Capistrano error : could not connect to ssh-agent


Problem description

I'm using Bedrock with Capistrano deploys.
When I use command bundle exec cap staging deploy:check I get an authentication error :

...
D, [2015-05-09T15:39:53.878464 #15636] DEBUG -- net.ssh.authentication.session[1e34a58]: trying publickey
D, [2015-05-09T15:39:53.878464 #15636] DEBUG -- net.ssh.authentication.agent[1e30d2c]: connecting to ssh-agent
E, [2015-05-09T15:39:53.879447 #15636] ERROR -- net.ssh.authentication.agent[1e30d2c]: could not connect to ssh-agent
E, [2015-05-09T15:39:53.879447 #15636] ERROR -- net.ssh.authentication.session[1e34a58]: all authorization methods failed (tried publickey)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as deploy@SERVER_IP: Authentication failed for user deploy@SERVER_IP
Tasks: TOP => git:check => git:wrapper

Capistrano could not connect to ssh-agent on my server.

But I can log in on my server via SSH like this ssh deploy@SERVER_IP without password. I did all the instructions in Capistrano Authentication & Authorisation Docs page, so I can use command like me@localhost $ ssh deploy@one-of-my-servers.com 'hostname; uptime'.

If I enter command ssh -A deploy@SERVER_IP 'env | grep SSH_AUTH_SOCK' I get result

SSH_AUTH_SOCK=/tmp/ssh-UweQkw7578/agent.7578

Here is my deploy.rb file :

set :application, 'dyxovka-special'
set :repo_url, 'git@github.com:tanzoor/dyxovka-wp-theme.git'
set :branch, :master
set :tmp_dir, '~/tmp'
set :log_level, :info
set :linked_files, fetch(:linked_files, []).push('.env')
set :linked_dirs, fetch(:linked_dirs, []).push('web/app/uploads')

Here is my staging.rb file :

set :stage, :staging
set :deploy_to, -> { "/var/www/vhosts/project/dev" }
server 'SERVER_IP', user: 'deploy', roles: %w{web app}
set :ssh_options, {
  user: 'deploy',
  keys: %w('/c/Users/alexander/.ssh/id_rsa'),
  forward_agent: true,
  auth_methods: %w(publickey),
  verbose: :debug
}
fetch(:default_env).merge!(wp_env: :staging)

Apache's agent forwarding agent instruction is enabled in sshd_config file : AllowAgentForwarding yes

What should I do with my config files to make my deploy work?

Windows 8.1
Ruby 2.2.0
Capistrano 3.2.1
Git Bash

Solution

OK so I had the same issue, and I spent way too long working out exactly what is happening here, and the upshot is -

  • for Ruby on Windows, you must run Pageant, not ssh-agent, for Capistrano and agent forwarding to work - in fact pretty much any tool that uses the Ruby net-ssh library on Windows.

And I don't think that will change, at least not for a while.

Agent Forwarding

See An Illustrated Guide to SSH Agent Forwarding for more about agent forwarding, and how the key challenge ends back up on our workstation.

Terminology

  • workstation - the machine (Windows server/desktop/laptop) our SSH client software is running from, and, most importantly, our PKI private key is stored on (with or without a passphrase)

  • deployment node - the target of our Capistrano deployment task, most likely defined in the 'server' key in our config/deploy.rb, or config/deploy/.rb file

  • git repo - where we will pull the code from, first queried via "git ls-remote" - we will access this git repo via SSH, and the deployment node will use agent forwarding to pass the key challenge back to the workstation

  • SSH client software - how we reach out to sshd on remote servers, and which has access to our private key. Might be putty, an OpenSSH ssh client or the net-ssh library in Ruby.

Setup

I have a Windows 7 workstation box, with Git-Bash, and its OpenSSH ssh client, plus the script from Joe Reagle that sets up some environmental variables that say which port and pid the ssh-agent is operating on.

I also have Putty and Pageant, but I focussed, initially, on just the OpenSSH/Git-Bash tools.

I have set up passwordless ssh from the workstation to the deployment node, I have the ssh-agent running, I have my key added through ssh-add, and I have my public key registered as a read-only access key to the git repo.

Basics

So we are trying to use SSH agent forwarding to have Capistrano pull from our Git repo onto our deployment node.

Now we can test this all ourselves by setting up our public SSH key on the deployment node and using, say, the OpenSSH ssh client, to confirm we have passwordless ssh working. Then we can set up ssh-agent by

  1. starting ssh-agent and setting the SSH_AUTH_SOCK and SSH_AGENT_PID as required.
  2. adding our private key to the ssh-agent via ssh-add
  3. add our public key as an authorised key to the git repo
  4. ssh to the deployment node, and from there do a "git ls-remote git@" (or a ssh -T git@)

If everything is set up correctly, this will all work, and so we will think "ok I can do a 'cap deploy:check'" - and it will fail.

What Went Wrong

We will get an error

"Error reading response length from authentication socket"

Who is telling us this? It isn't immediately clear, but it

  • isn't the git repo

  • it isn't the git client on the deployment node

  • it isn't the sshd daemon on the deployment node, that wants to pass the key challenge back to the workstation.

It's the Ruby ssh client library on the workstation.

How do we know this

In the ssh_options hash in the deploy.rb file, we add the following : verbose: :debug

When we do this we see this message

  • Pageant not running.

Why is Capistrano trying to use Pageant instead of ssh-agent

When running via Capistrano, the ssh client is different to the one you used when verifying things by hand.

When verifying by hand, it was an OpenSSH ssh client. Now it is the net-ssh library in Ruby.

And on Windows, net-ssh has these lines

if Net::SSH::Authentication::PLATFORM == :win32
  require 'net/ssh/authentication/pageant'
end

or

case Net::SSH::Authentication::PLATFORM
when :java_win32
  require 'net/ssh/authentication/agent/java_pageant'
else
  require 'net/ssh/authentication/agent/socket'
end

So loading Pageant is hard-coded into net-ssh. It doesn't even try to see if you are running under a unix-like shell (like git-bash or cygwin), and to then use the unix-domain ssh-agent SSH_AUTH_SOCK.

At present net-ssh doesn't try to open a unix-domain named socket. In theory I think it could, through the UNIXSocket class in the stdlib. But I haven't experimented with that on a Windows machine yet.
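
An added example, not part of the original answer and not net-ssh's own code: a small Ruby preflight check that mirrors the platform branch quoted above and reports which agent a net-ssh based tool will talk to, and whether a running ssh-agent is being ignored. The function names and the platform detection rule are assumptions made for illustration.

```ruby
# Added example: mirrors the quoted platform branch; it does not call net-ssh.

# Assumption: approximates how net-ssh derives its PLATFORM symbol
# (Windows is detected through File::ALT_SEPARATOR, JRuby through RUBY_PLATFORM).
def detect_platform(alt_separator = File::ALT_SEPARATOR, ruby_platform = RUBY_PLATFORM)
  java = ruby_platform.include?('java')
  if alt_separator
    java ? :java_win32 : :win32
  else
    java ? :java : :unix
  end
end

# Agent backend selected by the require logic quoted in the answer.
def agent_backend(platform)
  case platform
  when :win32      then :pageant
  when :java_win32 then :java_pageant
  else                  :socket
  end
end

# Returns a list of findings; an empty list means nothing suspicious.
# socket_check is injectable so the logic can be exercised without a real agent.
def agent_preflight(platform, env, socket_check = ->(path) { File.socket?(path) })
  backend = agent_backend(platform)
  sock = env['SSH_AUTH_SOCK'].to_s
  findings = []
  if backend == :socket
    if sock.empty?
      findings << 'SSH_AUTH_SOCK is not set: no ssh-agent to connect to'
    elsif !socket_check.call(sock)
      findings << "SSH_AUTH_SOCK=#{sock} is not a socket: stale agent environment"
    end
  else
    findings << "backend is #{backend}: keys must be loaded in Pageant"
    findings << 'SSH_AUTH_SOCK is set but ignored: ssh-add keys are invisible' unless sock.empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  platform = detect_platform
  puts "platform=#{platform} backend=#{agent_backend(platform)}"
  agent_preflight(platform, ENV).each { |finding| puts "WARN: #{finding}" }
end
```

Run it from the same shell that runs `cap`; under Git Bash on Windows it reports the Pageant backend even when `ssh-add -l` lists keys.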
