I have a rails app where a user can submit a form and it goes off and connects to a remote server via ssh to call a script. Eventually I plan to use delayed_job or something like that but I can't get it to work in production with even a simple test.

The odd thing is, Net::SSH works just fine from the console in production, but it fails with AuthenticationFailed when I submit the form in production. Both the console and the webapp work fine in development.

The error:

  Net::SSH::AuthenticationFailed (my_ssh_username):
    app/models/branch.rb:69:in `ssh_to_machine'
    app/controllers/branches_controller.rb:55:in `update'

Controller's update action:

  def update
    @branch = Branch.find(params[:id])
    if @branch.update_attributes(params[:branch])
      @branch.ssh_to_machine(@branch.hostname, @branch.user_name, @branch.command_to_run)
      redirect_to @branch, :notice  => "Update request now processing."
    else
      render :action => 'edit'
    end
  end

Method I'm calling, mostly copy/pasted from the Net::SSH api example:

  def ssh_to_machine(host_name, user_name, command_to_run)
    require 'net/ssh'
    Net::SSH.start(host_name, user_name, { :verbose => Logger::DEBUG, :keys => %w{ /home/www-data/.ssh/my_ssh_username_id_rsa }, :auth_methods => %w{ publickey } }) do |ssh|
      # capture all stderr and stdout output from a remote process
      output = ssh.exec!("hostname")

      # run multiple processes in parallel to completion
      ssh.exec command_to_run
      ssh.loop
    end
  end

I've tried it with and without :verbose, :keys, :auth_methods; being careful to restart apache each time, but in production it always works from the console (with RAILS_ENV=production exported before calling 'rails c') and never works from the webapp.

I would also welcome any recommendations on how to get enhanced logging when I do call it from the webapp - :verbose worked for me at the console but didn't add anything to my production.log.

wonderfulthunk
  • Does it work when you start the console with `rails c production`? – rdvdijk Sep 24 '11 at 09:22
  • Yes, thanks @rdvdijk, I just tried `rails c production` and it works fine. – wonderfulthunk Sep 26 '11 at 19:16
  • Just to clarify, "rails c production" and the SSH works fine from the production console, but it still fails from the production webapp. – wonderfulthunk Oct 26 '11 at 15:30
  • Could it be a firewall issue on the server? – rdvdijk Oct 26 '11 at 15:39
  • Not sure which server would have the firewall issue - the apache server running the rails app or the server that I'm ssh'ing into? Where the connection is between the same machines (apache -> ssh) and the only time it doesn't work is from the rails app running as a web page (but works when running the rails app from the console) I don't understand how a firewall could be related. – wonderfulthunk Oct 27 '11 at 16:54
  • Although this is turning into a forum-like discussion (not very suitable here on StackOverflow), one more question: Have you printed out the actual `@branch`-values you pass into `ssh_to_machine`? – rdvdijk Nov 07 '11 at 08:16

1 Answer

When you run it from the console, you're using your own account, right?

This is kinda bizarre, but my guess is that your production web app is running under an account that doesn't have read access to "/home/www-data/.ssh/my_ssh_username_id_rsa".

From your description it almost has to be a permissions issue of some sort.

David
  • When I run from the console I'm actually using the www-data account. I double checked the permissions, and /home/www-data/.ssh/my_ssh_username_id_rsa is -rw------- 1 www-data www-data. That seems to also confirm that if I was someone other than www-data when running at the console, I would have the opposite problem (not working at the console but working in production). I think it's just a weird "no shell access" permissions/security thing in rails that no one knows because no one is dumb enough (like me) to try directly running unix shell commands on the backend of their rails app. – wonderfulthunk May 22 '12 at 18:24
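A preflight check in the spirit of the answer's permissions guess, as an added example that is not part of the original posts: it records which account the process really runs as and whether that account can use the key, and passes Net::SSH's `:logger` option so the `:verbose` output lands in the application log. The function names are hypothetical, and in a Rails app the logger passed in is assumed to be `Rails.logger`.

```ruby
require 'etc'
require 'logger'

# Resolve a uid to a login name, falling back to the number when the uid
# has no passwd entry.
def account_name(uid)
  Etc.getpwuid(uid)&.name || uid.to_s
end

# Describe the identity of the current process and whether it can use the
# private key at key_path. :problems is empty when the key looks usable.
def ssh_key_preflight(key_path)
  report = {
    :euid_user => account_name(Process.euid),  # account the web worker runs as
    :home      => ENV['HOME'],                 # often differs from a login shell
    :agent     => ENV.key?('SSH_AUTH_SOCK'),   # a console may have an agent
    :key_path  => key_path,
    :problems  => []
  }
  unless File.exist?(key_path)
    report[:problems] << 'key file missing or parent directory not searchable'
    return report
  end
  st = File.stat(key_path)
  report[:owner] = account_name(st.uid)
  report[:mode]  = format('%04o', st.mode & 0o7777)
  report[:problems] << 'key not readable by this process' unless File.readable?(key_path)
  report[:problems] << 'key owned by a different user' unless st.uid == Process.euid
  report[:problems] << 'key accessible to group/other' unless (st.mode & 0o077).zero?
  report
end

# Log the preflight report, then build options for Net::SSH.start that send
# the library's debug output to the same logger.
def ssh_options_with_logging(key_path, logger)
  logger.info("ssh preflight: #{ssh_key_preflight(key_path).inspect}")
  { :keys => [key_path], :auth_methods => %w[publickey],
    :logger => logger, :verbose => Logger::DEBUG }
end

# Usage inside the model (hypothetical):
#   opts = ssh_options_with_logging('/home/www-data/.ssh/my_ssh_username_id_rsa', Rails.logger)
#   Net::SSH.start(host_name, user_name, opts) { |ssh| ... }
```

Comparing the logged report from a web request with the one from `rails c production` shows whether the two run with the same account, `HOME` and agent environment.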