rundeck SSH Authentication failure - ssh

I run Rundeck v4.1.2, using docker-compose.
I have created a test key pair. I have entered the private key into key storage under the path keys/test using the GUI, and configured the target node to require it for SSH access. I have added the public key under /home/rundeck/.ssh/authorized_keys on the target node.
The resources.xml file looks like this:
server18:
  nodename: server18
  hostname: server18.rc-group.local
  osVersion: 18.04
  osFamily: unix
  osArch: amd64
  description: target-test
  osName: Ubuntu
  username: rundeck
  ssh-authentication: privateKey
  ssh-privateKey-storage-path: keys/test
When I try to connect using command line SSH and the same private key, it works fine. So the key is fine, and the target node config is fine.
When, in the GUI, I try to run the "hostname" command on the same target node, I get:
Failed: AuthenticationFailure: Authentication failure connecting to node: "server18". Make sure your resource definitions and credentials are up to date.
Can someone spot what I'm missing?

Use the ssh-key-storage-path attribute instead of ssh-privateKey-storage-path in your node definition; you can see the valid attributes here.

Related

Gitlab CI/CD using ssh / knownhosts error

I'm trying to use GitLab CI/CD to auto-deploy my code after a push to a specific branch (in my case the 'staging' branch).
After a push to the 'staging' branch I see the following error in the jobs section of the GitLab UI:
Running with gitlab-runner 15.0.0 (xxxxxx)
on deploy xxxxxx
Preparing the "ssh" executor
00:36
Using SSH executor...
ERROR: Preparation failed: ssh command Connect() error: ssh Dial() error: ssh: handshake failed: knownhosts: key is unknown
I can reach GitLab from my VM, and gitlab-runner registered successfully before.
I've also created an SSH key and added it during the gitlab-runner installation steps.
You need to check what SSH URL is used in your case.
Something like git@gitlab.com:me/myProject would look for the gitlab.com SSH host key fingerprints in an ~/.ssh/known_hosts file.
Make sure to add first in gitlab-runner server the following to ~/.ssh/known_hosts:
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
That will skip manual fingerprint confirmation in SSH.
In other words, no more "knownhosts: key is unknown".
Note that with GitLab 15.3 (August 2022), you will have an easier time finding those:
New links to SSH fingerprints
Your GitLab SSH fingerprints are now easier to find, thanks to new links on the SSH configuration page and in the documentation.
Thank you Andreas Deicha for your contribution!
See Documentation and Issue.
For people who still encounter this issue: in our case the cause was a difference between the host name in the known_hosts file and the one in the toml file. They must be either both fully qualified or both unqualified.
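As an added illustration (not code from any of the answers above), this Python sketch reproduces the two things the answers rely on: how a known_hosts lookup matches a host field exactly, so that "gitlab.com" and a short "gitlab" are different entries, and how the SHA256 fingerprint is derived from a known_hosts line so you can compare it against the fingerprint the host operator publishes before trusting the line. It uses the gitlab.com ed25519 line quoted above as sample input; the hashed entry is built with a constructed salt.

```python
import base64
import hashlib
import hmac
import struct

# The gitlab.com ed25519 line quoted in the answer above, reused here as sample input.
GITLAB_ED25519 = ("gitlab.com ssh-ed25519 "
                  "AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf")

def fingerprint(b64_key):
    # SHA256 fingerprint as ssh-keygen -lf prints it: base64 without '=' padding.
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_type_in_blob(b64_key):
    # The blob starts with a length-prefixed algorithm name that must agree with column 2.
    blob = base64.b64decode(b64_key)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def hash_hostname(host, salt):
    # HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, host)).
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    # Exact match only: "gitlab.com" and "gitlab" are different entries, which is the
    # FQDN-versus-short-name mismatch described in the last answer.
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_hostname(host, salt))
    return host in field.split(",")

def lookup(known_hosts, host):
    # Return (key type, fingerprint) for every entry whose host field matches host.
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":  # comments and @cert-authority/@revoked markers are skipped here
            continue
        if host_matches(parts[0], host) and key_type_in_blob(parts[2]) == parts[1]:
            found.append((parts[1], fingerprint(parts[2])))
    return found

def demo():
    # The same key stored twice: plain, and hashed with a constructed salt (not a real one).
    hashed = hash_hostname("gitlab.com", b"constructed-salt") + GITLAB_ED25519[len("gitlab.com"):]
    known_hosts = GITLAB_ED25519 + "\n" + hashed + "\n"
    return lookup(known_hosts, "gitlab.com"), lookup(known_hosts, "gitlab")
```

The fingerprint the code prints for the quoted line is the value to compare with the one GitLab publishes on its SSH fingerprints page; a mismatch means the line should not be added.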

Add a remote node in rundeck

I want to be able to execute shell commands on remote nodes using Rundeck and I found this video that explains how to do that but I don't understand the private-key part and how to configure it. I keep getting the following error:
Authentication failure connecting to node: "test-001". Make sure your resource definitions and credentials are up to date. Failed: AuthenticationFailure: Authentication failure connecting to node: "test-001". Make sure your resource definitions and credentials are up to date.
I have a remote server set up and I configured the resource.xml file like the following:
<node name="test-001" description="demo for test" tags="demo" hostname="10.10.10.10:22" osFamily="unix" osName="Linux" osVersion="2.6.32" username="demo" />
Do I need to add the ssh-key value to the xml file? If so, do I have to copy the public or private keys from the Rundeck server to the host server?
Also, the username demo has a password too, so how can I define it?
The Rundeck host server connects to the node by means of private key authentication, which is exactly the same as SSH private key authentication. Follow these steps to add a node to your Rundeck server.
Open up the resources.xml file and add the following.
<node name="rundeck node2" description="Rundeck node2" tags="node2" hostname="10.1.0.1" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.11.10-03111015-generic" username="leo" ssh-keypath="/var/lib/rundeck/node2.key"/>
You can change the SSH user name in the node and the private key file name. In addition to that, you can change all the other naming parameters too, like the node name and tags.
Now get into your node server.
Create an SSH user; here it is leo.
Switch to user leo and generate an SSH key:
ssh-keygen
Append the public key to authorized_keys
leo@c1a5f48a6c4c:~/.ssh$ pwd
/home/leo/.ssh
leo@c1a5f48a6c4c:~/.ssh$ cat id_rsa.pub >> authorized_keys
leo@c1a5f48a6c4c:~/.ssh$ chmod g-w authorized_keys
Copy the private key
leo@c1a5f48a6c4c:~/.ssh$ cat id_rsa
Save the private key to the file "/var/lib/rundeck/node2.key" on the Rundeck host. Now authentication is working and you are ready to execute ad hoc commands from the Rundeck dashboard.
Documentation is fairly all over the place with different versions having different keywords and there being no warnings in case you are using the wrong one.
The relevant documentation is here:
https://docs.rundeck.com/2.11.3/plugins-user-guide/ssh-plugins.html
You need to specify:
ssh-authentication: privateKey
...and:
ssh-keypath: /path/directly/to/.ssh/id_rsa
(Assuming you are using filesystem key storage.)
Remove passphrase from your keys with:
ssh-keygen -p -m PEM -f /path/to/your/.ssh/id_rsa
...and do not forget to make sure the id_rsa file is owned by rundeck and has suitably restricted permissions.
In my case I had a passphrase on my private key. Make sure your private key passphrase is empty.

How to get the correct format key file for Jenkins CLI?

So I am working with Jenkins and I need to use the Jenkins CLI, but I cannot get the authentication figured out.
I was following their rather short description here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI which said I need to convert my .ppk file from Putty into openssh format. They link you to this post here How to convert SSH keypairs generated using PuttyGen(Windows) into key-pairs used by ssh-agent and KeyChain(Linux) and I followed those instructions and tried with the file it generated, but I end up with a file that is a single line and looks like:
ssh-rsa [KEY]
When I use this file with the Jenkins CLI I get this error:
Exception in thread "main" java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
    at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
    at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
    at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:143)
    at hudson.cli.PrivateKeyProvider.loadKey(PrivateKeyProvider.java:126)
    at hudson.cli.PrivateKeyProvider.readFrom(PrivateKeyProvider.java:107)
    at hudson.cli.CLI._main(CLI.java:440)
    at hudson.cli.CLI.main(CLI.java:387)
I am really not familiar with ssh keys at all and have been searching around for a while with no luck. Can anyone instruct me on how to get my .ppk file into the correct format to use with the Jenkins CLI? Thanks!
You have to generate a public SSH key on your machine and declare this SSH key on your Jenkins server.
To generate a public key on your machine (with no passphrase):
ssh-keygen -t rsa
The default location for your public key is:
/Users/your.user/.ssh/id_rsa.pub
Copy your public SSH key (ssh-rsa XXXXXXXX your.email@domain.com).
Next, go on your Jenkins server and edit your Jenkins user information (via the top right corner, by clicking on your username).
Go to the "SSH Public Keys" section and paste your public key.
You should be able to access your Jenkins server with the CLI.
I've tested this configuration on my Jenkins server and it works.
brunolavit@MBP ~/Downloads$ java -jar jenkins-cli.jar -s http://myjenkinsserver.mydomain.com:8080/ version
1.577
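Three of the failures on this page come from the key file itself rather than from the server: a public-key line where a private key was expected (the jenkins-cli "'-----BEGIN...' missing" error above), a passphrase-protected private key (the Rundeck answers earlier on this page), and a key file readable by other users. As an added example, not code from Rundeck or Jenkins, this Python checker flags all three; the sample files it writes are constructed placeholders, not real keys.

```python
import base64
import os
import struct
import tempfile

MAGIC = b"openssh-key-v1\0"

def openssh_cipher(body_lines):
    # Cipher name stored inside an OpenSSH-format key blob; "none" means no passphrase.
    blob = base64.b64decode("".join(body_lines))
    n = struct.unpack(">I", blob[15:19])[0] if blob.startswith(MAGIC) else 0
    return blob[19:19 + n].decode()

def check_private_key(path):
    # Return the problems that make a key file unusable for Rundeck's SSH plugin or jenkins-cli.
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append("mode %o allows group/other access; chmod 600 it" % mode)
    with open(path) as f:
        lines = f.read().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN"):  # e.g. an "ssh-rsa ..." public key line
        return problems + ["'-----BEGIN' header missing: not a PEM private key"]
    body = [l for l in lines[1:] if not l.startswith("-----END")]
    # PKCS#8 and PKCS#1 say ENCRYPTED in their first lines; OpenSSH format names the cipher in the blob.
    if "ENCRYPTED" in "\n".join(lines[:3]) or ("OPENSSH" in lines[0] and openssh_cipher(body) != "none"):
        problems.append("key is passphrase-protected; strip it with ssh-keygen -p")
    return problems

def pem(kind, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind, body, kind)

def demo():
    # Write constructed sample files (placeholder bodies, not real keys) and check each one.
    none_blob = base64.b64encode(MAGIC + b"\x00\x00\x00\x04none").decode()
    aes_blob = base64.b64encode(MAGIC + b"\x00\x00\x00\naes256-ctr").decode()
    samples = {
        "good.pem": (pem("OPENSSH PRIVATE KEY", none_blob), 0o600),
        "encrypted.pem": (pem("OPENSSH PRIVATE KEY", aes_blob), 0o600),
        "pubkey.txt": ("ssh-rsa AAAAB3PLACEHOLDER user@example\n", 0o600),
        "world_readable.pem": (pem("RSA PRIVATE KEY", "PLACEHOLDER"), 0o644),
    }
    workdir, results = tempfile.mkdtemp(), {}
    for name, (content, mode) in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)
        results[name] = check_private_key(path)
    return results
```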

Configuring SFTP in Pycharm

I'm trying to set up PyCharm so that my local changes are automatically deployed to a remote server.
I can ssh remoteserver and also sftp remoteserver from the terminal, so access is not an issue. But if I try to set up deployment in PyCharm using SFTP, it can't establish the connection.
My best guess is that it's an authentication issue. When running the ssh or sftp commands separately, I've never needed to enter a username or password, so I suppose the auth is happening via Private Key. But the problem is that I'm not sure where the Private Key actually is (I'm in an unfamiliar dev environment).
So either:
(1) How do I know which private key I'm using when running ssh or sftp?
(2) Any other way to resolve the problem.
Thanks!
As to (1), the SSH man page says (under the -i option) "The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file."
The configuration file is ~/.ssh/config, and the key file for a particular host is specified with IdentityFile.
You can also run ssh with -vvv parameter. The location of the private key file will be printed out (if key authentication is used).

Satis - error with ssh2.sftp protocol

I am trying to host a private Composer repository with Satis (http://getcomposer.org/doc/articles/handling-private-packages-with-satis.md).
It works fine over the http protocol.
I want to secure it with an SSH connection as described in the security section (http://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#security),
but I get errors when connecting with the ssh2.sftp:// protocol:
[Composer\Downloader\TransportException]
The "ssh2.sftp://192.168.10.30/packages.json" file could not be downloaded: Error starting up SSH connection(-43): Failed getting banner
failed to open stream: operation failed
I have already generated a key pair.
I added the public key to the authorized_keys file on the Satis server.
I can connect with ssh to the Satis server without entering a password, so the keys are working.
What am I missing or doing wrong?
UPDATE
Also, I had installed the ssh2 module extension. It appears in the output of the command php -m | grep ssh2.
Found the solution myself:
I was using an SSH key pair with a password. Apparently ssh2.sftp does not like this. I generated a new key pair without a password.
Secondly, you need to use the full path from the root directory. For example:
ssh2.sftp://192.168.10.30/home/[username]/path/to/location/packages.json
source: http://us3.php.net/manual/en/function.ssh2-sftp.php#94651