Unable to use agent-forwarded ssh key with capistrano and symfony2 bin/vendors install

We use ssh agent forwarding to deploy our Symfony2 projects on our servers. This works just fine and we have no problem running git clone etc. from GitHub using capistrano.

But for Symfony2 you need to run bin/vendors install to get the latest dependencies. The vendors script ( https://github.com/symfony/symfony-standard/blob/2.0/bin/vendors ) is a php script that executes "system()" commands such as git pull.

Capifony (an addon for capistrano and symfony) has a vendors task, and we slightly changed it to use try_sudo, which was necessary due to our own hosting platform. This works perfectly for the public https:// url from github:

try_sudo "sh -c 'cd #{latest_release} && #{php_bin} bin/vendors install'"

The problem we are facing is that when using the git@github.com format (necessary for some private repos, and when we want to change the packages and push the changes back), ssh-agent is not available, so our forwarded key is missing, and we get permission denied errors.

  • Switching to the https:// format sounds like an easy fix, but a private repo asks for a password.
  • Running ssh-agent in the system() command worked, but then the key still does not exist.

So I don't know what to look for next. Some way to pass the ssh-agent to the php vendors script maybe?

UPDATE

I found the answer: sudo resets all environment variables for security reasons, so you can never bind to the existing ssh agent.

At https://serverfault.com/questions/107187/sudo-su-username-while-keeping-ssh-key-forwarding I found the same problem and a solution. By adding Defaults env_keep += SSH_AUTH_SOCK to /etc/sudoers and then chmodding the agent socket so that the user you are sudoing to can access it, you can keep the ssh agent.

But please read that topic carefully, it is unsafe. The agent disconnects when you log out, so in our capistrano deployment sequence, combined with a server without untrusted users, I think this might be acceptable. If I'm not mistaken?
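As an added example (not code from the original post, from Capifony or from Symfony), a POSIX shell pre-flight for the env_keep approach above: one function checks that a sudoers file actually keeps SSH_AUTH_SOCK on an uncommented Defaults line, and another checks that the agent socket the deploy user will hand to sudo exists and is accessible, so a misconfiguration is caught before bin/vendors fails with a permission denied error. The sudoers fragments are constructed sample input; the file path argument and function names are assumptions.

```shell
#!/bin/sh
# Added example; not part of the original post, Capifony or Symfony.
# Pre-flight checks for forwarding an ssh agent through sudo via env_keep.

# Exit 0 when an uncommented "Defaults env_keep" line in the sudoers file
# given as $1 lists SSH_AUTH_SOCK (quoted or bare, "=" or "+="), i.e. the
# agent socket path survives sudo's env_reset.
sudoers_keeps_ssh_auth_sock() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*Defaults([:!>@][^[:space:]]+)?[[:space:]]+env_keep[[:space:]]*\+?=' \
        | grep -Eq '(^|[[:space:]"])SSH_AUTH_SOCK([[:space:]"]|$)'
}

# Exit 0 only when the socket path ($1, default $SSH_AUTH_SOCK) is set, is a
# Unix socket and is writable by the current user; otherwise the git clone
# over ssh run by bin/vendors would fail with "Permission denied (publickey)".
agent_socket_usable() {
    sock="${1:-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ] && [ -w "$sock" ]
}

# Constructed sample sudoers fragments so the script runs stand-alone.
tmp="${TMPDIR:-/tmp}/sudoers_example.$$"
printf '%s\n' 'Defaults env_reset' 'Defaults env_keep += "SSH_AUTH_SOCK"' > "$tmp.keep"
printf '%s\n' 'Defaults env_reset' '# Defaults env_keep += SSH_AUTH_SOCK' > "$tmp.drop"

if sudoers_keeps_ssh_auth_sock "$tmp.keep"; then echo "keep: SSH_AUTH_SOCK survives sudo"; fi
if ! sudoers_keeps_ssh_auth_sock "$tmp.drop"; then echo "drop: sudo will discard SSH_AUTH_SOCK"; fi
if ! agent_socket_usable ""; then echo "no usable agent socket in this environment"; fi
rm -f "$tmp.keep" "$tmp.drop"
```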


Source: https://habr.com/ru/post/1413985/
