How to do a custom deploy using ssh with Travis CI? - linux

The travis website seems to say:
But when I try to do that
sudo: required
language: node_js
node_js:
- '5'
after_success:
- cat deploy_key.pem   # prints the decrypted private key into the build log (public on open-source Travis projects)
- eval "$(ssh-agent -s)"
- chmod 600 deploy_key.pem
- ssh-add deploy_key.pem
before_install:
- openssl aes-256-cbc -K $encrypted_3dd6b0b56dad_key -iv $encrypted_3dd6b0b56dad_iv -in deploy_key.pem.enc -out deploy_key.pem -d
I get
$ cat deploy_key.pem
$ eval "$(ssh-agent -s)"
Agent pid 3716
$ chmod 600 deploy_key.pem
$ ssh-add deploy_key.pem
Enter passphrase for deploy_key.pem:
Is there some better way to do this? My end goal is just to push my Docker container to my Digital Ocean server once the build passes.

It is because when you created the key pair you entered something (if you enter a passphrase, you will be asked to input it later, just as you mentioned).
You can try to create another key pair without entering any passphrase: just press Enter until the key pair is created.

Related

ssh-add on command argument to su

I want to start a docker container that adds an ssh key at startup:
My entrypoint looks like this:
#!/bin/bash
set -e
service ssh start
su anotherUser -s /bin/bash -c "eval \"$(ssh-agent)\" && ssh-add /Keys/id_rsa"
I've seen many posts that use sudo, but I do not have sudo available. I've found this solution but at startup it shows me:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Agent pid 36
Error connecting to agent: Permission denied
But when I execute the same lines at the prompt everything is ok:
xxx# su anotherUser
anotherUser@xxx:~$ eval $(ssh-agent)
Agent pid 47
anotherUser@xxx:~$ ssh-add /keys/id_rsa
Identity added: /keys/id_rsa (yyy@yyy-HP-EliteBook-850-G4)
You are running ssh-agent before su runs. The $ needs to be escaped so that the literal command substitution is passed to bash for execution.
su anotherUser -s /bin/bash -c 'eval $(ssh-agent) && ssh-add /Keys/id_rsa'
(Untested; probably needs more details about how the container is run and why ssh-add needs to be run as a different user.)
It may be simpler, though, to run your entry point with ssh-agent. For example,
# In the Dockerfile...
ENTRYPOINT ["ssh-agent", "entry.sh"]
Inside entry.sh, your environment will already have access to the agent.
#!/bin/bash
set -e
service ssh start
su anotherUser -s /bin/bash -c 'ssh-add /Keys/id_rsa'   # -s takes a shell; the command goes after -c

How can I transfer files to a host and pass password to it

I'm trying to copy some files from gitlab ci to my host. I'm currently using openssh-client with scp but it's throwing an error:
user@ip: Permission denied (publickey,password).
I don't know how to pass the password to the script.
Here's my .gitlab-ci.yml file:
image: node:9.6.1
cache:
paths:
- node_modules/
- build/
- docker-compose.yml
- Dockerfile
- nginx.conf
stages:
- build
- dockerize
build-stage:
stage: build
script:
- npm install
- CI=false npm run build
artifacts:
untracked: true
paths:
- build/
- docker-compose.yml
- nginx.conf
dockerize-stage:
stage: dockerize
image: tmaier/docker-compose:latest
services:
- docker:dind
dependencies:
- build-stage
tags:
- docker
script:
- apk update
- apk add --no-cache openssh-client
- mkdir ~/.ssh
- eval $(ssh-agent -s)
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
- echo "${USER_PASS}" || ssh-add -   # '||' runs ssh-add only if echo fails, and ssh-add expects a private key on stdin, not a password
- ssh -p22 user@ip "mkdir /home/test"
- scp -P22 -r build/* user@ip:/home/test
While this is the output from gitlab ci:
$ apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
v3.8.4-9-g931e9aefbb [http://dl-cdn.alpinelinux.org/alpine/v3.8/main]
v3.8.4-4-gc27a9a0149 [http://dl-cdn.alpinelinux.org/alpine/v3.8/community]
OK: 9550 distinct packages available
$ apk add --no-cache openssh-client
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
(1/2) Installing openssh-keygen (7.7_p1-r4)
(2/2) Installing openssh-client (7.7_p1-r4)
Executing busybox-1.28.4-r1.trigger
OK: 67 MiB in 28 packages
$ mkdir ~/.ssh
$ eval $(ssh-agent -s)
Agent pid 20
$ [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ echo "${USER_PASS}" || ssh-add -
"IT SHOWS THE PASSWORD"
$ ssh -p22 user@ip "mkdir /home/test"
Warning: Permanently added 'ip' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user@ip: Permission denied (publickey,password).
I don't know if I need to add a public key too or only the password. And if so, how can I do it?
Or is there any other way to send files to another server by providing a password?
Add your password to a GitLab secret variable, for example DEPLOY_SSH_PASSWORD (somewhere in the settings of the project), and use it:
sshpass -p $DEPLOY_SSH_PASSWORD ssh user@ip
But I suggest you use private keys; it is more secure.
Add your private key to a GitLab secret variable, for example DEPLOY_SSH_KEY, and copy the private key to a temporary file on the runner:
- echo "$DEPLOY_SSH_KEY" > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa   # ssh refuses a key file that is readable by other users
And just use it:
- ssh -i ~/.ssh/id_rsa user@ip
You need to have the private key of the server
scp -C -i <path to your private key> -r <source_directory> username@ip:<target_directory>
If you just want to ssh:
ssh -i <path to your private key> username@ip
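As an added example for this question (not code from either answer above), here is a POSIX sh helper a GitLab job can source from before_script. It does what the second answer recommends, a private key taken from a CI variable, and fixes two things the posted job gets wrong: it pins the server's host key instead of writing `StrictHostKeyChecking no` for every host, and it tells ssh to fail instead of falling back to a password prompt. The variable names DEPLOY_SSH_KEY, DEPLOY_SSH_KNOWN_HOST, DEPLOY_HOST and DEPLOY_USER, the `deploy` host alias and the deploy_key file name are this example's own assumptions.

```shell
#!/bin/sh
# Added example for the GitLab deploy question; not code from the original
# answers. Sourced from before_script, it installs a deploy key from a CI
# variable, pins the server's host key, and scopes the ssh settings to one
# alias instead of "Host *" with StrictHostKeyChecking no.
# Assumed CI/CD variables (names chosen for this example):
#   DEPLOY_SSH_KEY         private key, every line from BEGIN to END, no passphrase
#   DEPLOY_SSH_KNOWN_HOST  one known_hosts line, captured once with
#                          ssh-keyscan -t ed25519 HOST and stored as a variable
#   DEPLOY_HOST, DEPLOY_USER
set -eu
umask 077   # every file written below is private to the runner user

# Write the key to a file. Web forms often leave CRLF line endings or drop the
# newline after the END line, and OpenSSH rejects both as "invalid format",
# so normalise them here. Prints the path of the key file.
install_deploy_key() {
    keyfile="$HOME/.ssh/deploy_key"
    mkdir -p "$HOME/.ssh"
    chmod 700 "$HOME/.ssh"
    key=$(printf '%s' "$DEPLOY_SSH_KEY" | tr -d '\r')   # $(...) strips trailing newlines...
    printf '%s\n' "$key" > "$keyfile"                     # ...so exactly one is added back
    chmod 600 "$keyfile"
    printf '%s\n' "$keyfile"
}

# Pin the server's host key instead of trusting whatever answers first.
pin_known_host() {
    mkdir -p "$HOME/.ssh"
    printf '%s\n' "$DEPLOY_SSH_KNOWN_HOST" > "$HOME/.ssh/known_hosts"
    chmod 600 "$HOME/.ssh/known_hosts"
}

# One alias carries all client settings: verification stays on, only this key
# is offered, and ssh fails fast instead of prompting for a password.
write_ssh_config() {
    keyfile=$1
    cat > "$HOME/.ssh/config" <<EOF
Host deploy
    HostName $DEPLOY_HOST
    User $DEPLOY_USER
    Port 22
    IdentityFile $keyfile
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile $HOME/.ssh/known_hosts
    PasswordAuthentication no
    BatchMode yes
EOF
    chmod 600 "$HOME/.ssh/config"
}

# The job's script step; ssh and scp use the alias, so no option is repeated.
deploy_build() {
    keyfile=$(install_deploy_key)
    pin_known_host
    write_ssh_config "$keyfile"
    ssh deploy 'mkdir -p /home/test'
    scp -r build/* deploy:/home/test/
}
# .gitlab-ci.yml:  script: [". ./deploy.sh", "deploy_build"]
```

The known_hosts line is captured once, from a network you trust, with `ssh-keyscan -t ed25519 HOST` and stored as a CI variable; from then on a changed host key fails the job instead of being silently accepted. Because the job writes `~/.ssh/config`, run it under the Docker executor: the warning elsewhere on this page about overwriting the shell runner's own SSH config applies here too.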

gitlab-ci SSH key invalid format

I would like to run a deploy script with gitlab-ci, but the step ssh-add $SSH_PRIVATE_KEY returns an error:
echo "$SSH_PRIVATE_KEY" | ssh-add -
Error loading key "(stdin)": invalid format
You can see my .gitlab-ci.yml :
deploy:
image: node:9.11.1-alpine
stage: deploy
before_script:
# Install ssh-agent if not already installed, it is required by Docker.
# (change apt-get to yum if you use a CentOS-based image)
- 'which ssh-agent || ( apk add --update openssh )'
# Add bash
- apk add --update bash
# Add git
- apk add --update git
# Run ssh-agent (inside the build environment)
- eval $(ssh-agent -s)
# Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
- echo "$SSH_PRIVATE_KEY"   # debugging only: this prints the private key into the job log
- echo "$SSH_PRIVATE_KEY" | ssh-add -
# For Docker builds disable host key checking. Be aware that by adding that
# you are suspectible to man-in-the-middle attacks.
# WARNING: Use this only with the Docker executor, if you use it with shell
# you will overwrite your user's SSH config.
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# In order to properly check the server's host key, assuming you created the
# SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
# instead.
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
script:
- npm i -g pm2
- pm2 deploy ecosystem.config.js production
# only:
# - master
In my project settings, I have added the SSH_PRIVATE_KEY variable, with the id_rsa from my production server (cat ~/.ssh/id_rsa.pub).
Can anyone help me?
In my case, it was because I had made my SSH_PRIVATE_KEY variable protected. When I disabled the Protected state, it worked without any error.
In my case I had to put a new line at the end of the SSH_PRIVATE_KEY variable
I made a stupid mistake and added the key without -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- clauses.
Summing up, you should add:
-----BEGIN RSA PRIVATE KEY-----
<< the key itself goes here >>
-----END RSA PRIVATE KEY-----
Also, ensure the newline after the closing is present.
For all people reaching this post and not finding a solution yet:
Try to make the branch protected, because it's a must for protected variables.
Protected: Only exposed to protected branches or protected tags.
Add a CI/CD variable to a project
It works with variable expansion (curly brackets in double string quotation):
- echo "${SSH_PRIVATE_KEY}" | ssh-add -
While keeping the SSH_PRIVATE_KEY variable protected!
This approach is simply a less ambiguous method for printing variables; in this case it prevents trimming of the last line break.
Make sure that the newline after the end of the file variable is present. If not, the following error would have appeared:
Load key "/home/.../....tmp/ID_RSA": invalid format
[MASKED]#...: Permission denied (publickey).
The ID_RSA was my file variable in this example.
It is the SSH public key in ~/.ssh/id_rsa.pub by default.
The private key is contained in ~/.ssh/id_rsa
If you export the key from PuTTYgen, to get the key content use its command Conversions - Export OpenSSH key (force new file format).
And trim trailing spaces and add a newline.
You must copy the entire contents of the file (id_rsa), including the final blank line. I solved the problem this way.
I got it working with a protected variable.
If the variable is a file, echo won't work anymore:
cat "$SSH_PRIVATE_KEY" | ssh-add -
Otherwise, if the variable is NOT a file, use the following:
echo "$SSH_PRIVATE_KEY" | ssh-add -
I had this issue on GitLab and Bitbucket; both were solved by adding a \n at the end of the key file.
echo $'' >> ~/.ssh/id_rsa
In my case, it was because I had made my SSH_PRIVATE_KEY variable available in a specific environment. I changed it to the one I was using (or you can change it to All, depending on your setup).
It's possible you didn't copy the content of the public key to the authorized_keys:
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
I had the same problem and after spending some hours trying to understand what was wrong I found that my private key was encrypted (and my computer had the password in cache for so long that I had forgotten that it was encrypted). It's not so easy to understand if it's encrypted or not by just looking at the key.
You should decrypt the key (set an empty password) and then paste it on a GitLab variable. Then in your .gitlab-ci.yml you can have a similar configuration:
before_script:
- 'which ssh-agent || ( apt-get install -qq openssh-client )'
- mkdir -p ~/.ssh
- touch ~/.ssh/id_rsa
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- echo -e "Host *\nStrictHostKeyChecking no\n" > ~/.ssh/config
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
*** Note that if you don't want to write the key in a file, you can just put it inside the ssh agent with:
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
*** Note 2: In the Gitlab panel, make sure you have created a variable (and not a file); normally, it should be protected if you want to make it visible in the main branch.
*** Important: For security reasons change the following line:
- echo -e "Host *\nStrictHostKeyChecking no\n" > ~/.ssh/config
putting only your host(s) (and not permitting all connections like this).
If you put:
StrictHostKeyChecking no
when connecting to any host, the ssh-agent will not check the signature and this can be a big vulnerability!
In my case, the stupid me was using inconsistent variable name.
I defined SSH_PRIVATE_KEY in GitLab's variables and was using OWNER_PRIVATE_KEY in .gitlab-ci.yml.
That's why I hate working straight after lunch..
What worked for me was to put '\n' on every line break and store the key as ONE LINE in my variables, and then use the '-e' switch in echo:
echo -e "$SECRET_KEY" > key.pem
This worked, and it also helped me add the identity to ssh-add directly like this:
echo -e "$SSH_PRIVATE_KEY" | ssh-add -
Hope this helps someone.
Use
SSH_PRIVATE_KEY: |
-----BEGIN OPENSSH PRIVATE KEY-----
instead of
SSH_PRIVATE_KEY: >
-----BEGIN OPENSSH PRIVATE KEY-----
'|' preserves the line breaks ('\n').

ssh-add error with ECDSA and ED25519 identities

Linux environment: Debian 9.1, with Gnome desktop
I have both ECDSA and ED25519 identities, but from command line, ssh-add command gives error:
Could not add identity
How to solve?
According to https://bugzilla.gnome.org/show_bug.cgi?id=641082#c22 the bug is related to gnome-keyring's support for ECDSA keys.
The fix which works for me is:
mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/gnome-keyring-ssh.desktop
After reboot, ssh-add works correctly from command line:
marco@cluster:~$ ssh-add
Enter passphrase for /home/marco/.ssh/id_rsa:
Identity added: /home/marco/.ssh/id_ecdsa (/home/marco/.ssh/id_ecdsa)
Identity added: /home/marco/.ssh/id_ed25519 (marco@cluster)

travis-ci - ssh-add asking for my passphrase

I am working on a continuous integration with Travis CI.
This is my configuration:
before_install:
- echo -e "Host *\n\tStrictHostKeyChecking no\n" > ~/.ssh/config
- echo -e $id_rsa.pub > ~/.ssh/id_rsa.pub
- echo -e $id_rsa > ~/.ssh/id_rsa
- sudo chmod 600 ~/.ssh/*
- sudo chmod 644 ~/.ssh/config
- eval `ssh-agent -s`
- ssh-add ~/.ssh/id_rsa
...
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/travis/.ssh/id_rsa:
On the ssh-add step, it asks me for the passphrase and it stops the deployment. I have tested with another ssh key without a passphrase but it doesn't fix my issue.
I have tested lots of solutions like yes $MY_PASSWORD | ssh-add ~/.ssh/id_rsa or echo "$MY_PASSWORD" | ssh-add ~/.ssh/id_rsa but they don't work.
I have added to my .ssh/config (you can see it in my config):
Host *
StrictHostKeyChecking no
isn't it supposed to stop it from asking me for the passphrase?
Maybe someone have an idea ?
Thanks :)
You are using an encrypted private key (which is good), but it needs the passphrase (which is bad for scripting). There are several ways you can proceed:
Remove the passphrase from the key and use it unencrypted (less secure):
ssh-keygen -p -P "old_passphrase" -N "" -f ~/.ssh/id_rsa
Use the sshpass tool to unlock the key (storing the passphrase next to the key in the script basically defeats the security of an encrypted key):
sshpass -p passphrase ssh-add ~/.ssh/id_rsa
I have resolved my problem.
I had a different problem in the basic use of environment variables and echo.
My environment variable names were not good. "$id_rsa.pub" in Travis was interpreted as $id_rsa followed by ".pub", so it added some wrong characters to my content. I renamed it to id_rsa_pub.
I forgot to transform " " into "\ " and newlines into "\n", and with Travis and its environment variables, you must write "\\n" instead of just "\n".
My issue was in part because of bad ssh files, and because I used an rsa key with a password. In my case it's not important to have a password, so I deleted it.
For that I used the answer of jakuje. My ssh key is now installed correctly in each build.
Thank you for your help!
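The two Travis threads (the unexpected passphrase prompt) and the GitLab "invalid format" thread all come down to what is actually inside the variable. The linter below is an added example, not code from any of the posts: it reports the paste mistakes collected in the answers above (public key instead of private, missing BEGIN/END lines, key flattened onto one line, CRLF line endings, no newline after the END line) and, for the PEM, PKCS#8 and OpenSSH key formats, whether the key is passphrase-protected, which is what makes `ssh-add` stop and prompt. It needs only POSIX sh and base64(1), so it also runs on the Alpine images used in those jobs; the function name and its messages are this example's own. `ssh-keygen -y -P '' -f KEYFILE` remains the authoritative test that OpenSSH itself can load the key without a passphrase.

```shell
#!/bin/sh
# Added example, not code from any of the original posts. Lints a private key
# the way it arrives in a CI variable and names the specific paste mistakes
# behind "Error loading key: invalid format" and the passphrase prompt.
#   printf '%s' "$SSH_PRIVATE_KEY" | inspect_private_key   # key from a variable
#   inspect_private_key ~/.ssh/id_rsa                       # key from a file
# Prints one finding per line; returns 0 only if the key can be used unattended.

say() { printf '%s\n' "$1"; rc=1; }

inspect_private_key() {
    tmp=$(mktemp)
    if [ $# -gt 0 ]; then cat "$1"; else cat; fi > "$tmp"
    rc=0
    first=$(head -n 1 "$tmp" | tr -d '\r')
    last=$(tail -n 1 "$tmp" | tr -d '\r')

    # 1. Is it the right object at all? id_rsa.pub is the most common mix-up.
    case "$first" in
        'ssh-rsa '*|'ssh-ed25519 '*|'ecdsa-sha2-'*|'ssh-dss '*)
            say "this is the PUBLIC key (id_rsa.pub); the variable must hold the private key" ;;
        '-----BEGIN '*'PRIVATE KEY-----') ;;
        *) say "first line is not '-----BEGIN ... PRIVATE KEY-----'; paste the whole file" ;;
    esac
    case "$last" in
        '-----END '*'PRIVATE KEY-----') ;;
        *) say "last line is not '-----END ... PRIVATE KEY-----'; the key is truncated" ;;
    esac

    # 2. Whitespace damage done by web forms and editors
    if [ "$(grep -c '' "$tmp")" -lt 3 ]; then
        say "key is on a single line; it needs real newlines (YAML '|' block, or echo -e)"
    fi
    if [ "$(tr -cd '\r' < "$tmp" | wc -c | tr -d ' ')" -ne 0 ]; then
        say "CRLF line endings; strip them with: tr -d '\r'"
    fi
    if [ "$(tail -c 1 "$tmp" | wc -l | tr -d ' ')" -ne 1 ]; then
        say "no newline after the END line; add one, or OpenSSH reports 'invalid format'"
    fi

    # 3. Passphrase protection: ssh-add would stop and prompt, which a CI job cannot answer.
    fix="remove it with: ssh-keygen -p -N '' -f KEYFILE"
    case "$first" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            say "passphrase-protected (PKCS#8); $fix" ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # New-format keys start with the magic "openssh-key-v1\0" followed by the
            # cipher name and KDF name as length-prefixed strings: "none"/"none" means
            # no passphrase, "aes256-ctr"/"bcrypt" means there is one. Non-printable
            # bytes are mapped to '.' so the header can be matched as text.
            hdr=$(sed -n '/^-----BEGIN/,/^-----END/p' "$tmp" | grep -v '^-----' | tr -d '\r\n' \
                  | base64 -d 2>/dev/null | head -c 64 | LC_ALL=C tr -c '[:print:]' '.')
            case "$hdr" in
                'openssh-key-v1.....none....none'*) ;;
                'openssh-key-v1'*) say "passphrase-protected (OpenSSH format); $fix" ;;
                *) say "base64 body does not decode to an OpenSSH key; the key is corrupted" ;;
            esac ;;
        *)
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$tmp"; then
                say "passphrase-protected (PEM); $fix"
            fi ;;
    esac
    rm -f "$tmp"
    return $rc
}
```

Run it in the job before `ssh-add` so the log names the problem instead of showing a passphrase prompt or a bare "invalid format"; the sample inputs in the accompanying checks are constructed headers, not real keys, which is enough because the linter only reads the armour lines and the format header.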
