Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
> Hi All,
> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
> I need to do this as part of a deploy.
> Thanks
> Lance
> -- > * You received this message because you are subscribed to the Google Groups "Capistrano" group. > * To post to this group, send email to capistrano@googlegroups.com (mailto:capistrano@googlegroups.com) > * To unsubscribe from this group, send email to capistrano+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/capistrano?hl=en
I am writing a cap deploy script for the gitlabhq project and part of the process is that one of the users it creates needs to be able to clone a repo from the localhost and as it has not had the host verification approved this part of the script fails.
> Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
> - Lee
> On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
>> Hi All,
>> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
>> I need to do this as part of a deploy.
>> Thanks
>> Lance
Although it's very dangerous practice, if you know what you're doing you can use ssh options to not check host verification. You can do it in 2 places:
In $HOME/.ssh/config you can put something like this:
Host SOMEHOST
    StrictHostKeyChecking no
In Capfile you can set ssh_options[:strict_host_key_checking] to no. I'm not sure about the name but you can check the Net::SSH API docs. I was able to do something like this (ssh_options[:forward_agent] = true) and it worked great.
Again, please consider all options as by setting this you lose a big part of your ability to tell a machine has been compromised.
A better option might be to use ssh-keyscan to populate your known_hosts keys, and then clone the repository.
On Fri, Jan 13, 2012 at 5:00 PM, Lance.Haig <lnh...@gmail.com> wrote:
> Hi lee,
> I am writing a cap deploy script for the gitlabhq project and part of the process is that one of the users it creates needs to be able to clone a repo from the localhost and as it has not had the host verification approved this part of the script fails.
> Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
> - Lee
> On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
> Hi All,
> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
> I need to do this as part of a deploy.
> Thanks
> Lance
You can also create a task that appends the known signature to the known hosts file before the task that needs it. This allows you to actually vet those entries instead of blindly accepting them.
On Jan 13, 2012, at 8:02 AM, Haim Ashkenazi <haim.ashken...@gmail.com> wrote:
> Although it's very dangerous practice, if you know what you're doing you can use ssh options to not check host verification. You can do it in 2 places:
> In $HOME/.ssh/config you can put something like this:
> Host SOMEHOST
>     StrictHostKeyChecking no
> In Capfile you can set ssh_options[:strict_host_key_checking] to no. I'm not sure about the name but you can check the Net::SSH API docs. I was able to do something like this (ssh_options[:forward_agent] = true) and it worked great.
> Again, please consider all options as by setting this you lose a big part of your ability to tell a machine has been compromised.
> A better option might be to use ssh-keyscan to populate your known_hosts keys, and then clone the repository.
> HTH
> On Fri, Jan 13, 2012 at 5:00 PM, Lance.Haig <lnh...@gmail.com> wrote:
> Hi lee,
> I am writing a cap deploy script for the gitlabhq project and part of the process is that one of the users it creates needs to be able to clone a repo from the localhost and as it has not had the host verification approved this part of the script fails.
>> Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
>> - Lee
>> On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
>>> Hi All,
>>> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
>>> I need to do this as part of a deploy.
>>> Thanks
>>> Lance
> --
> Haim
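Added example, not part of the original thread: the ssh-keyscan and "vet before appending" suggestions in the two replies above, sketched in plain Ruby that a Capistrano task could call. It assumes the expected fingerprint was recorded out of band; the function names, the `PINNED` table and the key blobs are constructed for illustration.

```ruby
require "base64"
require "digest"
require "tmpdir"

# OpenSSH-style SHA256 fingerprint of a base64 public-key blob:
# unpadded base64 of the SHA-256 digest, as printed by `ssh-keygen -lf`.
def fingerprint(key_b64)
  blob = Base64.strict_decode64(key_b64)
  "SHA256:" + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete("=")
end

# Vet ssh-keyscan output ("host keytype base64key" per line) against pinned
# fingerprints; append only matching, not-yet-present lines to known_hosts.
# Returns [accepted_lines, rejected_lines].
def vet_and_append(scan_output, pinned, known_hosts_path)
  known = File.exist?(known_hosts_path) ? File.readlines(known_hosts_path, chomp: true) : []
  accepted, rejected = [], []
  scan_output.each_line(chomp: true) do |line|
    next if line.strip.empty? || line.start_with?("#")
    host, _type, key = line.split
    trusted = begin
      !key.nil? && pinned[host] == fingerprint(key)
    rescue ArgumentError # key field is not valid base64
      false
    end
    (trusted ? accepted : rejected) << line
  end
  new_lines = accepted.uniq - known
  File.open(known_hosts_path, "a", 0o600) { |f| f.puts(new_lines) } unless new_lines.empty?
  [accepted, rejected]
end

# Constructed sample data: these blobs are placeholders, not real host keys.
GOOD_KEY  = Base64.strict_encode64("constructed-ed25519-host-key-blob")
OTHER_KEY = Base64.strict_encode64("constructed-unexpected-key-blob")
# Assumption: in a real deploy this value is recorded out of band, not computed here.
PINNED = { "localhost" => fingerprint(GOOD_KEY) }
SCAN = <<~OUT
  # localhost:22 SSH-2.0-OpenSSH (constructed sample)
  localhost ssh-ed25519 #{GOOD_KEY}
  localhost ssh-rsa #{OTHER_KEY}
OUT

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    accepted, rejected = vet_and_append(SCAN, PINNED, File.join(dir, "known_hosts"))
    puts "appended: #{accepted.size}, rejected: #{rejected.size}"
  end
end
```

A deploy task built on this would abort when the rejected list is non-empty rather than fall back to `StrictHostKeyChecking no`.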
Thanks, this is what I wanted. I think the option in the cap file is the best as this is a one time deployment and the host key would be different for each server.
I do not anticipate the script being run more than once to set-up the server.
> Although it's very dangerous practice, if you know what you're doing you can use ssh options to not check host verification. You can do it in 2 places:
> In $HOME/.ssh/config you can put something like this:
> Host SOMEHOST
>     StrictHostKeyChecking no
> In Capfile you can set ssh_options[:strict_host_key_checking] to no. I'm not sure about the name but you can check the Net::SSH API docs. I was able to do something like this (ssh_options[:forward_agent] = true) and it worked great.
> Again, please consider all options as by setting this you lose a big part of your ability to tell a machine has been compromised.
> A better option might be to use ssh-keyscan to populate your known_hosts keys, and then clone the repository.
> HTH
> On Fri, Jan 13, 2012 at 5:00 PM, Lance.Haig <lnh...@gmail.com> wrote:
> Hi lee,
> I am writing a cap deploy script for the gitlabhq project and part of the process is that one of the users it creates needs to be able to clone a repo from the localhost and as it has not had the host verification approved this part of the script fails.
> On 13/01/12 08:40, Lee Hambley wrote:
>> No Lance,
>> Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
>> - Lee
>> On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
>>> Hi All,
>>> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
>>> I need to do this as part of a deploy.
>>> Thanks
>>> Lance
> --
> Haim
This will only be run once to set-up the account on the local host for a management account. As this will be run on a new server each time I am not sure how you would know the host key for it.
> You can also create a task that appends the known signature to the known hosts file before the task that needs it. This allows you to actually vet those entries instead of blindly accepting them.
> On Jan 13, 2012, at 8:02 AM, Haim Ashkenazi <haim.ashken...@gmail.com> wrote:
>> Hi Lance,
>> Although it's very dangerous practice, if you know what you're doing you can use ssh options to not check host verification. You can do it in 2 places:
>> In $HOME/.ssh/config you can put something like this:
>> Host SOMEHOST
>>     StrictHostKeyChecking no
>> In Capfile you can set ssh_options[:strict_host_key_checking] to no. I'm not sure about the name but you can check the Net::SSH API docs. I was able to do something like this (ssh_options[:forward_agent] = true) and it worked great.
>> Again, please consider all options as by setting this you lose a big part of your ability to tell a machine has been compromised.
>> A better option might be to use ssh-keyscan to populate your known_hosts keys, and then clone the repository.
>> HTH
>> On Fri, Jan 13, 2012 at 5:00 PM, Lance.Haig <lnh...@gmail.com> wrote:
>> Hi lee,
>> I am writing a cap deploy script for the gitlabhq project and part of the process is that one of the users it creates needs to be able to clone a repo from the localhost and as it has not had the host verification approved this part of the script fails.
>> On 13/01/12 08:40, Lee Hambley wrote:
>>> No Lance,
>>> Sorry the process is such that if 9/10 times, to prepare the server for a deploy, someone has logged on by hand, and made the changes. What's your use-case? (First time in 5 years this has come up on the mailing list, perhaps I can help?)
>>> - Lee
>>> On Thursday, January 12, 2012 at 11:52 PM, Lance.Haig wrote:
>>>> Hi All,
>>>> I was wondering if there was a Capistrano command that will allow you to accept a host verification key?
>>>> I need to do this as part of a deploy.
>>>> Thanks
>>>> Lance
>> --
>> Haim