I can add pem files to my SSH agent very easily using ssh-add, like so:
$ ssh-add /home/jsmith/keys/mytest.pem
But I can't seem to remove them:
$ ssh-add -d /home/jsmith/keys/mytest.pem
Bad key file /home/jsmith/keys/mytest.pem: No such file or directory
The pem file still exists though... I haven't moved or changed it in any way. Why am I having so much trouble removing this pem file from my SSH agent that I just added a moment ago? What's the correct way to do this?
I want to avoid using ssh-add -D (with a capital "D") because that would delete all of the identities from my SSH agent, and I only want to delete the one I've specified.
You have to use the public key for this. So first extract the public key and then remove it from the agent.
ssh-keygen -y -f /home/jsmith/keys/mytest.pem > /home/jsmith/keys/mytest.pub
ssh-add -d /home/jsmith/keys/mytest.pub
The man page mentions the "public" key as well: "if no public key is found at a given path, ssh-add will append .pub and retry".
The best alternative I've found is to re-add the same file but with a life-time of 1 second:
ssh-add -t 1 myfile.pem
It is easier to remember than extracting the public key.
If you know the comment associated with the key you can simply get the public key from the agent and pipe it back in to delete it.
ssh-add -L | grep -F 'test#example.com' | ssh-add -d -
I would like run deploy script with gitlab-ci, but step ssh-add $SSH_PRIVATE_KEY return an error :
echo "$SSH_PRIVATE_KEY" | ssh-add -
Error loading key "(stdin)": invalid format
You can see my .gitlab-ci.yml :
deploy:
image: node:9.11.1-alpine
stage: deploy
before_script:
# Install ssh-agent if not already installed, it is required by Docker.
# (change apt-get to yum if you use a CentOS-based image)
- 'which ssh-agent || ( apk add --update openssh )'
# Add bash
- apk add --update bash
# Add git
- apk add --update git
# Run ssh-agent (inside the build environment)
- eval $(ssh-agent -s)
# Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
- echo "$SSH_PRIVATE_KEY"
- echo "$SSH_PRIVATE_KEY" | ssh-add -
# For Docker builds disable host key checking. Be aware that by adding that
# you are suspectible to man-in-the-middle attacks.
# WARNING: Use this only with the Docker executor, if you use it with shell
# you will overwrite your user's SSH config.
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# In order to properly check the server's host key, assuming you created the
# SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
# instead.
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
script:
- npm i -g pm2
- pm2 deploy ecosystem.config.js production
# only:
# - master
On my project setting, i've been add SSH_PRIVATE_KEY variable, with the id_rsa from my production server cat ~/.ssh/id_rsa.pub.
Anyone can help me ?
In my case, it was because I had made my SSH_PRIVATE_KEY variable protected. When I disabled the Protected state, it worked without any error.
In my case I had to put a new line at the end of the SSH_PRIVATE_KEY variable
I made a stupid mistake and added the key without -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- clauses.
Summing up, you should add:
-----BEGIN RSA PRIVATE KEY-----
<< the key itself goes here >>
-----END RSA PRIVATE KEY-----
Also, ensure the newline after the closing is present.
for all people reaching this post not finding a solution yet.
Try to make the branch protected, because its a must for protected variables.
Protected: Only exposed to protected branches or protected tags.
Add a CI/CD variable to a project
It works with variable expansion (curly brackets in double string quotation):
- echo "${SSH_PRIVATE_KEY}" | ssh-add -
While keeping the SSH_PRIVATE_KEY variable protected!
This approach is simply a less ambiguous method for printing variables; in this case it prevents trimming of the last line break.
Make sure that the newline after the end of the file variable is present. If not, the following error would have appeared:
Load key "/home/.../....tmp/ID_RSA": invalid format
[MASKED]#...: Permission denied (publickey).
The ID_RSA was my file variable in this example.
It is the SSH public key in ~/.ssh/id_rsa.pub by default.
The private key is contained in ~/.ssh/id_rsa
If you export key from PuTTYgen, to get key content use its command Conversations - Export OpenSSH key (force new file format)
And trim last spaces and add new line.
You must copy the entire contents of the file(id_rsa), including the final blank line. I solve the problem this way.
I got it working with a protected variable.
If the variable is file, echo won't work anymore:
cat "$SSH_PRIVATE_KEY" | ssh-add -
Otherwise; if variable is NOT file, use the following:
echo "$SSH_PRIVATE_KEY" | ssh-add -
I had this issue on gitlab and bitbucket, both were solved adding a \n by the end of the key file.
echo $'' >> ~/.ssh/id_rsa
In my case, it was because I had made my SSH_PRIVATE_KEY variable available in a specific enviroment. I changed it to the one I was using (or you can change it to All, depending on your setup).
it possible you didn't copy the content of the public key to the authorized_keys
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
I had the same problem and after spending some hours trying to understand what was wrong I found that my private key was encrypted (and my computer had the password in cache for so long that I had forgotten that it was encrypted). It's not so easy to understand if it's encrypted or not by just looking at the key.
You should decrypt the key (set an empty password) and then paste it on a GitLab variable. Then in your .gitlab-ci.yml you can have a similar configuration:
before_script:
- 'which ssh-agent || ( apt-get install -qq openssh-client )'
- mkdir -p ~/.ssh
- touch ~/.ssh/id_rsa
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- echo -e "Host *\nStrictHostKeyChecking no\n" > ~/.ssh/config
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
*** Note that if you don't want to write the key in a file, you can just put it inside the ssh agent with:
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
*** Note 2: In the Gitlab panel, make sure you have created a variable (and not a file); normally, it should be protected if you want to make it visible in the main branch.
*** Important: For security reasons change the following line:
- echo -e "Host *\nStrictHostKeyChecking no\n" > ~/.ssh/config
putting only your host/s (and don't permit all connections like this).
If you put:
StrictHostKeyChecking no
when connecting to any host, the ssh-agent will not check the signature and this can be a big vulnerability!
In my case, the stupid me was using inconsistent variable name.
I defined SSH_PRIVATE_KEY in GitLab's variables and was using OWNER_PRIVATE_KEY in .gitlab-ci.yml.
That's why I hate working straight after lunch..
What worked for me was to put '\n' on every line break and storing the key as ONE LINE in my variables and then using '-e' switch in echo:
echo -e $SECRET_KEY > key.pem
This worked and it also helped me to add the identity to ssh-add directly like this:
echo -e "$SSH_PRIVATE_KEY" | ssh-add -
hope this helps someone.
Use
SSH_PRIVATE_KEY: |
-----BEGIN OPENSSH PRIVATE KEY-----
instead of
SSH_PRIVATE_KEY: >
-----BEGIN OPENSSH PRIVATE KEY-----
'|' would save the line break '\n'
I am very new to bash scripting and learning on my own.
So, I am writing a simple script to add pass phrase to ssh-agent.
So I do:
#!/bin/bash
echo "Type your passphrase(followed by ENTER)"
read -s pass
echo ${pass}
ssh-agent bash
Now this is where I am confused.
Next, I want to enter the command ssh-add ~/.ssh/id_rsa that takes the input from read and executes itself.
How do I do that?
So the echo $pass was just to verify if the read was successful. That will be removed and has no meaning here. I just want to simplify the steps of doind this daily:
ssh-agent bash
ssh-add ~/.ssh/id_rsa
(Asks for pass phrase)
I would like to run this script where it directly asks for passphrase, which will be taken as variabe "pass" & it executes both commands for me.
ssh-agent bash
ssh-add ~/.ssh/id_rsa
The travis website seems to say:
But when I try to do that
sudo: required
language: node_js
node_js:
- '5'
after_success:
- cat deploy_key.pem
- eval "$(ssh-agent -s)"
- chmod 600 deploy_key.pem
- ssh-add deploy_key.pem
before_install:
- openssl aes-256-cbc -K $encrypted_3dd6b0b56dad_key -iv $encrypted_3dd6b0b56dad_iv
-in deploy_key.pem.enc -out deploy_key.pem -d
I get
$ cat deploy_key.pem
$ eval "$(ssh-agent -s)"
Agent pid 3716
$ chmod 600 deploy_key.pem
$ ssh-add deploy_key.pem
Enter passphrase for deploy_key.pem:
Is there some better way to do this? My end goal is just to push a my Docker container to my Digital Ocean server once the build passes
it is because when you create the key pair you entered something (if you enter a passphrase, you will be asked to input it later, just as you mentioned).
you can try to create another key pair without entering any passphrase, just tap enter until the key pair created.
This is my code:
ssh-keygen -t rsa -C "$APP"
This works perfectly. However it then asks me to specify location and password. I was hoping I can automate this all in one go, however this command fails:
ssh-keygen -t rsa -C "$APP" -P "$SSHKEYPASS" -T ~/.ssh/id_rsa.pub
This command seems to fail though, when I specify the password I want for the key and location in the same line. I don't really understand the man page:
http://linux.die.net/man/1/ssh-keygen
Can anyone tell me where I have gone wrong?
-P is for the old passphrase, to create a key I assume you want -N for the new passphrase.
-T is for DH group test output it appears (not that I know what that is exactly).
You want -f to specify the key filename. And you specify the private key file not the public key file.
So try:
ssh-keygen -t rsa -C "$APP" -N "$SSHKEYPASS" -f ~/.ssh/id_rsa