $(SHELL),
# which defaults to /bin/sh (dash on some systems), so pin bash.
SHELL := /bin/bash

# := is expanded when make parses the file, so this prompts once per make
# run, before any target executes; the prompt goes to stderr and only the
# password is captured.  printf '%s' avoids echo's handling of backslashes.
USER_PASS := $(shell read -r -s -p "[make] user's password: " P; printf '%s' "$$P")
# exported, so every process make spawns (cap included) sees it
export USER_PASS

all: set_password
# do something here

# abort if the user just hit Enter (recipe lines must start with a tab)
set_password:
	@test -n "$(USER_PASS)"

# in Capfile
# the lambda runs when :password is first fetched and its result is cached:
# cap uses the value make exported and only prompts when it is absent
set :password, lambda { ENV['USER_PASS'] ||
  Capistrano::CLI.password_prompt("[cap] #{user}'s password: ") }
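As an added example (not code from the original post, and not Capistrano's own implementation), the Ruby below models the Capfile's "environment first, prompt second" lookup so its precedence and its prompt-at-most-once behaviour can be exercised without Capistrano or SSH. The names `resolve_password`, `LazyValue`, `CountingPrompter` and `demo` are made up for this example; Capistrano 2's real mechanism is `set :password, lambda { ... }` together with `Capistrano::CLI.password_prompt`. It also handles one edge the bare `ENV['USER_PASS'] || ...` does not: an exported but empty variable.

```ruby
# Added example, not code from the original post.  Models the Capfile's
# "environment first, prompt second" lookup so its precedence and its
# prompt-at-most-once behaviour can be checked without Capistrano or SSH.
# resolve_password, LazyValue, CountingPrompter and demo are names made up
# for this example; Capistrano 2's real mechanism is
# `set :password, lambda { ... }` plus Capistrano::CLI.password_prompt.

ENV_VAR = "USER_PASS"

# Return the password from `env` (a Hash standing in for ENV), or ask
# `prompter` (any object responding to #call) when the variable is unset
# or empty.  "" is truthy in Ruby, so a bare `ENV['USER_PASS'] || prompt`
# would silently use an empty password; the Makefile's `test` guard
# catches that case for make, this catches it for cap.
def resolve_password(env, prompter)
  value = env[ENV_VAR]
  return value unless value.nil? || value.empty?
  prompter.call
end

# Mimics how Capistrano 2 treats a callable variable: the block runs on the
# first fetch and the result is cached, so the user is prompted at most
# once per cap run even when several servers need the password.
class LazyValue
  def initialize(&block)
    @block = block
    @evaluated = false
  end

  def fetch
    unless @evaluated
      @value = @block.call
      @evaluated = true
    end
    @value
  end
end

# Stand-in for Capistrano::CLI.password_prompt that records how often it
# was invoked instead of reading the terminal.
class CountingPrompter
  attr_reader :calls

  def initialize(answer)
    @answer = answer
    @calls = 0
  end

  def call
    @calls += 1
    @answer
  end
end

# Resolve the password as the Capfile would and fetch it three times (think
# three servers in one role).  Returns [password, number_of_prompts].
def demo(env, answer: "from-prompt")
  prompter = CountingPrompter.new(answer)
  password = LazyValue.new { resolve_password(env, prompter) }
  3.times { password.fetch }
  [password.fetch, prompter.calls]
end

if __FILE__ == $0
  p demo({ "USER_PASS" => "s3cret" })  # => ["s3cret", 0]       make already asked
  p demo({ "USER_PASS" => "" })        # => ["from-prompt", 1]  empty is not a password
  p demo({})                           # => ["from-prompt", 1]  cap started by hand
end
```

One caveat worth keeping in mind with the Makefile half of the trick: `export USER_PASS` places the password in the environment of every process make spawns, not just cap. The password is never written to disk, but on Linux any process running as the same user (and root) can read it from /proc/<pid>/environ for as long as make and its children are alive, and `ps e` will print it. That exposure is what the first comment below is objecting to.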

Categories: ruby

Comments (2)

Lee Hambley // 08 Oct 2009

You should be using SSH keys; advice like this is dangerous as hell. Is there a good reason for not using SSH keys to manage authentication?

Dmitriy // 08 Oct 2009

Fair enough, SSH keys could be better, and SSH agent can come in handy as well.

But "dangerous as hell" - that's a strong statement :) What's wrong with usernames and passwords? I am not aware of any critical vulnerabilities in OpenSSH caused by username/password auth. Are you? Would appreciate it if you let me know.