Scap/Scap3 keyholder key

This page is currently a draft. More information and discussion about changes to this draft on the talk page.

Scap requires an SSH key to establish a connection with the target server. Scap looks for the SSH key file located in /etc/keyholder.d/${keyfile} on deploymentserver. Initially, Scap loads the configuration from scap.cfg. The scap.cfg file consists of sections with [section] as headers followed by name: value entries. The configuration object is populated with values from the global section and additional sections based on the fully qualified domain name of the local host.

Configuration values are loaded from a file placed at the default locations with the following hierarchy, sorted by override priority: [1]

• $(pwd)/scap/environments/<environment>/scap.cfg or
• $(pwd)/scap/scap.cfg (if no environment was specified) or
• /etc/scap.cfg (if use_global_config is true)

Format of scap.cfg:

[global]
ssh_user: user-deploy
git_repo: project/deployment
git_deploy_dir: /srv/deployment/
dsh_targets: project-targets
git_submodules: True
config_deploy: True
keyholder_key: ssh-key.pub

[server.hostname.cloud]
ssh_user: deploy-devtools
dsh_targets: devtools-targets

Scap performs the following actions to SSH on the target server:

1. Load Configuration: Scap considers scap.cfg and loads the provided parameters and their values.
2. Extract SSH User Details: By default, Scap uses getpass.getuser() method to fetch the host user_name and uses it as ssh_user. Additionally, it fetches ssh_user details from scap.cfg.
3. Find SSH Key: Scap uses the SSH key as a password to SSH on the target server. It locates the key file at the /etc/keyholder.d directory and searches for the value of the keyholder_key parameter mentioned in scap.cfg. If the keyholder_key parameter is not provided in scap.cfg, Scap will derive the key name from ssh_user mentioned in get_keyholder_key()

Error handling

In case the specified SSH key doesn't exist, Scap will throw an error "Unable to find keyholder key for ${keyname}" and tries to SSH without a key.

Testing scenarios for keyholder error

Test scenario 1: No SSH key in the keyfolder.d

{"name": "deploy", "msg": "Unable to find keyholder key for %s", "args": ["scap_deploy"], "levelno": 10, "filename": "cli.py", "exc_text": null, "lineno": 152, "funcName": "get_keyholder_key", "created": 1715803062.4578805, "msecs": 457.88049697875977, "relativeCreated": 1282.752513885498, "host": "deploy"}

Description: scap fails to find the keyholder key and attempts SSH without a key.

Tested with different key in keyholder.d

{"name": "deploy", "msg": "Unable to find keyholder key for %s", "args": ["scap_deploy"], "levelno": 10, "filename": "cli.py", "exc_text": null, "lineno": 152, "funcName": "get_keyholder_key", "created": 1715809119.1792183, "msecs": 179.21829223632812, "relativeCreated": 1296.0443496704102, "host": "deploy"}

Description: Even with a different key, scap searches for the specified key in scap.cfg, fails, and attempts SSH without a key.

Deleted keyholder_key parameter from /etc/scap.cfg:

• Output: Same as above.
• Description: scap looks for the key specified in the project's scap.cfg (e.g., phabricator), fails to find it, and attempts SSH without a key.

Removed keyholder_key parameter from project/scap.cfg:

• Output: Same as above.
• Description: scap defaults to key_safe_name based on ssh_user, fails to find it, and attempts SSH without a key.