
I'm having problems deploying with Capistrano using public key authentication. On Windows, I've configured it to start an SSH agent automatically when a terminal is opened.

Agent pid 4476
Enter passphrase for /c/Users/Lea/.ssh/id_rsa:
Identity added: /c/Users/Lea/.ssh/id_rsa (/c/Users/Lea/.ssh/id_rsa)

My id_rsa is in the authorized_keys file on the server, and I've been using it all along to connect with ssh lea@web.3.

My Capfile is as follows:

require 'rubygems'
require 'railsless-deploy'

# application name
set :application, "site.com"

# multi-stage deploy
task :production do
    set :branch, "master"
    set :app_environment, "production"
    role :web, "web.3", :primary => true
    set :deploy_to, "/var/www/vhosts/site/site.com/"
end

task :dev do
    # backtick output ends with a newline; without strip it is passed through
    # to git (the deploy log shows the SHA followed by \n)
    set :branch, `git rev-parse HEAD`.strip
    set :app_environment, "development"
    role :web, "web.3", :primary => true
    set :deploy_to, "/var/www/vhosts/site/dev.site.com/"
end

# deploys remotely on SSH using deploy only key
set :repository,  "git@bitbucket.org:us/site.git"
set :scm, :git
set :git_enable_submodules, 1
set :deploy_via, :remote_cache

# release configuration
set :use_sudo, false
set :keep_releases, 2
after "deploy:update", "deploy:cleanup"

# the web server user
set :user, "lea"

namespace :deploy do

    task :migrate do
        # do nothing
    end

    task :finalize_update, :except => { :no_release => true } do
        transaction do
            #run "chmod -R g+w #{release_path}"
            run "echo '#{app_environment}' > #{release_path}/ENVIRONMENT"
        end
    end

    task :restart, :except => { :no_release => true } do
        # don't need to restart
    end
end

When I run the deploy, it asks for my id_rsa passphrase again. Why does it ask when I already have ssh-agent running and have entered the passphrase?

Here is the log of the cap dev deploy command. You can see where it asks for my passphrase. Also note that when I ssh into the server, it starts an ssh-agent there too and loads a deployment_rsa key used for git (you can see those messages in the log).

$ cap dev deploy
DL is deprecated, please use Fiddle
  * 2013-09-12 13:19:30 executing `dev'
  * 2013-09-12 13:19:30 executing `deploy'
  * 2013-09-12 13:19:30 executing `deploy:update'
 ** transaction: start
  * 2013-09-12 13:19:30 executing `deploy:update_code'
    updating the cached checkout on all servers
  * executing "if [ -d /var/www/vhosts/site/dev.site.com/shared/cached-copy ]; then cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git fetch -q origin && git fetch --tags -q origin && git reset -q --hard 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE && git clean -q -d -x -f; else git clone -q git@bitbucket.org:us/ventek.git /var/www/vhosts/site/dev.site.com/shared/cached-copy && cd /var/www/vhosts/site/dev.site.com/shared/cached-copy && git checkout -q -b deploy 3309af4ac302a6c2dc46bcf36e877abbd8472988 && git submodule -q init && git submodule -q sync && export GIT_RECURSIVE=$([ ! \"`git --version`\" \\< \"git version 1.6.5\" ] && echo --recursive) && git submodule -q update --init $GIT_RECURSIVE; fi"
    servers: ["web.3"]
Enter passphrase for c:/Users/Lea/.ssh/id_rsa:
    [web.3] executing command
 ** [web.3 :: out] Agent pid 11336
 ** [web.3 :: err] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 2300ms
    copying the cached version to /var/www/vhosts/site/dev.site.com/releases/20130912191939
  * executing "cp -RPp /var/www/vhosts/site/dev.site.com/shared/cached-copy /var/www/vhosts/site/dev.site.com/releases/20130912191939 && (echo 3309af4ac302a6c2dc46bcf36e877abbd8472988\\\n > /var/www/vhosts/us/dev.site.com/releases/20130912191939/REVISION)"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11442
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 751ms
  * 2013-09-12 13:19:39 executing `deploy:finalize_update'
  * executing "echo 'development' > /var/www/vhosts/site/dev.site.com/releases/20130912191939/ENVIRONMENT"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11451
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 610ms
  * 2013-09-12 13:19:40 executing `deploy:create_symlink'
  * executing "rm -f /var/www/vhosts/site/dev.site.com/current && ln -s /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/site/dev.site.com/current"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11460
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 621ms
 ** transaction: commit
    triggering after callbacks for `deploy:update'
  * 2013-09-12 13:19:41 executing `deploy:cleanup'
  * executing "ls -xt /var/www/vhosts/site/dev.site.com/releases"
    servers: ["web.3"]
    [web.3] executing command
[err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 1186ms
 ** keeping 2 of 7 deployed releases
  * executing "rm -rf /var/www/vhosts/site/dev.site.com/releases/20130906181120 /var/www/vhosts/site/dev.site.com/releases/20130912185329 /var/www/vhosts/site/dev.site.com/releases/20130912185937 /var/www/vhosts/site/dev.site.com/releases/20130912191939 /var/www/vhosts/us/dev.site.com/releases/11469"
    servers: ["web.3"]
    [web.3] executing command
 ** [out :: web.3] Agent pid 11476
*** [err :: web.3] Identity added: /home/lea/.ssh/deployment_rsa (/home/lea/.ssh/deployment_rsa)
    command finished in 750ms

$ 

Now, my main problem isn't the passphrase. Every time I run capistrano, each deploy fails authentication 2 times. I see this in the ssh log on the server, but Capistrano gives no indication of it:

11:58:44 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2
11:58:56 web3 sshd[1134]: Failed password for lea from [ip] port 42421 ssh2

The server is running fail2ban, which blocks my IP (for 10 minutes) after 5 failed authentications, which means I get blocked after running capistrano 3 times. This is a huge, unacceptable problem and I have no idea why it's happening. Do you have any suggestions on how to fix this, or a workaround?

Thanks!


2 Answers


Step 1:

Do you really need a passphrase on your key? These days that risk is mitigated by full-disk encryption products or by using a truly encrypted USB stick. Less of a PITA, and still passes your security manager's best practices.

That said:

http://blog.blenderbox.com/2013/02/20/ssh-agent-forwarding-with-github/

Try adding

ssh_options[:forward_agent] = true

to the Capfile, not Deploy.rb

Answered 2013-09-27T19:13:23.070

I ended up solving this myself. I was being locked out of the server because Fail2ban was an old version.

When connecting over SSH, sshd does a reverse DNS lookup. The reverse DNS on my office internet connection was failing, and it printed an error in the /var/logs/secure log file.

Address x.x.x.x maps to server.domain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Fail2ban considered this a failed connection and blocked my IP because of it. It was never a problem when connecting manually, since it's rare, but when Capistrano makes several connections in a row it triggers it.

I used the information here: https://github.com/fail2ban/fail2ban/pull/64 to fix the problem by removing the regex from the fail2ban config file.

Answered 2013-10-02T23:30:50.843
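The mechanism the accepted answer describes, as an added example that is not part of the original post and not fail2ban's own code: a minimal fail2ban-style failure counter run over constructed sshd log lines, once with a filter that still counts the reverse-DNS "POSSIBLE BREAK-IN ATTEMPT" warning and once with that pattern removed. The regexes only approximate the shape of fail2ban's sshd filter and are an assumption; the IP addresses, hostnames and log lines are made up.

```ruby
# Added example, not code from the original post or from fail2ban itself.
# It demonstrates why a deploy client whose reverse DNS does not round-trip
# gets banned while the reverse-DNS warning is in the filter, and is left
# alone once that pattern is removed. The regexes approximate fail2ban's
# sshd filter (an assumption); the addresses and hostnames are constructed.

# fail2ban's <HOST> placeholder, expanded here as a named capture.
HOST = '(?<host>\d{1,3}(?:\.\d{1,3}){3})'.freeze

# Genuine authentication failure: should count toward a ban.
FAILED_PASSWORD = /Failed password for (?:invalid user )?\S+ from #{HOST} port \d+ ssh2/

# Reverse-DNS inconsistency: sshd logs this before authentication starts,
# so the line says nothing about whether the login succeeded.
REVERSE_DNS_WARNING = /Address #{HOST} maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!/

OLD_FILTER   = [FAILED_PASSWORD, REVERSE_DNS_WARNING].freeze
FIXED_FILTER = [FAILED_PASSWORD].freeze

# Count matching lines per host and return the hosts that reach maxretry,
# sorted. findtime is ignored: every sample line falls inside one window.
def banned_hosts(lines, filters, maxretry: 5)
  counts = Hash.new(0)
  lines.each do |line|
    filters.each do |re|
      next unless (m = re.match(line))
      counts[m[:host]] += 1
      break # a line counts once even if several patterns match it
    end
  end
  counts.select { |_host, n| n >= maxretry }.keys.sort
end

# Constructed sample log. 203.0.113.7 is the deploy client: one Capistrano
# run opens five SSH sessions, each of which logs the reverse-DNS warning
# and then authenticates successfully. 198.51.100.9 is a real brute-forcer.
DEPLOY_CLIENT_LINES = (1..5).flat_map do |i|
  [
    "Sep 12 13:19:3#{i} web3 sshd[11#{i}0]: Address 203.0.113.7 maps to office.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Sep 12 13:19:3#{i} web3 sshd[11#{i}0]: Accepted publickey for lea from 203.0.113.7 port 4242#{i} ssh2"
  ]
end

BRUTE_FORCE_LINES = (1..5).map do |i|
  "Sep 12 11:58:4#{i} web3 sshd[1134]: Failed password for root from 198.51.100.9 port 5000#{i} ssh2"
end

SAMPLE_LOG = (DEPLOY_CLIENT_LINES + BRUTE_FORCE_LINES).freeze

if __FILE__ == $PROGRAM_NAME
  puts "old filter bans:   #{banned_hosts(SAMPLE_LOG, OLD_FILTER).inspect}"
  puts "fixed filter bans: #{banned_hosts(SAMPLE_LOG, FIXED_FILTER).inspect}"
end
```

With the old filter both hosts reach five matches and are banned, even though the deploy client never failed a login; with the reverse-DNS pattern dropped, only the host that actually produced "Failed password" lines is banned. The same idea applies to any filter line that fires on a condition unrelated to authentication: before enabling a jail against a host that automation connects to repeatedly, check the filter's patterns against a successful session's log lines.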