
I'm trying to automate the deployment of an SVN repository (with a web app) over multiple production servers, without installing any private key on the servers.

The SVN server is hosted on srv3, and the web app should be updated after each commit on srv3 and srv2, using an SVN post-commit hook.

I'm using these platforms and software:

  • Windows client
  • Debian server
  • PuTTY + Pageant
  • TortoiseSVN

The SSH agent forwarding is already working when I SSH to srv3 and SSH to srv2 right after:

    Using username "adrien".
    Authenticating with public key "adrien" from agent
    Linux srv3 4.9.78-xxxx-std-ipv6-64 #2 SMP Wed Jan 24 10:27:15 CET 2018 x86_64
    Debian GNU/Linux 9 (stretch)
    Linux srv3.xxx 4.9.78-xxxx-std-ipv6-64 #2 SMP Wed Jan 24 10:27:15 CET 2018 x86_64 GNU/Linux
    Server   : xxx
    IPv4     : xxx
    IPv6     : xxx
    Hostname : srv3.xxx
    Last login: Tue Sep 24 09:18:10 2019 from 80.245.26.124
    adrien@srv3:~$ ssh srv2
    Linux srv2 4.9.149-xxxx-std-ipv6-64 #539070 SMP Thu Jan 10 08:31:30 UTC 2019 x86_64
    Debian GNU/Linux 9 (stretch)
    Linux srv2 4.9.133-xxxx-std-ipv6-64 #413770 SMP Mon Oct 15 08:12:05 UTC 2018 x86_64 GNU/Linux
    Server   : xxx
    IPv4     : xxx
    IPv6     : xxx
    Hostname : srv2.xxx
    Last login: Tue Sep 24 06:35:09 2019 from xxx
    adrien@srv2:~$

The -v flag returns (I truncated the beginning):

    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: adrien
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: Authentication succeeded (publickey).
    Authenticated to srv2.fr0.fr ([176.31.123.129]:7227).
    debug1: channel 0: new [client-session]
    debug1: Requesting [email protected]
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: client_input_global_request: rtype [email protected] want_reply 0
    debug1: Requesting authentication agent forwarding.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8

However, when I make an SVN commit (the URL is svn+ssh://srv3/var/svn/xxx and srv3 is a PuTTY alias), the SSH agent forwarding is not working:

The hooks/post-commit file is:

    #!/bin/sh
    /usr/bin/ssh -A -v srv2 "svn update /var/www/xxx"

First try

I tried overriding the TortoiseSVN SSH client (to add the -A flag) without any luck:

Second try

I tried to manually define the SSH tunnel command in the TortoiseSVN config file:

    [tunnels]
    # I changed the SSH server to use a custom port
    ssh = C:\\Program Files\\PuTTY\\plink.exe -ssh -P xxxx -v -A

    C:\test>svn commit -m "test"
    Looking up host "srv3.xxx" for SSH connection
    Connecting to xxx port xxx
    We claim version: SSH-2.0-PuTTY_Release_0.72
    Remote version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
    Using SSH protocol version 2
    No GSSAPI security context available
    Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
    Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
    Host key fingerprint is:
    ssh-rsa 2048 20:9f:25:9a:36:6a:1d:2e:63:2b:01:82:16:53:86:d5
    Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
    Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
    Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
    Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
    Pageant is running. Requesting keys.
    Pageant has 1 SSH-2 keys
    Using username "adrien".
    Trying Pageant key #0
    Sending Pageant's response
    Authenticating with public key "adrien" from agent
    Access granted
    Opening main session channel
    Opened main channel
    Agent forwarding enabled
    Started a shell/command
    Sending        main.php
    Transmitting file data .done
    Committing transaction...
    Committed revision 28717.

    Warning: post-commit hook failed (exit code 255) with output:
    OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2q  20 Nov 2018
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: /etc/ssh/ssh_config line 56: Deprecated option "useroaming"
    debug1: /etc/ssh/ssh_config line 60: Applying options for srv*
    debug1: Connecting to srv2.xxx [xxx] port xxx.
    debug1: Connection established.
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/adrien/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u4
    debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to srv2.xxx:xxx as 'adrien'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:SSkilAGRvuD2YbreS/Hx249uhxOO/ql6QB1sqDZwW3o
    debug1: Host '[srv3.xxx]:xxx' is known and matches the ECDSA host key.
    debug1: Found key in /home/adrien/.ssh/known_hosts:1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/adrien/.ssh/id_rsa
    debug1: Trying private key: /home/adrien/.ssh/id_dsa
    debug1: Trying private key: /home/adrien/.ssh/id_ecdsa
    debug1: Trying private key: /home/adrien/.ssh/id_ed25519
    debug1: No more authentication methods to try.
    Permission denied (publickey).

2019-10-24: additional info

I added these commands to the post-commit hook:

    echo "*** whoami" >> /tmp/log
    whoami >> /tmp/log
    echo "*** printenv SSH_AUTH_SOCK" >> /tmp/log
    printenv SSH_AUTH_SOCK >> /tmp/log
    echo "*** ls -al /tmp/ssh-*" >> /tmp/log
    ls -al /tmp/ssh-* >> /tmp/log

The result is:

    *** whoami
    adrien
    *** printenv SSH_AUTH_SOCK
    *** ls -al /tmp/ssh-*
    total 8
    drwx------  2 adrien adrien 4096 Oct 24 07:37 .
    drwxrwxrwt 12 root   root   4096 Oct 24 07:37 ..
    srwxr-xr-x  1 adrien adrien    0 Oct 24 07:37 agent.31456

So, it looks like the agent socket is created but not defined in SSH_AUTH_SOCK!

2019-10-26: Third Try

I replaced the commands in the post-commit hook with instructions to start the ssh-agent:

    eval $(ssh-agent -s)
    ssh-add
    echo "*** whoami" >> /tmp/log
    whoami >> /tmp/log
    echo "*** printenv SSH_AUTH_SOCK" >> /tmp/log
    printenv SSH_AUTH_SOCK >> /tmp/log
    echo "*** ssh-add -l" >> /tmp/log
    ssh-add -l >> /tmp/log

Unfortunately, this is not working... SSH_AUTH_SOCK is now defined, but the agent still has no keys:

    *** whoami
    adrien
    *** printenv SSH_AUTH_SOCK
    /tmp/ssh-sZDW2KCwgdQ5/agent.21063
    *** ssh-add -l
    The agent has no identities.

ssh-add -l in a regular SSH session shows:

    2048 SHA256:GQu880UuPXT89G00Xv8JDNHl0BzEkLcY9Gxt/CHxCtw adrien (RSA)

I'm stuck here and don't know what to try next.
Any help would be appreciated!
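Subversion deliberately runs hook scripts with an empty environment, which is exactly what the 2019-10-24 log shows: the forwarded socket exists under /tmp/ssh-*/ but SSH_AUTH_SOCK is unset. The hook below, added here as an example and not part of the question or the answer, recovers the socket path at run time. It assumes a Linux host with /proc, that svnserve (started by sshd with agent forwarding on) is the hook's parent process and so still carries SSH_AUTH_SOCK in its own environment, and falls back to the newest agent socket owned by the committing user.

```shell
#!/bin/sh
# hooks/post-commit (added example). Subversion strips the environment of
# hooks, so the forwarded agent socket must be located explicitly.
# Assumptions: Linux /proc, svnserve is $PPID, srv2 and /var/www/xxx as in
# the question.

# Print the SSH_AUTH_SOCK value stored in a NUL-separated environ file
# (normally /proc/<pid>/environ); exit 1 if the file is unreadable or
# the variable is absent or empty.
agent_socket_from_environ() {
    [ -r "$1" ] || return 1
    sock=$(tr '\0' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1)
    [ -n "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Fallback: newest agent socket under "$1" that belongs to the current user
# (-O). With several concurrent sessions this may pick another of the same
# user's sockets, so the /proc lookup above is preferred.
newest_own_agent_socket() {
    best=""
    for s in "$1"/ssh-*/agent.*; do
        [ -e "$s" ] && [ -O "$s" ] || continue
        if [ -z "$best" ] || [ "$s" -nt "$best" ]; then best=$s; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

main() {
    SSH_AUTH_SOCK=$(agent_socket_from_environ "/proc/$PPID/environ") \
        || SSH_AUTH_SOCK=$(newest_own_agent_socket /tmp) \
        || { echo "post-commit: no forwarded agent socket for $(id -un)" >&2; exit 1; }
    export SSH_AUTH_SOCK
    # Fail early with a clear message instead of a remote "Permission denied".
    ssh-add -l >/dev/null 2>&1 \
        || { echo "post-commit: agent $SSH_AUTH_SOCK has no identities" >&2; exit 1; }
    exec /usr/bin/ssh -A srv2 "svn update /var/www/xxx"
}

# Deploy only when installed under the hook name; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in post-commit) main "$@" ;; esac
```

Subversion 1.8 and later can also hand variables to hooks through the repository's conf/hooks-env file, but the socket path changes with every session, so looking it up when the hook runs is the practical option.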

1 Answer

Add the code below to your ~/.bashrc file:
    SSH_ENV="$HOME/.ssh/environment"

    function start_agent {
        echo "Initialising SSH agent..."
        (umask 066; /usr/bin/ssh-agent > "${SSH_ENV}")
        . "${SSH_ENV}" > /dev/null
        # replace <YOUR_PRIVATE_KEY> with the name of your key file
        /usr/bin/ssh-add ~/.ssh/<YOUR_PRIVATE_KEY>;
    }

    # Source SSH settings, if applicable
    if [ -f "${SSH_ENV}" ]; then
        . "${SSH_ENV}" > /dev/null
        ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
            start_agent;
        }
    else
        start_agent;
    fi

Then run your svn+ssh commit again after logging out of and back into your terminal. This will use your ssh agent for ssh next time and confirm whether it works.

  • I tried but got an error on next login: -sh: /home/adrien/.bashrc: line 122: syntax error near unexpected token `;' -sh: /home/adrien/.bashrc: line 122: `/usr/bin/ssh-add ~/.ssh/<YOUR_PRIVATE_KEY>;' Commented Sep 27, 2019 at 9:15
  • I think I had to replace <YOUR_PRIVATE_KEY> with my private key path? But the goal of agent forwarding is to avoid installing my private key on the server. Commented Sep 27, 2019 at 9:20
