Open charlieartist opened 2 years ago
Hi, I just opened an issue (https://github.com/capistrano/sshkit/issues/495) and then found yours - could you elaborate on updating Net-SSH manually? I wonder if it is related to my situation and would like to give it a try. I installed Capistrano in RVM, does that make a difference? My apologies if these are rookie questions - I rarely work with Ruby but try to utilize Capistrano more.
Capistrano uses net-ssh, and net-ssh has chosen not to include ed25519 support by default. To enable it, you have to install two additional gems, like this:
gem "bcrypt_pbkdf", require: false
gem "ed25519", require: false
If you don't do this, then net-ssh should helpfully print an error message when you try to connect using an ed25519 key:
net-ssh requires the following gems for ed25519 support:
* ed25519 (>= 1.2, < 2.0)
* bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/565 for more information
Is this the "having to update net-ssh manually" that you mentioned?
Since ed25519 is very common these days (as you pointed out), we could document this better in the Capistrano README, something I proposed in #1825. Would that be a good solution?
Thank you! Yes, that is what I meant. It looks like my issue is not related, however; I still receive the same output, and it does not show the useful error message you pointed out. But it was worth a try!
@mattbrictson It may also be good to give alternate instructions for users who aren't using gemfiles in projects, and aren't that well-versed in Ruby. Would something like this work?
gem install 'bcrypt_pbkdf:<2.0' 'ed25519:<2.0'
@charlieartist yes, that should work.
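An added example, not part of the thread and not code from net-ssh or Capistrano: a preflight check that applies the version constraints from the error message quoted above to the gems visible to the Ruby that runs it (the RVM or rbenv Ruby used for `cap`). The names `ED25519_DEPS`, `ed25519_gem_problems` and `installed_gem_versions` are assumptions made for this example.

```ruby
require "rubygems"

# Constraints copied from the net-ssh error message quoted in this thread.
ED25519_DEPS = [
  Gem::Dependency.new("ed25519", ">= 1.2", "< 2.0"),
  Gem::Dependency.new("bcrypt_pbkdf", ">= 1.0", "< 2.0"),
].freeze

# installed: hash of gem name => array of version strings.
# Returns one line per unmet requirement; an empty array means both gems
# are present in a version net-ssh accepts.
def ed25519_gem_problems(installed)
  ED25519_DEPS.filter_map do |dep|
    versions = Array(installed[dep.name]).map { |v| Gem::Version.new(v) }
    next if versions.any? { |v| dep.requirement.satisfied_by?(v) }

    found = versions.empty? ? "not installed" : "found #{versions.join(', ')}"
    "#{dep.name} (#{dep.requirement}): #{found}"
  end
end

# Versions of the two gems that the current Ruby can see.
def installed_gem_versions
  ED25519_DEPS.to_h do |dep|
    specs = Gem::Specification.find_all_by_name(dep.name)
    [dep.name, specs.map { |spec| spec.version.to_s }]
  end
end

if __FILE__ == $PROGRAM_NAME
  problems = ed25519_gem_problems(installed_gem_versions)
  if problems.empty?
    puts "ed25519 support gems OK"
  else
    puts "net-ssh cannot use ed25519 keys; unmet requirements:"
    problems.each { |line| puts "  * #{line}" }
  end
end
```

Run it with the same Ruby (and the same `bundle exec` prefix, if any) that you use to run `cap`, since each Ruby installation and gemset has its own set of installed gems.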
I think I've encountered an issue related to this. My server has an id_ed25519 key. When I try to deploy with cap production deploy I am seeing the following error:
#<Thread:0x0000000109077510 /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:10 run> terminated with exception (report_on_exception is true):
/Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:15:in `rescue in block (2 levels) in execute': Exception while executing as deploy@xxx.xx.xxx.xxx: Authentication failed for user deploy@xxx.xx.xxx.xxx (SSHKit::Runner::ExecuteError)
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:11:in `block (2 levels) in execute'
/Users/me/.rvm/gems/ruby-3.1.2/gems/net-ssh-6.1.0/lib/net/ssh.rb:268:in `start': Authentication failed for user deploy@xxx.xx.xxx.xxx (Net::SSH::AuthenticationFailed)
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/connection_pool.rb:63:in `call'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/connection_pool.rb:63:in `with'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/netssh.rb:177:in `with_ssh'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/netssh.rb:130:in `execute_command'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:148:in `block in create_command_and_execute'
from <internal:kernel>:90:in `tap'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:148:in `create_command_and_execute'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:61:in `test'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/capistrano-passenger-0.2.1/lib/capistrano/tasks/passenger.cap:43:in `block (3 levels) in <top (required)>'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:31:in `instance_exec'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:31:in `run'
from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as deploy@xxx.xx.xxx.xxx: Authentication failed for user deploy@xxx.xx.xxx.xxx
Caused by:
Net::SSH::AuthenticationFailed: Authentication failed for user deploy@xxx.xx.xxx.xxx
Tasks: TOP => rvm:hook => passenger:rvm:hook => passenger:test_which_passenger
I can't figure out why this is happening, but my guess is that it has something to do with OpenSSH and ed25519 encryption 🤔
Capistrano actually uses the net-ssh gem for SSH, not OpenSSH. Can you run irb to start a Ruby console and then test the following (substitute xxx.xx.xxx.xxx with your actual hostname)?
$ irb
>> require "net/ssh"
true
>> Net::SSH.start("xxx.xx.xxx.xxx", "deploy")
If you still get a Net::SSH::AuthenticationFailed exception, then this is probably a net-ssh issue and not a capistrano one.
Thanks, yes it seems to be a net-ssh problem in that case 🤔 I've raised an issue there.
I'm running into a similar error. But it's not attempting to use the key. I am being prompted for a password that is not accepted.
bundle exec cap production deploy:check
/Users/antarr/.rbenv/versions/3.0.1/lib/ruby/3.0.0/digest.rb:6: warning: already initialized constant Digest::REQUIRE_MUTEX
/Users/antarr/.rbenv/versions/3.0.1/lib/ruby/gems/3.0.0/gems/digest-3.1.0/lib/digest.rb:20: warning: previous definition of REQUIRE_MUTEX was here
ubuntu@myserver.com's password:
ubuntu@myserver.com's password:(Backtrace restricted to imported tasks)
cap aborted!
Interrupt:
set :ssh_options, {
  forward_agent: true,
  user: fetch(:user),
  keepalive: true,
  keys: %w(~/.ssh/id_rsa ~/.ssh/id_ed25519),
}
Since more web servers are moving toward a higher level of security, and OpenSSH updates are recommending the Ed25519 Algorithm, would it be a good idea if Capistrano allowed its use by default, instead of having to update Net-SSH manually?
Even GitHub is recommending this algorithm.