GitLab CI: SSH fail, unable to authenticate private key - ssh

I followed this link to try to SSH to my server in GitLab CI. For the SSH keys, I went into the server and generated the public and private keys. The private key is stored in a GitLab CI/CD environment variable.
The YAML template is as below, copied mostly from the link.
image: docker:19.03.8
services:
  - docker:19.03.8-dind
deployment:
  variables:
    ip: <ip-address>
  script:
    - apk add --update openssh-client sshpass
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | ssh-add - > /dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - export SSHPASS=$AWS_PASSWORD
    - sshpass -e ssh -o StrictHostKeyChecking=no -vvv ubuntu@$ip echo testing
However, I encountered an error on trying to access the private key.
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /root/.ssh/id_xmss
debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
I am using gitlab shared runners, if that helps.
[Update]
Forgot to add that on the server I want to connect to, I added the public key I generated (id_rsa.pub) to the authorized_keys file.
[Edit 1]
As suggested, I have added the known hosts by using ssh-keyscan and copying the output into a variable $SSH_KNOWN_HOSTS. Below is the updated YAML file. However, I encountered the same error.
deployment:
  variables:
    ip: <ip-address>
  script:
    - apk add --update openssh-client sshpass
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | ssh-add - > /dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - touch ~/.ssh/known_hosts
    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    - export SSHPASS=$AWS_PASSWORD
    - sshpass -e ssh -o StrictHostKeyChecking=no -vvv ubuntu@$ip echo testing

I'm not sure about sshpass, since I usually use public/private keys. Here's an example of a job I would set up to run SCP/SSH commands on remote servers:
deploy:
  stage: deploy
  variables:
    # variable name must match the $HOSTNAME referenced below (case-sensitive)
    HOSTNAME: app-dev
  before_script:
    # optional step if you decide to use a hostname instead of IP address
    - cp -f ./network/etc/hosts /etc/hosts
    # Setup SSH
    - which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
    - eval $(ssh-agent -s)
    # SSH_PRIVATE_KEY is a GitLab "File" variable, so it expands to a path
    - ssh-add <(cat $SSH_PRIVATE_KEY)
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - ssh-keyscan $HOSTNAME >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
  script:
    # Copy files and execute commands
    - scp ./scripts/install_package.sh root@$HOSTNAME:/tmp/deploy
    - ssh root@$HOSTNAME "/tmp/deploy/install_package.sh && exit"
Before running the pipeline, you need to do the following:
1. Generate an SSH key pair using ssh-keygen. Don't use a passphrase. The public key ends in .pub; the private key has no extension.
2. SSH onto the remote server and copy the contents of the public key into ~/.ssh/authorized_keys.
3. Copy the contents of your private key into a GitLab File environment variable called SSH_PRIVATE_KEY.
4. If you use a $HOSTNAME environment variable, define the variable in your pipeline and add the IP/hostname to the /etc/hosts file in your pipeline container. Otherwise, just use an IP address instead.

Related

Google Cloud Source Repositories: Permission denied (publickey)

I have a source repository set up in a project. I have my main admin user, and I created a second user (I did try a service account at first) and gave that user "Project Owner" access on the project with the source repo.
I created an SSH key on my local machine by running: ssh-keygen -t rsa -P "" -C "user@domain.com" -f "mysshfile"
I created a config file in my .ssh folder:
Host source.developers.google.com
  HostName source.developers.google.com
  Port 2022
  IdentityFile /Users/XXXXX/.ssh/mysshfile
I copied the contents of my mysshfile.pub and registered it with Cloud repo SSH keys.
When I git clone as my second user, it fails with the error message: Permission denied (publickey). When I git clone as my main admin user, it works.
So I ran the ssh command in verbose mode to check: ssh -p 2022 -l admin@domain.com -v source.developers.google.com, and I get:
........
debug1: Offering public key: /Users/xxxxxx/.ssh/mysshfile RSA SHA256:U+XREDACTED explicit
debug1: Server accepts key: /Users/xxxxxx/.ssh/mysshfile RSA SHA256:U+XREDACTED explicit
debug1: Authentication succeeded (publickey).
Authenticated to source.developers.google.com ([74.125.197.82]:2022).
When I run the same command as my test user: ssh -p 2022 -l test@domain.com -v source.developers.google.com, I get:
debug1: Offering public key: /Users/xxxxxxx/.ssh/mysshfile RSA SHA256:U+XJREDACTED explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
test@domain@source.developers.google.com: Permission denied (publickey).
I can't figure out why the git clone using ssh works for one user (the one I don't even want) and not another?
You need to add the following line into your config file:
PubkeyAcceptedKeyTypes +ssh-rsa
So it should now be:
Host source.developers.google.com
  HostName source.developers.google.com
  Port 2022
  IdentityFile /Users/XXXXX/.ssh/mysshfile
  PubkeyAcceptedKeyTypes +ssh-rsa
On the verbose mode you will see the following lines:
debug1: send_pubkey_test: no mutual signature algorithm
It means that the ssh-rsa algorithm was disabled, which can be re-enabled as explained here.

why does "ssh root@server" need an id_dsa key?

Why does it look for the .ssh/id_dsa file? There is no such file, just id_rsa.
So the issue is that I can login to my server just fine using:
ssh root@SERVER_IP_ADDRESS
But when I try to login with a user I created from root:
ssh USERNAME@SERVER_IP_ADDRESS
I get:
Permission denied (publickey).
The steps I went through before this:
Generated an SSH key.
Created an Ubuntu 16.04 droplet with the given SSH key.
SSH into the server as root:
$ adduser username
$ usermod -aG sudo username
$ ssh -vvv root@serverip
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to cleanproject port 22.
debug1: Connection established.
debug1: identity file /Users/happy/.ssh/id_rsa type 0
....
...
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/happy/.ssh/id_dsa
debug3: no such identity: /Users/happy/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/happy/.ssh/id_ecdsa
debug3: no such identity: /Users/happy/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/happy/.ssh/id_ed25519
debug3: no such identity: /Users/happy/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@server: Permission denied (publickey).
The steps below should help to create and authenticate the new user on the instance.
SSH into your instance using your public key.
Create a new user: $ sudo adduser test123
Change the shell session: $ sudo su test123
Create the .ssh folder: $ mkdir .ssh
Change the permission: $ chmod 700 .ssh
Confirm $ pwd is /home/test123
In the .ssh folder, execute these:
$ touch authorized_keys
$ chmod 600 authorized_keys
Paste your public key here from your local system; id_rsa.pub is the default name if not edited while saving. Make sure no extra spaces are copied.
It should work!
$ ssh test123@ip-address

sign_and_send_pubkey: signing failed: agent refused operation (ePass2003)

Configuring SSH Keys from ePass2003 to access servers.
I have a guest Ubuntu 16.04 on VirtualBox. I am able to SSH to server 1 from the VM, but when SSHing to server 2 from server 1, I get the error below.
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:M0HzYuvGQ8LcKpJIGPgQDrN6Xs8jpyjH4wRQdslGeV
debug3: sign_and_send_pubkey: RSA SHA256:M0HzYuvGQ8LcKpJIGPgQDrN6Xs8jpyjH4wRQdslGeV
sign_and_send_pubkey: signing failed: agent refused operation
When I run ssh-add -l on server 2, I see the output below.
$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:M0HzYuvGQ8LcKpJIGPgQDrN6Xs8jpyjH4wRQdslGeV /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (RSA)
I have set AllowAgentForwarding yes in the /etc/ssh/sshd_config file. But still no luck getting an SSH connection to Server2 from Server1.
If anyone can help me get through this, that would be great.
Thanks in advance!
I'd just like to add that I saw the same issue (in Ubuntu 18.04) and it was caused by bad permissions on my private key files. I did chmod 600 on the relevant files and the problem was resolved. Not sure why ssh-agent didn't complain about this until today.
I was able to fix the connection issue with SSH keys. I had to make changes in the SSH config files at /etc/ssh/ssh_config and ~/.ssh/config
$ cat ~/.ssh/config
Host *
  Compression yes
  ForwardAgent yes
  ForwardX11Trusted no
  GSSAPIAuthentication no
  PreferredAuthentications=publickey
and
$ cat /etc/ssh/ssh_config
Host *
  ForwardAgent yes
  ForwardX11Trusted yes
  HashKnownHosts yes
  GSSAPIAuthentication no
  GSSAPIDelegateCredentials no
After the above changes, restart ssh-agent and do ssh-add.
$ eval $(ssh-agent)
$ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
I hope this works for you all as well if you come across such issues.
We only need to execute this:
eval "$(ssh-agent -s)"
ssh-add
That's OK.
Kind of random, but make sure your network isn't blocking it. I was at a hotel and I couldn't ssh into a server. I tried connecting through my phone's hotspot and it worked immediately. Give a different network a try as a quick way to troubleshoot.

Can't get SSH ProxyCommand with sudo on proxy machine to work

I was trying to configure my SSH configs for easier workflows, but I've run against a wall here.
I have a jump host which requires sudo ssh to get to all the other machines.
I've figured out that if I run ssh -tt jumphost sudo ssh desthost, I get asked for my sudo password and I get access to desthost.
Now, when I add ProxyCommand ssh -tt jumphost sudo ssh %h to my ssh_config and run ssh desthost, I just get a blank connection.
Debug printout:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/deiga/.ssh/config
debug1: /Users/deiga/.ssh/config line 34: Applying options for desthost
debug1: /Users/deiga/.ssh/config line 167: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/tmp/ssh-deiga@desthost:22" does not exist
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -tt jumphost sudo ssh desthost
debug1: identity file /Users/deiga/.ssh/id_rsa type -1
debug1: identity file /Users/deiga/.ssh/id_rsa-cert type -1
debug1: identity file /Users/deiga/.ssh/id_dsa type -1
debug1: identity file /Users/deiga/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 501
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: ssh_exchange_identification: [sudo] password for deiga:
debug1: ssh_exchange_identification: Sorry, try again.
debug1: ssh_exchange_identification: [sudo] password for deiga:
debug1: ssh_exchange_identification: sudo: 1 incorrect password attempt
This is not how the proxy command works. A basic example of how you should do jump hosts is this way:
ProxyCommand ssh -W %h:%p jumphost
which doesn't support running sudo on the remote machine. But you can do the same with the netcat command:
ProxyCommand ssh jumphost nc %h %p
And to make it work with your sudo requirement, just add the sudo command:
ProxyCommand ssh jumphost sudo nc %h %p
If that does not help, please try to diagnose the problem with verbose logs from ssh (-vvv).

Bitbucket SSH authentication

I have a problem connecting with my SSH service,
ssh-agent is running:
ps -e | grep ssh
12163 ? 00:00:00 ssh-agent
and caches my only identity:
ssh-add -l
4096 25:56:f4:9c:09:65:fe:39:b3:17:73:bd:3c:76:3f:8d /home/matthias/.ssh/id_rsa (RSA)
everything exists as it should:
ls ~/.ssh/
id_rsa id_rsa.pub known_hosts
and id_rsa.pub is uploaded to the Bitbucket.org SSH Keys section.
However, SSH authentication fails (using verbose mode, one can see that it somehow tries to load the non-existing id_dsa file):
ssh -v -T hg@bitbucket.org
[...]
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/matthias/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/matthias/.ssh/id_rsa
debug1: Remote: Forced command: conq username:matthias_hueser
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key '/home/matthias/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: conq username:matthias_hueser
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matthias/.ssh/id_dsa
no such identity: /home/matthias/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/matthias/.ssh/id_ecdsa
no such identity: /home/matthias/.ssh/id_ecdsa: No such file or directory
debug1: No more authentication methods to try.
Permission denied (publickey).
Has somebody else run into the same problem and has a suggestion?
[Thanks for the Edit]
The output you're seeing looks consistent with the server rejecting your id_rsa key. ssh will check for id_rsa, id_dsa, and id_ecdsa even if you don't specify them on the command-line or have them loaded in your ssh-agent.
If I were troubleshooting this, I'd remove ssh-agent from the picture and specify your private key on the command-line.
Run this in a new shell you'll close afterward, so you don't trash your existing environment:
$ bash
$ unset SSH_AGENT_PID SSH_AUTH_SOCK
$ ssh -v -T -i ~/.ssh/id_rsa hg@bitbucket.org
[...]
$ exit
(ssh-keygen should prompt you for your key's password)
If that works, I'd double-check that the key your ssh-agent is providing is actually the correct one. You can
$ ssh-keygen -y -f ~/.ssh/id_rsa
And check that against what's in your ssh-agent:
$ ssh-add -L
If the identity in your agent is different, you should dump your keys with ssh-add -D and re-load them. If it's not different, I'm not sure what's up. Hope that helps a bit.
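Every thread on this page ends with the same step: read the `ssh -vvv` output and work out which stage of publickey authentication broke. The script below is an added example (not from any of the posters) that automates that triage over constructed log excerpts modelled on the failures quoted above: no identity offered, a key offered and rejected, a key accepted but the signature failing, the "no mutual signature algorithm" case, and the agent refusing to sign. The sample logs and the `diagnose` function are assumptions of this example, not output from a real host.

```python
import re

# Constructed excerpts of `ssh -vvv` output, modelled on the logs quoted
# in the threads above; sample inputs for this example only.
SAMPLES = {
    "ci_runner": (
        "debug1: Authentications that can continue: publickey,password\n"
        "debug3: no such identity: /root/.ssh/id_rsa: No such file or directory\n"
        "debug1: Next authentication method: password\n"
        "Permission denied, please try again.\n"
    ),
    "legacy_rsa": (
        "debug1: Offering public key: /home/u/.ssh/mykey RSA SHA256:abc explicit\n"
        "debug1: send_pubkey_test: no mutual signature algorithm\n"
        "Permission denied (publickey).\n"
    ),
    "token_agent": (
        "debug1: Offering RSA public key: /usr/lib/opensc-pkcs11.so\n"
        "debug1: Server accepts key: pkalg rsa-sha2-512 blen 279\n"
        "sign_and_send_pubkey: signing failed: agent refused operation\n"
    ),
    "unknown_key": (
        "debug1: Offering RSA public key: /home/u/.ssh/id_rsa\n"
        "debug1: Authentications that can continue: publickey\n"
        "Permission denied (publickey).\n"
    ),
}

def diagnose(log: str) -> list[str]:
    """Return findings explaining why publickey auth failed in a verbose log.
    Specific failures are reported first; the generic 'offered/rejected'
    rules only fire when nothing more specific matched."""
    offered = re.search(r"Offering (?:RSA )?public key", log) is not None
    accepted = "Server accepts key" in log
    denied = "Permission denied" in log
    no_identity = re.search(r"no such identity: \S+:", log) is not None
    findings = []
    if "no mutual signature algorithm" in log:
        findings.append("no shared signature algorithm: ssh-rsa is disabled on one side (see PubkeyAcceptedKeyTypes)")
    if "agent refused operation" in log:
        findings.append("agent refused to sign: check private key file permissions (chmod 600) and the agent/token state")
    if not findings and offered and accepted and denied:
        findings.append("key accepted but signature failed: agent identity may not match the key file (compare ssh-keygen -y with ssh-add -L)")
    if not findings and offered and denied:
        findings.append("key offered and rejected: the public key is not in the remote authorized_keys")
    if not findings and not offered and no_identity:
        findings.append("no key offered: nothing loaded in ssh-agent and no default identity file (check the CI variable and ssh-add)")
    if "Next authentication method: password" in log and denied:
        findings.append("password fallback was attempted and rejected")
    return findings
```

Run it on the real output of a failing job by pasting the log into `diagnose`; a clean `debug1: Authentication succeeded (publickey).` log yields no findings.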