Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Capistrano 3.0 — How securely prompt for password now?

Prior to 3.0 there was a way to do that:

# ...
set :mysql_password, proc { Capistrano::CLI.password_prompt "Gimme remote database server password. Don't worry, I won't tell anyone: " }
# ...

namespace :db do
  desc 'Dump remote database'
  task :dump do
    run "mysqldump -u #{mysql_user} -p #{mysql_database} > ~/#{mysql_database}.sql" do |channel, stream, data|
      if data =~ /^Enter password:/
        channel.send_data "#{mysql_password}\n"
      end
    end
  end
end

It prompts for password, doesn't show it as you type and leaves no traces of it in the logs and the output.

Now, as of 3.0 the only way I have found:

# ...

namespace :db do
  desc 'Dump remote database'
  task :dump do
    ask :mysql_password, nil
    on roles(:db) do
      execute "mysqldump -u#{fetch :mysql_user} -p#{fetch :mysql_password} #{fetch :mysql_database} > ~/#{fetch :mysql_database}.sql"
    end
  end
end

It does the job but reveals password everywhere.

Have anyone found a secure way for password prompting in 3.0? Thanks!

like image 235
jibiel Avatar asked Dec 26 '13 19:12

jibiel


2 Answers

Currently, no, might be on the next minor version (3.2):

It would be helpful if ask() had an option to not echo input, similar to the previous Capistrano::CLI.password_prompt

...

Either way, it'll be a 3.2 thing.

like image 124
Uri Agassi Avatar answered Nov 03 '22 16:11

Uri Agassi


# Capistrano >= 3.3.3 supports `echo: false`
ask :password, 'default', echo: false
server 'server.domain.com', user: 'ssh_user_name', port: 22, password: fetch(:password), roles: %w{web app db}

[email protected]
— @mattbrictson, capistrano/capistrano

like image 37
jibiel Avatar answered Nov 03 '22 17:11

jibiel