Monday, November 27, 2017

Capistrano is failing because it cannot connect to remote git repository


I am trying to deploy using capistrano 3.x

I configured AgentForwarding in my ~/.ssh/config file:

    Host git-codecommit.*.amazonaws.com
      Hostname xxxx
      ForwardAgent yes
      IdentityFile /path/to/codecommit_rsa

I did the same thing for my server connection with ForwardAgent 'yes' also.

I verified my server allows agent forwarding in the /etc/ssh/sshd_config file also:

    AllowAgentForwarding yes

     INFO ----------------------------------------------------------------
     INFO START 2017-11-18 16:09:44 -0500 cap production deploy
     INFO ---------------------------------------------------------------------------
     INFO [b43ed70f] Running /usr/bin/env mkdir -p /tmp as deploy@50.116.2.15
    DEBUG [b43ed70f] Command: /usr/bin/env mkdir -p /tmp
     INFO [b43ed70f] Finished in 1.132 seconds with exit status 0 (successful).
    DEBUG Uploading /tmp/git-ssh-testapp-production-blankman.sh 0.0%
     INFO Uploading /tmp/git-ssh-testapp-production-blankman.sh 100.0%
     INFO [b1a90dc1] Running /usr/bin/env chmod 700 /tmp/git-ssh-testapp-production-blankman.sh as deploy@50.116.2.15
    DEBUG [b1a90dc1] Command: /usr/bin/env chmod 700 /tmp/git-ssh-testapp-production-blankman.sh
     INFO [b1a90dc1] Finished in 0.265 seconds with exit status 0 (successful).
     INFO [b323707d] Running /usr/bin/env git ls-remote ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/fuweb HEAD as deploy@50.116.2.15
    DEBUG [b323707d] Command: ( export GIT_ASKPASS="/bin/echo" GIT_SSH="/tmp/git-ssh-testapp-production-blankman.sh" ; /usr/bin/env git ls-remote ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/fuweb HEAD )
    DEBUG [b323707d]   Permission denied (publickey).
    DEBUG [b323707d]   fatal: Could not read from remote repository.

    Please make sure you have the correct access rights and the repository exists.

What am I missing here?

3 Answers

Answers 1

You need to make Capistrano aware that you expect it to forward your local key. This can be done by going into your project's config/deploy.rb and adding this line:

ssh_options[:forward_agent] = true 

IIRC, Capistrano executes commands remotely through SSHKit, so even if you invoke the ssh-agent and add a key locally, I can't say if it will persist for the next command.

Answers 2

As discussed in the comments, an SSH agent must run on the remote server as well as on the local machine that contains the key because the agents at each end need to cooperate to forward the key information. The agent (ssh-agent) is different from the SSH server (sshd). The server accepts connections, while the (otherwise optional) agent manages credentials.

Some systems start an agent automatically upon login. To check if this is the case, log in to the server and run:

$ env | grep SSH 

...looking for variables like SSH_AGENT_PID or SSH_AUTH_SOCK. If it isn't started, we can execute the following command to start the agent on the server:

$ eval "$(ssh-agent)" 

As we can see, this evaluates the output of the ssh-agent command because ssh-agent returns a script that sets some needed environment variables in the session.

We'll need to make sure the agent starts automatically upon login so that it doesn't interfere with the deploy process. If we checked and determined that the agent does not, in fact, start on login, we can add the last command to the "deploy" user's ~/.profile file (or ~/.bash_profile).

Note also that the host specified in the local ~/.ssh/config must match the name or IP address of the host that we want to forward credentials to, not the host that ultimately authenticates using the forwarded key. We need to change:

Host git-codecommit.*.amazonaws.com 

...to:

Host 50.116.2.15 

We can verify that the SSH client performs agent forwarding by checking the verbose output:

    $ ssh -v deploy@50.116.2.15
    ...
    debug1: Requesting authentication agent forwarding.
    ...

Of course, be sure to register any needed keys with the local agent by using ssh-add (this can also be done automatically when logging in as shown above). We can check which keys the agent loaded at any time with:

$ ssh-add -l 
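The host-matching point in this answer is the one most often missed: ssh decides which block applies by comparing the Host pattern against the name you typed on the command line (here 50.116.2.15), and for each option the first matching block wins, so a block written for git-codecommit.*.amazonaws.com never hands ForwardAgent to the deploy host. The Ruby script below is an added example, not code from the question or from either answer. It models that first-match rule for Host blocks only (no Match blocks) and runs it over the asker's original config, the corrected config, and a precedence case; the two config texts are constructed for the example, and the key path ~/.ssh/deploy_rsa is an assumed placeholder.

```ruby
# Added example: minimal model of how the OpenSSH client resolves
# ForwardAgent for a given host. Assumptions: only "Host" blocks
# (no "Match"), and the usual first-obtained-value-wins rule.

# Convert an ssh_config glob ("*" and "?") into an anchored Regexp.
def ssh_glob_to_regexp(pattern)
  escaped = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  /\A#{escaped}\z/i
end

# True when `host` (the name given on the command line, not the
# Hostname directive) satisfies a Host line's pattern list.
# A matching "!pattern" excludes the host regardless of other patterns.
def host_matches?(patterns, host)
  matched = false
  patterns.split.each do |pat|
    negated = pat.start_with?('!')
    next unless host.match?(ssh_glob_to_regexp(pat.delete_prefix('!')))
    return false if negated
    matched = true
  end
  matched
end

# Parse config text into [[patterns, {option => value}], ...].
# Options before the first Host line apply to every host.
def parse_ssh_config(text)
  blocks = [['*', {}]]
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, _, value = line.partition(/\s+/)
    if key.casecmp?('host')
      blocks << [value, {}]
    else
      blocks.last[1][key.downcase] ||= value # first value in a block wins
    end
  end
  blocks
end

# Walk blocks in file order; the first matching block that sets the
# option determines it, exactly as ssh does.
def effective_option(config_text, host, option)
  parse_ssh_config(config_text).each do |patterns, opts|
    next unless host_matches?(patterns, host)
    return opts[option.downcase] if opts.key?(option.downcase)
  end
  nil
end

def forward_agent?(config_text, host)
  effective_option(config_text, host, 'ForwardAgent').to_s.casecmp?('yes')
end

# Constructed from the question: the pattern names the git host,
# so the deploy host never gets ForwardAgent.
OP_CONFIG = <<~CFG
  Host git-codecommit.*.amazonaws.com
    Hostname xxxx
    ForwardAgent yes
    IdentityFile /path/to/codecommit_rsa
CFG

# Constructed corrected config; the key path is an assumed placeholder.
FIXED_CONFIG = <<~CFG
  Host 50.116.2.15
    ForwardAgent yes
    IdentityFile ~/.ssh/deploy_rsa
CFG

# Constructed precedence case: the specific block comes first, so the
# later "Host *" block cannot re-enable forwarding for the deploy host.
PRECEDENCE_CONFIG = <<~CFG
  Host 50.116.2.15
    ForwardAgent no
  Host *
    ForwardAgent yes
CFG

if __FILE__ == $PROGRAM_NAME
  [[OP_CONFIG, 'git-codecommit.us-east-1.amazonaws.com'], [OP_CONFIG, '50.116.2.15'],
   [FIXED_CONFIG, '50.116.2.15'], [PRECEDENCE_CONFIG, '50.116.2.15']].each do |cfg, host|
    puts "#{host}: ForwardAgent=#{forward_agent?(cfg, host)}"
  end
end
```

Run it with `ruby ssh_forward_check.rb`; the asker's config yields ForwardAgent only for the CodeCommit name and not for 50.116.2.15, which is why the remote git ls-remote fails with publickey. The precedence case is also the reason to keep `ForwardAgent yes` inside a block for the deploy host rather than under `Host *`: a forwarded agent socket can be used by anyone with root on the remote host to authenticate as you for as long as the session lasts, so it should be offered only to hosts that actually need it. In Capistrano 3 the deploy.rb setting that enables forwarding on the SSHKit side is `set :ssh_options, { forward_agent: true }`.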

Answers 3

This usually helps me:

    ssh-add -D
    ssh-agent
    ssh-add
