From bbd0400132be13cef3971873ddfd6ca979cd244a Mon Sep 17 00:00:00 2001 From: Miguel Jacq Date: Tue, 17 Feb 2026 10:56:56 +1100 Subject: [PATCH] Add docs about --ask-key-passphrase and --ssh-key-passphrase-env --- src/content/_index.html | 2 +- src/content/docs.html | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/content/_index.html b/src/content/_index.html index 118773b..253e406 100644 --- a/src/content/_index.html +++ b/src/content/_index.html @@ -200,7 +200,7 @@ enroll single-shot \ --out ./ansible \ --fqdn myhost.example.com -
If you don't want/need sudo on the remote host, add --no-sudo (expect a less complete harvest).
+
If you don't want/need sudo on the remote host, add --no-sudo (expect a less complete harvest). For remote sudo prompts use --ask-become-pass/-K. If your SSH private key is encrypted, use --ask-key-passphrase (interactive) or --ssh-key-passphrase-env ENV_VAR (non-interactive/CI).
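Review bot: The replacement line in this `_index.html` hunk describes `--ask-key-passphrase` and `--ssh-key-passphrase-env` but omits the constraint that the two flags are mutually exclusive, which the `docs.html` part of this same patch states; suggest adding the same parenthetical here so the landing page and the docs page agree, e.g. "(the two flags are mutually exclusive)". It would also help to say explicitly that `ENV_VAR` is the name of an environment variable, not the passphrase itself, since passing the passphrase on the command line would expose it in `argv` and shell history, and that is presumably the reason the flag takes a name.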
diff --git a/src/content/docs.html b/src/content/docs.html index 55cd73c..494cc47 100644 --- a/src/content/docs.html +++ b/src/content/docs.html @@ -108,6 +108,7 @@ description: "How Enroll works: harvest, manifest, modes, and configuration."
  • In terms of safety measures: it doesn't traverse into symlinks, and it has an 'IgnorePolicy' that makes it ignore most binary files (except GPG binary keys used with apt) - though if you specify certain paths with --include-path and use --dangerous, it will skip some policy statements such as what types of content to ignore.
  • It will skip files that are too large, and it also currently has a hardcoded cap of the number of files that it will harvest (4000 for /etc, /usr/local/etc and /usr/local/bin, and 500 files per 'role'), to avoid unintentional 'runaway' situations.
  • If you are using the 'remote' mode to harvest, and your remote user requires a password for sudo, you can pass in --ask-become-pass (or -K) and it will prompt for the password. If you forget, and remote requires password for sudo, it'll still fall back to prompting for a password, but will be a bit slower to do so.
  • +
  • If your SSH private key is encrypted, use --ask-key-passphrase to prompt up-front, or --ssh-key-passphrase-env ENV_VAR for non-interactive/CI runs. If neither is provided and Enroll detects an encrypted key in an interactive session, it will prompt on-demand. (The two key-passphrase flags are mutually exclusive.)
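Review bot: The added bullet only documents the behaviour when neither flag is given in an interactive session ("it will prompt on-demand"); it does not say what Enroll does in a non-interactive session with an encrypted key and no flag, nor what happens when the variable named by `--ssh-key-passphrase-env` is unset or empty. Suggest adding a sentence covering those cases (for example whether the run fails early with a clear error rather than hanging on a hidden prompt), since the CI scenario is the one this flag is being added for.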
  • @@ -186,7 +187,15 @@ description: "How Enroll works: harvest, manifest, modes, and configuration." $ enroll single-shot --remote-host myhost.example.com --remote-user myuser \ --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible \ - --fqdn myhost.example.com + --fqdn myhost.example.com + +# Encrypted SSH key examples: +$ enroll harvest --remote-host myhost.example.com --remote-user myuser \ + --ask-key-passphrase --out /tmp/enroll-harvest + +$ export ENROLL_SSH_KEY_PASSPHRASE='correct horse battery staple' +$ enroll harvest --remote-host myhost.example.com --remote-user myuser \ + --ssh-key-passphrase-env ENROLL_SSH_KEY_PASSPHRASE --out /tmp/enroll-harvest
    Tip
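Review bot: The non-interactive example in this hunk, `$ export ENROLL_SSH_KEY_PASSPHRASE='correct horse battery staple'`, shows the passphrase being typed at an interactive shell, which records it in shell history and exposes it to every child process of that shell; since the flag is documented as the CI option, suggest adding a note beside the example that in CI the variable should be injected from the pipeline's secret mechanism rather than exported by hand, and that anyone trying it locally should avoid leaving the value in history. Minor: the new examples use `enroll harvest` while the preceding example uses `enroll single-shot`; either is fine, but a one-line lead-in saying the flags apply to both would avoid readers wondering whether `single-shot` supports them.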
    @@ -194,6 +203,8 @@ description: "How Enroll works: harvest, manifest, modes, and configuration."
    If your remote user requires a password for sudo, pass --ask-become-pass or -K and you'll be prompted to enter the password. If you forget, Enroll will still prompt for the password if it detects it's needed, but will be slightly slower to do so.

    +
    If your SSH private key is encrypted, use --ask-key-passphrase to prompt up-front. For non-interactive/CI runs, use --ssh-key-passphrase-env ENV_VAR. If neither is set and Enroll detects an encrypted key in an interactive session, it'll still prompt on-demand.
    +
    If your remote host requires additional SSH configuration that you've defined in your ~/.ssh/config, pass --remote-ssh-config ~/.ssh/config. Enroll will understand how to translate the Host alias, IdentityFile, ProxyCommand, ConnectTimeout and AddressFamily values. You must still pass a value for --remote-host that matches the Host value of the entry in the SSH config file.
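Review bot: The new Tip paragraph in this hunk repeats the bullet added earlier in `docs.html` almost verbatim but drops the "mutually exclusive" statement; suggest either adding "(the two flags cannot be combined)" here as well or trimming the Tip to a short cross-reference so the two copies cannot drift apart in later edits. The sentence "it'll still prompt on-demand" would also benefit from the same non-interactive caveat as the bullet, i.e. that with neither flag set and no TTY there is nothing to prompt on.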