
Capistrano deployment fails when server ssh key has a passphrase

Deploying with Capistrano fails when I have a passphrase set for ssh keys on the remote server.

But it works when there is no passphrase set...

I would like to be able to input the password when deploying so that I can still use a passphrase on the server.

Error:

01 mkdir -p /tmp
01 <user>@<ip> 0.183s
Uploading /tmp/git-ssh-<app>-<env>-<me>.sh 100.0%
02 chmod 700 /tmp/git-ssh-<app>-<env>-<me>.sh
02 <user>@<ip> 0.178s
git:check

01 git ls-remote --heads git@github.com:<me>/<my-repo>.git
01 Permission denied (publickey).
01 fatal: Could not read from remote repository.
01
01 Please make sure you have the correct access rights
01 and the repository exists.

cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as <user>@<ip>: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

deploy.rb

lock '3.7.1'
set :application, '<app>'
set :repo_url, 'git@github.com:<me>/<app>.git'
set :user, '<user>'
set :scm_user, '<me>'
set :deploy_to, '/home/<user>/<app>'
set :scm, :git
set :branch, 'master'
append :linked_files, 'config/database.yml', 'config/secrets.yml'
append :linked_dirs, "log", "tmp/pids", "tmp/cache", "tmp/sockets", "vendor/bundle"

deploy/production.rb

server '<ip>', user: '<user>', roles: %w{app db web}

So I would like Capistrano to ask me for the password when deploying so that my server can use it to connect with github.

Is this possible?

tim_xyz asked Nov 30 '25 07:11


1 Answer

You can use SSH Agent Forwarding. So there's no need to enter a passphrase on the server.

This way you just preload your ssh key/s locally with ssh-add keyname_rsa and have them automatically forwarded to your host, then from your host to the GitHub servers as necessary.

So you only enter your passphrase once locally.

And the rest happens "automagically" during deployment. It's worth setting up.

From the docs:

1.2.1 SSH Agent Forwarding

As we’ve already set up an SSH agent, we can use the agent forwarding feature of SSH to make this key agent available to further hops. In short, we can use our own ssh key to authenticate ourselves from the server to Github.

CryptoPiggy answered Dec 02 '25 20:12
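
The agent-forwarding setup described in the answer above, as an added example (not code from the original post or from the Capistrano docs): deploy.rb additions that turn forwarding on and stop the deploy early when no key is loaded. The AgentPreflight module and the deploy:check_agent task are hypothetical names, and the Capistrano part is guarded so the file also loads outside Capistrano.

```ruby
# Added example, not from the original post. AgentPreflight and
# deploy:check_agent are hypothetical names.
require 'open3'

module AgentPreflight
  # Returns nil when a usable agent is present, else a reason string.
  # Exit codes of `ssh-add -l` per ssh-add(1): 0 = keys listed,
  # 1 = agent reachable but empty, 2 = agent not reachable.
  def self.problem(auth_sock, ssh_add_status)
    return 'SSH_AUTH_SOCK is not set (no ssh-agent in this shell)' if auth_sock.to_s.empty?

    case ssh_add_status
    when 0 then nil
    when 1 then 'agent holds no keys: run ssh-add and enter the passphrase'
    else 'cannot contact ssh-agent'
    end
  end

  # Runs `ssh-add -l` on the workstation and classifies the result.
  def self.local_problem
    _out, status = Open3.capture2e('ssh-add', '-l')
    problem(ENV['SSH_AUTH_SOCK'], status.exitstatus)
  rescue Errno::ENOENT
    'ssh-add not found on PATH'
  end
end

# Only evaluated when loaded by Capistrano (e.g. from config/deploy.rb).
if defined?(Capistrano::DSL)
  # Forward the local agent so git on the server can authenticate to GitHub.
  set :ssh_options, { forward_agent: true }

  namespace :deploy do
    desc 'Fail fast when no key is available through a forwarded agent'
    task :check_agent do
      problem = AgentPreflight.local_problem
      raise "agent forwarding unavailable: #{problem}" if problem

      on roles(:all) do
        # sshd sets SSH_AUTH_SOCK in the session when forwarding is granted.
        unless test('[ -n "$SSH_AUTH_SOCK" ]')
          raise 'server session has no forwarded agent (see AllowAgentForwarding)'
        end
      end
    end
  end

  before 'deploy:starting', 'deploy:check_agent'
end
```

While a deploy session is open, anyone with root on the server can use the forwarded agent socket, so forward only to hosts you trust.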