Capistrano 3.0 — How securely prompt for password now?
jibiel
Prior to 3.0 there was a way to do that:
# ...
set :mysql_password, proc { Capistrano::CLI.password_prompt "Gimme remote database server password. Don't worry, I won't tell anyone: " }
# ...
namespace :db do
desc 'Dump remote database'
task :dump do
run "mysqldump -u #{mysql_user} -p #{mysql_database} > ~/#{mysql_database}.sql" do |channel, stream, data|
if data =~ /^Enter password:/
channel.send_data "#{mysql_password}\n"
end
end
end
endIt prompts for password, doesn't show it as you type and leaves no traces of it in the logs and the output.
Now, as of 3.0 the only way I have found:
# ...
namespace :db do
desc 'Dump remote database'
task :dump do
ask :mysql_password, nil
on roles(:db) do
execute "mysqldump -u#{fetch :mysql_user} -p#{fetch :mysql_password} #{fetch :mysql_database} > ~/#{fetch :mysql_database}.sql"
end
end
endIt does the job but reveals password everywhere.
Is there a secure way for password prompting in 3.0? Thanks!
Taken from SO — http://stackoverflow.com/q/20789912/535406
Rob Hunter
This won't help with prompting, but I do want to mention that any command-line arguments (including passwords) are visible to all users with no special privileges or tools.
If you want your passwords to be secret, you'll almost certainly want to choose a different mechanism other than command-line arguments. (eg an interactive prompt, or files with permissions)
In the case of MySQL, I think the manual has a warning on this topic when it talks about the -p option.
Hunter
--
You received this message because you are subscribed to the Google Groups "Capistrano" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capistrano+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/capistrano/9394d648-e2c1-4708-99fc-aea7377543ec%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.