git
Arman, 2017-09-23 12:52:36

How to do without passwords for git and ssh under Gulp?

Good day. I'll say in advance that maybe I chose the wrong tool, but for now I want to get by with what we already use.
I did the following for deployment on Gulp:

'use strict';
var gulp = require('gulp'),
    // ...
    fs = require('fs'),
    expandTilde = require('expand-tilde'),
    GulpSSH = require('gulp-ssh'),
    config = require('./gulp-config.json');

//...

// deploy
var gulpSSH = new GulpSSH({
    ignoreErrors: false,
    sshConfig: {
        host: 'host',
        port: 'port',
        username: 'username',
        privateKey: fs.readFileSync(expandTilde('~/.ssh/id_rsa')),
        passphrase: config.ssh.passphrase
    }
});

gulp.task('deploy', function () {
    return gulpSSH
        .shell([
            // leading spaces so the commands are not written to the shell history on the server
            ' cd /var/www/webiste',
            ' git pull https://' + config.git.username + ':' + config.git.password + '@bitbucket.org/username/project.git',
            ' composer install --prefer-dist --no-scripts --quiet',
            ' composer dump-autoload --optimize --no-dev --quiet',
            // ' php yii migrate', // todo: test!
            ' npm install',
            ' npm run prod'
        ], {filePath: 'deploy.log'})
        .pipe(gulp.dest('./gulp'));
});

./gulp-config.json
{
  "ssh": {
    "passphrase": "Пароль от ssh ключа"
  },
  "git": {
    "username": "Логин битбакета",
    "password": "Пароль битбакета"
  }
}

In fact, everything works, but the passwords are exposed on screen and in the logs.
1. The problem is the password for the ssh key (the passphrase). I tried everything, but without it it refuses to work, at least under macOS, and throws an error:
"Error: Encrypted private key detected, but no passphrase given"
Yes, the gulp-config.json file is in .gitignore and is not pushed to the repo, but still, store the password in clear text?
2. The login and password for the central repo.
Of course, you can make a key for the server and pull from Bitbucket with it, but it is more convenient to leave everything on a login/password pair. Here I see two ways:
- somehow pass git's request for a login and password through to the user, who then enters them himself (right now everyone enters their own)
- somehow set up "ForwardAgent yes" for SSH so that it can be used on the production/test server, and then somehow hand the key to git, i.e. git pull on the server would use the key of the user who logged in and ran the command.
If there are any other ideas or comments on the code, I will be glad to hear them.
Thanks in advance.

1 answer(s)
magazovski, 2017-09-28
@Arik

It is better to set up ssh agent forwarding to the server. A space before the command adds little to no security: anyone who has access to the server under the same user will be able to sniff all the commands that are entered. Git will pick up the agent itself if you pull over ssh: git pull git@bitbucket.org:username/project.git

sshConfig: {
    host: 'host',
    port: 'port',
    username: 'username',
    agent: process.env.SSH_AUTH_SOCK,   // socket of the local ssh-agent (key unlocked once with ssh-add)
    agentForward: true                  // let commands run on the server, including git, use that agent
}
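Putting the answer together with the asker's task, here is a deploy script in the shape of the question's gulpfile that keeps every secret out of gulp-config.json, the remote command line and deploy.log. This is an added example, not the asker's or the answerer's code: the key stays in the local ssh-agent (unlocked once with ssh-add, which is also what makes the "Encrypted private key detected" error go away), the agent is forwarded as in the answer, and the server pulls over SSH through it instead of an https URL with a password in it. The names TARGET, registerDeployTask and the helper functions are assumptions; gulp and gulp-ssh are injected so the file runs without them.

```javascript
'use strict';
// Added example: deploy with agent forwarding and no credentials anywhere on disk or on the wire.
// gulp / gulp-ssh are passed in by registerDeployTask (e.g. registerDeployTask(require('gulp'),
// require('gulp-ssh'), TARGET, process.env) from a real gulpfile). Uses the global WHATWG URL class.

// True when a remote URL carries a password (https://user:pass@host/...), i.e. something that
// would end up in shell history, `ps` output and deploy.log on the server.
function hasEmbeddedCredentials(remote) {
  try {
    return new URL(remote).password !== '';
  } catch (e) {
    return false; // scp-like syntax (git@host:path) has no scheme and no password field
  }
}

// Rewrite an https remote to its SSH form. Assumes the host's SSH user is "git", as it is for
// Bitbucket (the host in the question); non-https remotes pass through unchanged.
function toSshRemote(remote) {
  if (!/^https?:\/\//.test(remote)) return remote;
  const u = new URL(remote);
  return 'git@' + u.hostname + ':' + u.pathname.replace(/^\/+/, '');
}

// sshConfig for gulp-ssh (ssh2 connect options): agent socket instead of key file + passphrase.
function buildSshConfig(env, target) {
  if (!env.SSH_AUTH_SOCK) {
    throw new Error('SSH_AUTH_SOCK is not set: start ssh-agent and ssh-add your key first');
  }
  return {
    host: target.host,
    port: target.port || 22,
    username: target.username,
    agent: env.SSH_AUTH_SOCK, // local agent socket
    agentForward: true        // expose it to commands run on the server (git picks it up)
  };
}

// Remote shell commands. Refuses remotes with an embedded password, and drops the leading spaces
// from the question: they hide nothing from another user on the box, and once no secret is on
// the command line the history entry is harmless anyway.
function buildDeployCommands(siteDir, remote) {
  if (hasEmbeddedCredentials(remote)) {
    throw new Error('remote URL contains a password; use an SSH remote with agent forwarding');
  }
  return [
    'cd ' + siteDir,
    'git pull ' + toSshRemote(remote),
    'composer install --prefer-dist --no-scripts --quiet',
    'composer dump-autoload --optimize --no-dev --quiet',
    'npm install',
    'npm run prod'
  ];
}

// Same gulp-ssh calls as the question's task, fed by the secret-free config above.
function registerDeployTask(gulp, GulpSSH, target, env) {
  const gulpSSH = new GulpSSH({ ignoreErrors: false, sshConfig: buildSshConfig(env, target) });
  gulp.task('deploy', function () {
    return gulpSSH
      .shell(buildDeployCommands(target.siteDir, target.remote), { filePath: 'deploy.log' })
      .pipe(gulp.dest('./gulp'));
  });
}

// Constructed target (assumed values); in a real gulpfile this can live in a committed config,
// since it holds no secrets.
const TARGET = {
  host: 'host', port: 22, username: 'username',
  siteDir: '/var/www/website',
  remote: 'https://bitbucket.org/username/project.git'
};

if (typeof require !== 'undefined' && require.main === module) {
  // Show what would be sent to the server: no password, no passphrase, SSH remote.
  console.log(buildDeployCommands(TARGET.siteDir, TARGET.remote).join('\n'));
}
```

The deploy.log written by gulp-ssh now contains only command names and paths, so it can be kept or shipped to a log collector without a redaction step; the only thing left to protect is the local agent, which is why `agentForward` should be limited to servers you trust not to borrow the forwarded socket.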
