Gmail Calendar Documents Reader Web more »
Recently Visited Groups | Help | Sign in
Google Groups Home
ec2-on-rails-discuss
Home
+ new post
Pages
Files
About this group
Join this group
Capistrano, public keys, and ssh-agent
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   1 message - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Micah  
View profile  
 More options Jul 31 2008, 11:43 pm
From: Micah <fanm...@micah-wedemeyer.net>
Date: Thu, 31 Jul 2008 20:43:48 -0700 (PDT)
Local: Thurs, Jul 31 2008 11:43 pm
Subject: Capistrano, public keys, and ssh-agent
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
I've been digging around in Net::SSH and I've found a trick to avoid
having the public key, assuming you're on a Linux box with ssh-agent
running.  Perhaps everyone already knows about this, but I'll post it
for posterity.

Also, in full disclosure, I'm no security expert, so this could be
absolutely terrible advice!  If so, someone please tell me!

I've only used it with Net:SSH directly, but since Capistrano relies
on Net::SSH, it should work as well.  I'd be curious if it works for
any of you...

Here's how it works: Net::SSH can make use of an ssh-agent to handle
the key management.  On my Linux box (Ubuntu, pretty standard) there
is already an ssh-agent running.  So, you simply need to hand off your
private key file to the agent.  This is done like so (from a command
line):

ssh-add /path/to/private/key/file

You can do it inside of Ruby by enclosing it in backticks:
`ssh-add #{my_key_path}`

If the key has a passphrase, you will be prompted.  This pretty much
kills it from an automation standpoint, so you'll want an unprotected
key.

At this point, the ssh-agent has the private key.  Net::SSH should
automatically detect the presence of the ssh-agent and allow it to
manage the keys.  You should now be able to connect and execute
commands on your remote server, all without ever getting a copy of the
public key!

Here is an example of how I do this in a script (using Net::SSH):

    # Assume t is our private key file

    # Pass the key file to ssh-agent
    `ssh-add #{t.path}`

    # Make the connection
    ssh = Net::SSH.start(ec2_instance_host, 'root', :auth_methods =>
["publickey"], :keys => [t.path])

    # Revoke the key from the ssh-agent
    `ssh-add -d #{t.path}`

    return ssh

Like I said, let me know if this works!


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google