Capistrano 3.0 — How securely prompt for password now?

Question

Prior to 3.0 there was a way to do that:

# ...
set :mysql_password, proc { Capistrano::CLI.password_prompt "Gimme remote database server password. Don't worry, I won't tell anyone: " }
# ...

namespace :db do
  desc 'Dump remote database'
  task :dump do
    run "mysqldump -u #{mysql_user} -p #{mysql_database} > ~/#{mysql_database}.sql" do |channel, stream, data|
      if data =~ /^Enter password:/
        channel.send_data "#{mysql_password}\n"
      end
    end
  end
end

It prompts for password, doesn't show it as you type and leaves no traces of it in the logs and the output.

Now, as of 3.0 the only way I have found:

# ...

namespace :db do
  desc 'Dump remote database'
  task :dump do
    ask :mysql_password, nil
    on roles(:db) do
      execute "mysqldump -u#{fetch :mysql_user} -p#{fetch :mysql_password} #{fetch :mysql_database} > ~/#{fetch :mysql_database}.sql"
    end
  end
end

It does the job but reveals password everywhere.

Have anyone found a secure way for password prompting in 3.0? Thanks!

Answer 1

Currently, no, might be on the next minor version (3.2):

It would be helpful if ask() had an option to not echo input, similar to the previous Capistrano::CLI.password_prompt

...

Either way, it'll be a 3.2 thing.

Answer 2

# Capistrano >= 3.3.3 supports `echo: false`
ask :password, 'default', echo: false
server 'server.domain.com', user: 'ssh_user_name', port: 22, password: fetch(:password), roles: %w{web app db}

— [email protected]
— @mattbrictson, capistrano/capistrano