fabric password

Question

Every time fabric runs, it asks for root password, can it be sent along same for automated proposes.

fab staging test

I would consider very carefully before adopting **any** strategy that involved storing passwords in plaintext - as environment vars, saved in scripts, even entered at the command line - much as I hate to contradict a luminary like A.M. (really, man, you've given me a **lot** of information over the years) - it lives in your command history and presents a security risk. — gomad, Sep 18 '13 at 08:58
gomad, you are absolutely right regarding the dangers of plaintext passwords. The keychain module helps to store passwords securely, see https://stackoverflow.com/a/53964682/258772 how to use it with Fabric 2. — mrts, Dec 29 '18 at 11:15

score 60 · Answer 1 · edited Nov 24 '11 at 04:29

60

I know you've asked about password but wouldn't it better to configure the system so that you can doing fabric (i.e. SSH) without password?

For this, on local machine do:

ssh-keygen and agree with all defaults (if you have no reasons do otherwise)
cat ~/.ssh/id_rsa.pub and copy that key

On remote machine:

mkdir ~/.ssh && chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys2 && chmod 600 ~/.ssh/authorized_keys2
Paste copied key into authorized_keys2

From now your remote machine “trusts” your local machine and allows logging it in without password. Handy.

edited Nov 24 '11 at 04:29

Gringo Suave

29,931
6
88
75

answered Feb 26 '10 at 10:29

nkrkv

7,030
4
28
36

9

use ssh-copy-id may be faster: ``ssh-copy-id`` Usage: /usr/bin/ssh-copy-id [-i [identity_file]] [user@]machine – HVNSweeting Jan 04 '13 at 10:45

score 51 · Accepted Answer · edited May 27 '15 at 16:59

51

fab -h will show you all the options, you can also read them here.

In particular, and I quote,

-p PASSWORD, --password=PASSWORD

Sets env.password to the given string; it will then be used as the default password when making SSH connections or calling the sudo program.

edited May 27 '15 at 16:59

Devin McGinty

15
4

answered Feb 26 '10 at 05:58

Alex Martelli

854,459
170
1,222
1,395

score 51 · Answer 3 · answered Apr 06 '11 at 14:40

You can also set passwords on a per host basis. It wasn't obvious to me, so here it goes for anyone looking for this:

from fabric import env
env.hosts = ['user1@host1:port1', 'user2@host2.port2']
env.passwords = {'user1@host1:port1': 'password1', 'user2@host2.port2': 'password2'}

Fabric caches used passwords in the env.passwords dictionary. It sets this cache using the full hosts string as key of that dictionary and the password as the value. If you set this dictionary yourself before executing any task, Fabric won't ask for them at all.

Note - you must include port 22 even if you didn't specify it in ``env.hosts``. Got me — GuySoft, Jul 17 '18 at 10:55

score 20 · Answer 4 · answered Dec 04 '18 at 16:53

20

It's also possible to set ssh password in connect_args

    conn = Connection(
    "{username}@{ip}:{port}".format(
        username=username,
        ip=ip,
        port=port,
    ),
    connect_kwargs={"password": password},
)

answered Dec 04 '18 at 16:53

mirhossein

682
7
16

1

Thanks. The `connect_kwargs.password` notation in the docs was confusing me. – ahogen Oct 21 '21 at 23:00

score 8 · Answer 5 · edited Jul 24 '17 at 15:42

8

Just to add for anyone who winds up here from a search, you can specify the -I option when running fab for it to prompt you for a default password to use. This way it won't be visible in your command history

example:

$ fab -I my_task
Initial value for env.password:

edited Jul 24 '17 at 15:42

gitaarik

42,736
12
98
105

answered Oct 16 '13 at 16:01

bennettaur

1,243
10
8

fahhem · Answer 6 · 2015-03-06T07:34:11.517

6

One way to do this without putting the password in the process list (commands show up in ps aux) is to put it in the fabfile.py like so:

from fabric.context_managers import env
env.password = 'PASSWORD'

Put that before anything that goes to the remote system and it won't ask for a password anymore.

edited Mar 06 '15 at 07:34

answered Mar 15 '11 at 21:23

fahhem

466
4
8

Just a note, this generates an error in the latest Fabric 1.5.3 and Paramiko 1.9.0. – Darryl Hebbes Mar 01 '13 at 11:51
Just remove the `from fabric import env` – Crazenezz Aug 25 '13 at 07:59
1

New package is context_managers, `from fabric.context_managers import env` – Steve Mayne Nov 03 '13 at 13:30

score 2 · Answer 7 · answered Dec 29 '18 at 11:58

It is possible to store the password securely in the operating system keyring service with the keyring module, the password can then be automatically retrieved and used in fabfile.py.

You first need to store the password in the keyring, for example using the Python shell:

>>> import keyring
>>> keyring.set_password('some-host', 'some-user', 'passwd')

Then you can use it in fabfile.py, for example with Fabric 2:

from fabric import task
import keyring

@task
def restart_apache(connection):
    connection.config.sudo.password = keyring.get_password(connection.host, 'some-user')
    connection.sudo('service apache2 restart')

score 0 · Answer 8 · answered Mar 23 '23 at 22:21

0

You can also pass a default password into a Connection or Group using connect_kwargs. For example:

group = ThreadingGroup(*servers, connect_kwargs={
  'password': getpass('SSH password: '),
})
group.run(command)

answered Mar 23 '23 at 22:21

hughes

5,595
3
39
55

fabric password

8 Answers8

Linked