Make Capistrano use SSH Key Forwarding

Posted Over 12 years ago. Visible to the public.

When deploying code with Capistrano (depending on your configuration) at some point Capistrano tries to check out code from your repository. In order to do so, Capistrano connects to your repository server from the application server you're deploying to with SSH. For this connection you can use two SSH keys:

  • the user's ~/.ssh/id_rsa [default]
  • the very same key you used for connecting to the application server - forwarded automatically to the git repository.

If you prefer the second way, add this to deploy.rb:

ssh_options[:forward_agent] = true

Warning

Agent forwarding should be enabled with caution. Users with the ability to bypass file permission on the remote host (e.g. the root user) can access the local agent through the forwarded connections. Its not possible to extract your key, but it would be possible to use your agent forwarding to connect to other hosts with your agent/identity.

Never enable SSH Agent forwarding globally in your ssh_config

Thomas Eisenbarth
makandra.de
Say thanks4
Last edit
Over 3 years ago
Kim Klotz
License
Source code in this card is licensed under the MIT License.

Related cards:

How to fix "Too many authentic authentication failures" with SSH and/or Capistrano

You are getting when connecting via SSH or deploying with Capistrano (which uses SSH):

Too many authentication failures for username

This is caused by having too many SSH keys added to your keyring or ssh-agent. Your ssh-agent will throw all...

Manage ssh keys with Keychain

Keychain helps you to manage ssh and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent pe...

Heads up: Deployment with newly generated SSH key (using ED25519) might fail

If you use a newer SSH key generated with the ED25519 algorithm instead of RSA (see Create a new SSH key pair), the deployment with Capistrano may fail with the following mes...

Force SSH client to use password authentication instead of public key

To test if you can connect to a host using password authentication and explicitly deny public key authentication:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

This also works for Secure Copy:

scp -o ...

Setting up Tomcat to use an existing OpenSSL certificate

This is for those who already own an SSL certificate (e.g. using it in the Apache HTTP Server) and need to feed it to a Tomcat application. The main issue is that you need to convert your OpenSSL certificate for Java to use it in its keystore.

Cr...

Workflow: How to use a key management service to encrypt passwords in the database

This is an extract from the linked article. It shows an approach on how to implement encrypted passwords with the AWS Key Management Service (KMS).

For most applications it's enough to use a hashed...

SSH: X-Forwarding

If you need to run a program on a remote machine (e.g. to your office PC) with a graphical UI (and you trust the remote machine), you can use SSH X-Forwarding. I sometimes use this to connect to a virtual machine installed on my...

Capistrano: Different usernames for each server

If you have different users for different servers, don't use set :user. Encode the username into the server definition instead:

server "username@servername.tld", :app, :web, :cron, :db, :primary => true

How to use the Capistrano 2 shell to execute commands on servers

Capistrano 2 brings the shell command which allows you to run commands on your deployment targets.
There is also invoke to run a command directly from your terminal.

Both commands allow running Capistrano tasks or shell commands, and scope to...

Find out your SSH key's fingerprint (e.g. to authenticate on GitHub)

If you want to know your public key's fingerprint, do this:

ssh-keygen -lf ~/.ssh/my.key.pub

This may be necessary to authenticate your key on GitHub because of [recent events](https://github.com/blog/1068-public-key-security-vulnerability-a...

Posted by Thomas Eisenbarth to makandra dev (2012-02-13 07:59)
This website uses short-lived cookies to improve usability.
or learn more