automatic input


Rodrigo Dominguez

Jul 21, 2015, 3:55:04 AM
to capis...@googlegroups.com
Versions:
  • Ruby 2.1.6
  • Capistrano 3.4.0
Platform:
  • Linux
Files:
  • deploy.rb


I'm wondering if there is a way to automatically enter info on the server when it requests it.


To give some background, I added Two Factor Auth with google authenticator on some servers.


When I deploy just to one server, it asks me for:


Password:
Verification Code:

Which I enter manually (a password for Password, a code for Verification Code) and the deploy is made without major problems.


When I have to deploy to more than one server at the same time, it asks me for:


Password:  Password: 


and whatever I enter, it always breaks.


So I'm wondering if I can make the deploy scripts automatically enter some text when they see "Password:" and "Verification Code:". By doing that, I'm planning to ask for the password and Google token when the deploy process starts, and when the remote server asks for Password: and Verification Code:, to automatically enter the data I supplied for password and verification code.


Thank you


Rod

Lee Hambley

Jul 21, 2015, 4:06:41 AM
to Capistrano
The canonical way to solve this is to pipe something into your command, for example the Linux command `yes` (at `/usr/bin/yes`) echoes `y` followed by a carriage return indefinitely. This can be used to answer `(y/N)` prompts thusly:

/usr/bin/yes | apt-get install something 

(most programs have a --assume-yes, or --force flag, which achieves the same thing)

To answer your question, you could use ask() to get the TOTP code into a variable, and then do something like:

echo "#{myvariable}" | my-command-that-wants-the-totp-code

Note however that many things (passwd, sudo, etc) will refuse to read a password from stdin, because it's considered very, very poor practice. Also, you will have a very, very hard time modifying Capistrano to ask this when SSHing into a machine. Ask yourself what you are really gaining by adding a 6 byte TOTP token, plus a huge unverified PAM module, to what are already 2048+bit keys with a well proven system in SSH. It would be better, however impossible, to have your server enforce that SSH keys are passphrased, which you can't solve with technology, just education and enforcement within your team.

With all this said, you might be interested in a newish feature of Capistrano & SSHKit https://github.com/capistrano/sshkit#using-the-sshkitmappinginteractionhandler - note however, that needing something like this is a sign that your deployment environment is most likely poorly designed. TOTP in cases like this is pseudo security.

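Added example (not part of the thread, and not Capistrano or SSHKit code): a stand-alone responder for the two prompts quoted above, shaped to the `on_data(command, stream_name, data, channel)` handler interface described in the linked SSHKit README section. It answers prompts printed by a command on an established session, not the SSH login itself. The class name, `FakeChannel`, and all sample values are hypothetical and constructed.

```ruby
# Stand-alone model of a prompt responder; no SSHKit needed to run it.
class OneShotPromptResponder
  PROMPTS = {
    password: /Password:\s*\z/,
    totp:     /Verification Code:\s*\z/i
  }.freeze

  # answers: { password: "...", totp: "123456" }, collected before the run
  def initialize(answers)
    @answers = answers
    @state = {}.compare_by_identity # per channel: buffer + prompts answered
  end

  # Called once per chunk of remote output.
  def on_data(_command, _stream_name, data, channel)
    st = (@state[channel] ||= { buf: +"", sent: [] })
    st[:buf] << data                        # a prompt may arrive split in two
    st[:buf].slice!(0, st[:buf].size - 256) if st[:buf].size > 256
    kind, = PROMPTS.find { |_, re| st[:buf] =~ re }
    return :no_prompt unless kind
    st[:buf].clear
    # A repeated prompt means the first answer was rejected: stop rather than
    # replay a bad secret until the account locks.
    raise "#{kind} prompt repeated; refusing to resend" if st[:sent].include?(kind)
    st[:sent] << kind
    channel.send_data("#{@answers.fetch(kind)}\n")
    kind                                    # report the prompt kind, never the secret
  end
end

# Constructed stand-in for an SSH channel so the block runs offline.
class FakeChannel
  attr_reader :sent
  def initialize; @sent = []; end
  def send_data(str); @sent << str; end
end

def demo
  responder = OneShotPromptResponder.new(password: "constructed-pw", totp: "000000")
  a, b = FakeChannel.new, FakeChannel.new   # two servers prompting in parallel
  log = []
  log << responder.on_data(nil, :stdout, "Pass", a)
  log << responder.on_data(nil, :stdout, "Password: ", b)
  log << responder.on_data(nil, :stdout, "word: ", a)
  log << responder.on_data(nil, :stdout, "Verification Code: ", a)
  [log, a.sent, b.sent]
end
```

Keeping state per channel is what stops two servers' interleaved "Password:" prompts from being confused with each other.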

Rodrigo Dominguez

Jul 21, 2015, 12:30:11 PM
to capis...@googlegroups.com
The policy at the company where I work is to add two factor auth to every system, so I have no other choice than implementing it.

For now I just added an environment for each server, so I can do cap server1 deploy, cap server2 deploy, etc. Not a nice or effective way to deploy, but it works. I'll be looking at your advice to see if I can make it work with all servers in one single deploy.

Thx