pearfarm push


Evert Pot

Jan 10, 2010, 9:45:44 PM
to pear...@googlegroups.com
Hi guys,

I'm attempting to integrate the pearfarm commandline tool into my build system (phing).
Even though my keys are added to my ssh-agent, 'pearfarm push' will still ask for my password. Is there a way I can get around that?

Evert

Alan Pinstein

Jan 10, 2010, 9:57:04 PM
to pear...@googlegroups.com
You have a few options.

1) Do you know about ssh-agent? It's very cool. It is like a Mac
keychain for your keys (and passwords).

If you want to learn more, you can see how I set up ssh-agent for my
box (works on Mac OS X and Linux):

From http://github.com/apinstein/dotfiles/blob/master/zprofile :
> # another way, if you don't have pidof or need to know it's _your_ agent
> idfile=~/.agentid
> # already exists ssh-agent? flags so we don't false-positive on the grep
> if ps x -o 'command' -U `whoami` | grep "^ssh-agent" &> /dev/null
> then
>     # an agent is already running: reuse the environment saved below,
>     # except in an ssh login session (SSH_CLIENT is set)
>     test ! "$SSH_CLIENT" && test -r $idfile && eval `cat $idfile`
> else
>     # no agent yet: start one whose keys expire after 12 hours (43200 s)
>     if eval `ssh-agent -t 43200`
>     then
>         export SSH_AGENT_PID
>         export SSH_AUTH_SOCK
>         # remember the agent's env so later shells can attach to it
>         echo "export SSH_AGENT_PID=$SSH_AGENT_PID" > $idfile
>         echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $idfile
>         echo "Use ssh-add to add desired keys. I recommend an alias called 'ssh-keys-add-mine' to add all keys you want since we have a default timeout of 12 hours."
>     else
>         rm -f $idfile
>     fi
> fi
> unset idfile

This will automatically create an ssh-agent on your machine if one
isn't running, and automatically wire it up to any new shells for your
user.

2) You could create a separate key for pearfarm and remove the
password. Pearfarm uses the (private) key specified in
~/.pearfarm_config

> $ cat ~/.pearfarm_config
> keyfile = /Users/alanpinstein/.ssh/mykey

Hope that helps,

Alan

Evert Pot

Jan 10, 2010, 10:07:14 PM
to pear...@googlegroups.com
On OS/X I believe the ssh-agent is always running. For me it is anyway.. I added my keys using ssh-add -K which actually hooks into the OS/X keychain.

Yet I'm asked a password..

It would also be nice if the pearfarm cli would get an argument that makes it non-interactive. I'd like it to error if it can't authenticate without user input. Right now Phing will just hang with no prompt (presumably because phing will only print a line when it hits \n).

Evert

Alan Pinstein

Jan 10, 2010, 10:31:15 PM
to pear...@googlegroups.com
> On OS/X I believe the ssh-agent is always running. For me it is
> anyway.. I added my keys using ssh-add -K which actually hooks into
> the OS/X keychain.

Ah that's true on Leopard, I forgot. I haven't updated my script to
tap into that one; it starts a separate one.

> Yet I'm asked a password..

Probably your shell is not wired to the agent.

Run `ssh-add -l`. If your shell is hooked up to your ssh-agent and the
key is there then you will see it listed by that command. My guess is
that your SSH_AGENT_PID and SSH_AUTH_SOCK are not set up in the shell.

Although OS X does run its own keychain, I don't believe it's
automatically wired into the shell sessions. See my code below to see
how that's managed. Maybe this link will be useful?

http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/

I would actually love to get that working myself so I don't have to
have 2 agents running on my machine. Plus it's cool because the ssh
key passwords can be stored in the keychain!

> It would also be nice if the pearfarm cli would get an argument that
> makes it non-interactive. I'd like it to error if it can't
> authenticate without user input. Right now Phing will just hang with
> no prompt (presumably because phing will only print a line when it
> hits \n).

Everything *but* the password is able to be made non-interactive for
this reason. We were a little worried about allowing people to
automate the passwords, since it would necessarily mean writing the
passwords in plain text in a script somewhere, and really should we be
encouraging such behavior?

I could be convinced that it's ok to do so if someone can make a
compelling argument, but for now I think ssh-agent is the proper
solution to this problem.

Alan

Evert Pot

Jan 10, 2010, 11:01:19 PM
to pear...@googlegroups.com
>
>> Yet I'm asked a password..
>
> Probably your shell is not wired to the agent.
>
> Run `ssh-add -l`. If your shell is hooked up to your ssh-agent and the key is there then you will see it listed by that command. My guess is that your SSH_AGENT_PID and SSH_AUTH_SOCK are not set up in the shell.
>

ssh-add -l shows my 5 public keys.

I have SSH_AUTH_SOCK, but not SSH_AGENT_PID. I tried testing it by simply manually adding SSH_AGENT_PID, but it will actually still ask me for a password. Note that I use the same identity to log into ssh on a couple of machines, without ever needing a pwd.

>> It would also be nice if the pearfarm cli would get an argument that makes it non-interactive. I'd like it to error if it can't authenticate without user input. Right now Phing will just hang with no prompt (presumably because phing will only print a line when it hits \n).
>
> Everything *but* the password is able to be made non-interactive for this reason. We were a little worried about allowing people to automate the passwords, since it would necessarily mean writing the passwords in plain text in a script somewhere, and really should we be encouraging such behavior?
>
> I could be convinced that it's ok to do so if someone can make a compelling argument, but for now I think ssh-agent is the proper solution to this problem.

I think you misunderstood my request. I wouldn't add the password as a new argument, but I'd like a non-interactive argument that will _error out_ if user input is required. I just want a non-0 exitcode =)

Evert

Alan Pinstein

Jan 10, 2010, 11:11:06 PM
to pear...@googlegroups.com
> ssh-add -l shows my 5 public keys.

Oh, man, I am an idiot, sorry. It does it to me, too, and I am so
burnt out at the moment I didn't even realize!

Ok, so here's how it works. We are using the php openssl_* functions,
which require the password to be input in the function signature:

http://github.com/fgrehm/pearfarm/blob/master/src/Pearfarm/Task/Push.php#L116

The way I understand it, ssh uses openssl, but not vice-versa, and
ssh-agent is part of ssh, not openssl.

I don't see any signing functions in ssh2_* so that we could try to
engineer it to use the agent.

It would be cool, tho! If you have any ideas I'm game.

> I think you misunderstood my request. I wouldn't add the password as
> a new argument, but I'd like a non-interactive argument that will
> _error out_ if user input is required. I just want a non-0 exitcode =)

Oh, hmm. Well, we could probably do a --non-interactive flag or
something that will automatically exit(1) if any input is requested.
But I am not sure how that would help you, since if you added the flag
to a phing script it would *always* die, and what good is that?

Maybe you have just made a case for a --password flag; I guess it is
OK to use so long as the thing generating the "--password 1234" is
interactively requesting it (say with a phing input command).

Thoughts?

Alan

Evert Pot

Jan 10, 2010, 11:30:40 PM
to pear...@googlegroups.com

On 2010-01-11, at 1:11 PM, Alan Pinstein wrote:

>> ssh-add -l shows my 5 public keys.
>
> Oh, man, I am an idiot, sorry. It does it to me, too, and I am so burnt out at the moment I didn't even realize!
>
> Ok, so here's how it works. We are using the php openssl_* functions, which require the password to be input in the function signature:
>
> http://github.com/fgrehm/pearfarm/blob/master/src/Pearfarm/Task/Push.php#L116
>
> They way I understand it, ssh uses openssl, but not vice-versa, and ssh-agent is part of ssh, not openssl.
>
> I don't see any signing functions in ssh2_* so that we could try to engineer it to use the agent.
>
> It would be cool, tho! If you have any ideas I'm game.

No idea myself.. Not too familiar with either openssl or ssh, I just know enough to get by.

>
>> I think you misunderstood my request. I wouldn't add the password as a new argument, but I'd like a non-interactive argument that will _error out_ if user input is required. I just want a non-0 exitcode =)
>
> Oh, hmm. Well, we could probably do a --non-interactive flag or something that will automatically exit(1) if any input is requested. But I am not sure how that would help you, since if you added the flag to a phing script it would *always* die, and what good is that?

The script I'm writing might not be invoked by a console application. The benefit it gives me is that if I (or someone else) make a mistake in the configuration, the phing script won't hang waiting for input that never comes, but will just error.

> Maybe you have just made a case for a --password flag; I guess it is OK to use so long as the thing generating the "--password 1234" is interactively requesting it (say with a phing input command).

I don't know the security implications of this, so I wouldn't be able to give you advice. For now I will simply switch to a different password-less key that I'll just use for pearfarm.

Thanks for all the feedback,
Evert

Alan Pinstein

Jan 10, 2010, 11:35:28 PM
to pear...@googlegroups.com
>>> I think you misunderstood my request. I wouldn't add the password
>>> as a new argument, but I'd like a non-interactive argument that
>>> will _error out_ if user input is required. I just want a non-0
>>> exitcode =)
>>
>> Oh, hmm. Well, we could probably do a --non-interactive flag or
>> something that will automatically exit(1) if any input is
>> requested. But I am not sure how that would help you, since if you
>> added the flag to a phing script it would *always* die, and what
>> good is that?
>
> The script I'm writing might not be invoked by a console
> application. The benefit it gives me is that if I (or someone else)
> make a mistake in the configuration, the phing script won't hang
> waiting for input that never comes, but will just error.

It looks like "read" (which we use to read the pw) takes a timeout
parameter; would it be OK if it took 30s to fail?

>> Maybe you have just made a case for a --password flag; I guess it
>> is OK to use so long as the thing generating the "--password 1234"
>> is interactively requesting it (say with a phing input command).
>
> I don't know the security implications of this, so I wouldn't be
> able to give you advice. For now I will simply switch to a different
> password-less key that I'll just use for pearfarm.

Ok, thanks.

Alan

Evert Pot

Jan 10, 2010, 11:55:54 PM
to pear...@googlegroups.com
>>
>> The script I'm writing might not be invoked by a console application. The benefit it gives me, is that I (or someone else) makes a mistake in the configuration, the phing script won't hang waiting for input that never comes, but just error.
>
> It looks like "read" (which we use to read the pw) takes a timeout parameter; would it be OK if it took 30s to fail?

How about setting the timeout to 1s if --non-interactive is set?

No hurry on my part though, I'll replace my publickey for now..

Evert

Evert Pot

Jan 11, 2010, 12:51:25 AM
to pear...@googlegroups.com
A few more issues, from trying to switch to a new key:

* Even if I have a key without a password, it will still ask me for one. Perhaps you can initially just always try an empty string.
* pearfarm keygen defaults to .ssh/id_rsa, and does not take .pearfarm_config into consideration. 'pearfarm push' does do this
* When I hit ctrl-c on the 'enter pass phrase' prompt, I get thrown into an infinite loop and I need to hand-kill the openssl process.

I don't mind adding these to a bugtracker. Is there one?

Evert

Alan Pinstein

Jan 11, 2010, 9:10:00 AM
to pear...@googlegroups.com
Thanks for the info. Adding issues for these would be great.

I think the idea of --non-interactive => 1s timeout would work.

It's at http://github.com/fgrehm/pearfarm/issues

Alan
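The points the thread converges on (openssl_* functions take the passphrase as a plain argument and cannot talk to ssh-agent; try the empty passphrase first so an unencrypted key never prompts; a --non-interactive mode that exits non-zero instead of hanging; a bounded prompt timeout otherwise) pulled together in one small signing CLI. This is an added example, not pearfarm's own code or Push.php; the script name, the `--non-interactive` flag, the 30 s interactive timeout and the key path are assumptions for the example. It goes one step beyond the thread in that non-interactive mode never prompts at all rather than prompting with a 1 s timeout, and it refuses a key file that other users can read, since a passphrase-less key is only defensible when the file mode protects it.

```php
<?php
// Added example (not pearfarm's code): a signing CLI on the same PHP openssl_*
// functions pearfarm uses. openssl_pkey_get_private() wants the passphrase as
// an argument and knows nothing about SSH_AUTH_SOCK, so ssh-agent cannot help;
// what a build system needs instead is: empty passphrase first, fail fast with
// exit 1 when --non-interactive is set, and a bounded prompt otherwise.
// Flag name, script name and key path are assumptions for this example.

/** Load a PEM private key; returns false if it cannot be read or decrypted. */
function loadPrivateKey(string $pemPath, string $passphrase)
{
    $pem = @file_get_contents($pemPath);
    if ($pem === false) {
        return false;
    }
    // Wrong (or empty) passphrase on an encrypted key simply returns false;
    // there is no fallback to an agent or a terminal prompt here.
    $key = openssl_pkey_get_private($pem, $passphrase);
    while (openssl_error_string() !== false) {
        // drain the error queue so a stale error does not surface later
    }
    return $key;
}

/** Read one line from STDIN, or return null on timeout or EOF. */
function readLineWithTimeout(int $timeoutSeconds): ?string
{
    $read = [STDIN];
    $write = $except = [];
    $ready = stream_select($read, $write, $except, $timeoutSeconds);
    if ($ready === false || $ready === 0) {
        return null;
    }
    $line = fgets(STDIN);
    return $line === false ? null : rtrim($line, "\r\n");
}

/**
 * Returns a usable key handle or exits 1. The file mode is checked the way
 * ssh itself does: a passphrase-less key readable by other users is refused.
 */
function openKeyOrFail(string $pemPath, bool $nonInteractive)
{
    if (!is_file($pemPath) || (fileperms($pemPath) & 0077) !== 0) {
        fwrite(STDERR, "error: $pemPath is missing or readable by others (chmod 600 it)\n");
        exit(1);
    }
    $key = loadPrivateKey($pemPath, '');        // 1. unencrypted key: done
    if ($key !== false) {
        return $key;
    }
    if ($nonInteractive) {                       // 2. nobody attached: fail fast
        fwrite(STDERR, "error: $pemPath needs a passphrase and --non-interactive was given\n");
        exit(1);
    }
    fwrite(STDERR, "Enter pass phrase for $pemPath: ");   // 3. bounded prompt
    $pass = readLineWithTimeout(30);
    if ($pass === null) {
        fwrite(STDERR, "\nerror: no passphrase received within 30s\n");
        exit(1);
    }
    $key = loadPrivateKey($pemPath, $pass);
    if ($key === false) {
        fwrite(STDERR, "error: could not decrypt $pemPath\n");
        exit(1);
    }
    return $key;
}

// usage: php sign.php [--non-interactive] <keyfile> <file-to-sign>
$nonInteractive = in_array('--non-interactive', $argv, true);
$args = array_values(array_filter(array_slice($argv, 1), function ($a) {
    return $a !== '--non-interactive';
}));
if (count($args) !== 2) {
    fwrite(STDERR, "usage: php sign.php [--non-interactive] <keyfile> <file-to-sign>\n");
    exit(2);
}
[$keyPath, $filePath] = $args;
$key = openKeyOrFail($keyPath, $nonInteractive);
if (!openssl_sign(file_get_contents($filePath), $signature, $key, OPENSSL_ALGO_SHA256)) {
    fwrite(STDERR, "error: signing failed: " . openssl_error_string() . "\n");
    exit(1);
}
echo base64_encode($signature), "\n";
```

Two practical caveats. First, openssl_pkey_get_private() only understands PEM; a key in the newer OpenSSH private-key format (header `-----BEGIN OPENSSH PRIVATE KEY-----`, the ssh-keygen default since OpenSSH 7.8) fails to load regardless of passphrase, and `ssh-keygen -p -m PEM -f <keyfile>` rewrites it in PEM. Second, the dedicated passphrase-less key that both Alan and Evert end up recommending is the right shape for automation only if it is used for nothing else and is registered only where the build needs it, so that a leak of that one file cannot be turned into a login on the machines the personal key opens.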
