Re: [capistrano] "Host key verification failed" message when trying to do deploy:update

[Lee Hambley]

Doug,

The output lines:

[mayfair.textdrive.us] executing command

    ←[2;37mcommand finished in 391ms←[0m
failed: "sh -c 'git clone -q jdqu...@mayfair.textdrive.us:/users/home/jdquirke/
git/deq.git /users/home/jdquirke/rails_apps/deq/releases/20130305183649 && cd /u

sers/home/jdquirke/rails_apps/deq/releases/20130305183649 && git checkout -q -b
deploy a58d22c14a114a62ffae1066628cbf9ebb6bac77 && (echo a58d22c14a114a62ffae106
6628cbf9ebb6bac77 > /users/home/jdquirke/rails_apps/deq/releases/20130305183649/

REVISION)'" on mayfair.textdrive.us

indicate that this error is coming out of your server, and that the server is refusing to access mayfair.textdrive.us because mayfair.textdrive.us's SSH host key has not been added to known keys, or the server has never connected to that host, as that user over ssh before.

Best bet is to log onto the server by hand as your deploy user, and manually do something like an ls-remote from the server, to mayfair.textdrive.us.

Lee Hambley

--

http://lee.hambley.name/

+49 (0) 170 298 5667

On 5 March 2013 20:58, <jdqu...@gmail.com> wrote:

I'm on a Windows (XP) machine and I'm trying to use Capistrano to remotely update Rails code from a repository on server to a rails application directory on that same server, and I'm getting a "Host key verification failed" message.  The thing that I find odd is that the "git ls-remote" command that runs first is asking for my passphrase and appears to be working fine.  It looks like it's the next command (git clone) that's returning the "verification failed" message.

Is it indicative of a problem that the passphrase prompts look slightly different from each other?
Enter passphrase for key '/c/Documents and Settings/J. Douglas Quirk/.ssh/id_rsa': versus
Enter passphrase for C:/Documents and Settings/J. Douglas Quirk/.ssh/id_rsa:

I've put put the command/response sequence at the following link, along with the contents of deploy.rb and Capfile.

https://gist.github.com/dougq/5093627

Thanks for any suggestions,

Doug

--
--
* You received this message because you are subscribed to the Google Groups "Capistrano" group.
* To post to this group, send email to capis...@googlegroups.com
* To unsubscribe from this group, send email to capistrano+...@googlegroups.com For more options, visit this group at http://groups.google.com/group/capistrano?hl=en
---
You received this message because you are subscribed to the Google Groups "Capistrano" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capistrano+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[jdqu...@gmail.com]

Thanks Lee.  I'm really puzzled by the fact that the following is prompting me to enter the passphrase for my key and the command seems to be executing just fine:

←[33mexecuting locally: "git ls-remote us...@server.com:/users/home/jdquirke/git/deq.git HEAD"←[0m

Enter passphrase for key '/c/Documents and Settings/J. Douglas Quirk/.ssh/id_rsa':

←[2;37mcommand finished in 9547ms←[0m

Similarly, cap deploy:setup prompts me for my passphrase and then successfully creates directories on the remote server.

I'm wondering why the key seems to be working in the context of the above, but is failing on the "git clone" command.

On Tuesday, March 5, 2013 11:36:38 PM UTC-8, Lee Hambley wrote:

Doug,

The output lines:

[mayfair.textdrive.us] executing command

    ←[2;37mcommand finished in 391ms←[0m

failed: "sh -c 'git clone -q us...@server.com:/users/home/jdquirke/

[Lee Hambley]

The clue is "executing locally", on your local machine, as your local user, you have an entry for the Git server in the known_hosts file in your ssh (usually ~/.ssh/) directory. The server has never connected to the Git host over SSH as your deploy user before, and thus the deploy user's ~/.ssh/known_hosts file on the server is empty, thus without a TTY to prompt you "is this host key correct" (when people always hit "yes" without checking) it won't continue.

Various workarounds exist, one option is to override GIT_SSH and make that point to a wrapper script that performs the same ssh checkout, with `-o StrictHostKeyChecking=no`, we don't do that because it's a matter of a) Git (we support a bunch of SCMs) b) It only applies to about 1/3 of possible Git use cases (http, git and ssh protocols) and c) well, the whole security thing.

Admittedly it's misleading, in the forthcoming version of Capistrano this will be checked for in `cap deploy:check`, as we can realistically be expected to know how this works by now! In the meantime, you'll have to either add the line manually to known_hosts (take a look at your local file for the format), or simply connect once to the git server using ssh from the server(s) you are trying to deploy to and answer "yes" when prompted.

Hope that helps!

 

Lee Hambley

--

http://lee.hambley.name/

+49 (0) 170 298 5667

[jdqu...@gmail.com]

Thanks again.  Does it matter that the Git repository and the deploy directory are both on the same remote machine? In other words, there's just my local/Windows XP machine and the remote (Solaris, I think) machine (there's not a third machine involving Git, Git is on the same machine I'm trying to deploy to).

I noticed today that if I run "cap deploy:setup" I get prompted for my passphrase and the directories do in fact get created on the remote machine.  (I confirmed that if I delete them they re-appear after "cap deploy:setup."

So, when I run "cap deploy:update," the clone command is trying to clone from one directory in my directory tree on the remote machine to a different directory in my directory tree (both under the control of the same user).  I wonder if the fact that I'm doing this remotely means that the remote server needs info about my local machine in its known_hosts file?  Or does it need info about itself in that file?

[Lee Hambley]

Thanks again.  Does it matter that the Git repository and the deploy directory are both on the same remote machine?

Yes, the way you have it now, the machine is trying to ssh into itself, that's where the host key verification is coming from. See `:local_repository` at https://github.com/capistrano/capistrano/wiki/2.x-Significant-Configuration-Variables

 

In other words, there's just my local/Windows XP machine and the remote (Solaris, I think) machine (there's not a third machine involving Git, Git is on the same machine I'm trying to deploy to).

Understood, that's typical of starting-up people!

 

I noticed today that if I run "cap deploy:setup" I get prompted for my passphrase and the directories do in fact get created on the remote machine.  (I confirmed that if I delete them they re-appear after "cap deploy:setup."

Sure, `cap deploy:setup` should really "set up" the host key, too, but it doesn't yet. `deploy:setup` just verifies all the parts between your workstation and the server you are deploying to.

 

So, when I run "cap deploy:update," the clone command is trying to clone from one directory in my directory tree on the remote machine to a different directory in my directory tree (both under the control of the same user).  I wonder if the fact that I'm doing this remotely means that the remote server needs info about my local machine in its known_hosts file?  Or does it need info about itself in that file?

No, it would need it's *own* host key in the known_hosts file.. see the note above about :local_repository, so you can see how to have your workstation access the server first, and then the server not have to loop back into itself. 

[jdqu...@gmail.com]

Yes!! That did the trick--much appreciated!