I have a problem with my Bitbucket multiple accounts.
This is my current situation:
MacOS Catalina 10.15.5
My ~/.ssh folder has this:
-rw-------+ 1 myuser mygroup 1679 12 oct 2016 id_rsa
-rw-r--r--@ 1 myuser mygroup 411 12 oct 2016 id_rsa.pub
-rw-------+ 1 myuser mygroup 1823 25 feb 13:50 mycompany
-rw-r--r--@ 1 myuser mygroup 394 25 feb 13:50 mycompany.pub
I have a Bitbucket company account whose SSH key is the same as mycompany.pub
I have a Bitbucket personal account whose SSH Key is the same as id_rsa.pub
Whenever I do anything related with my Bitbucket personal account (git clone, push...) everything works fine.
On the other hand, to do things with my Bitbucket company account I have to add my username to the commands, for example:
git clone https://mycompany@bitbucket.org/blablabla
If I don't add my username I get permission errors.
This is a big problem using scripts that I cannot modify (for example with "pod lib lint" and things that access bitbucket private repositories of my company).
What I've tried so far:
Checking if my ssh-agent is running:
$ eval `ssh-agent -s`
Agent pid 5788
Checking my ssh-agent shows this:
$ ssh-agent sh -c 'ssh-add; ssh-add -l'
Identity added: /path/to/my/user/.ssh/id_rsa (/path/to/my/user/.ssh/id_rsa)
2048 SHA256:... /path/to/my/user/.ssh/id_rsa (RSA)
Since I see my ssh-agent doesn't include my company key I add it:
$ ssh-add ~/.ssh/mycompany
Identity added: /path/to/my/user/.ssh/mycompany (mycompany)
But if I check my ssh-agent again, the key has not been included:
$ ssh-agent sh -c 'ssh-add; ssh-add -l'
Identity added: /path/to/my/user/.ssh/id_rsa (/path/to/my/user/.ssh/id_rsa)
2048 SHA256:... /path/to/my/user/.ssh/id_rsa (RSA)
I've also tried changing my ~/.ssh/config file from this:
Host *
    UseKeychain yes
To this:
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
Host mycompanybitbucket
    Hostname bitbucket.org
    User mycompany
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/mycompany
I restarted the shell and tried it all again, with the same results: I have no permissions to access my company Bitbucket repos.
What am I missing?
EDIT:
I've tried another thing that makes things more confusing.
If I overwrite id_rsa and id_rsa.pub with mycompany and mycompany.pub and run this:
ssh-agent sh -c 'ssh-add; ssh-add -l'
The output is this:
Identity added: /path/to/my/user/.ssh/id_rsa (mycompany)
2048 SHA256:... mycompany (RSA)
This made me think that the certificate was this time the correct one and everything should work well. But no: after this, all git commands keep returning a permission error.
Well, I finally figured it out. My problem was with all access to https://bitbucket.org: it needed to include the username, but in some places I wasn't able to edit these URLs.
So I was studying how to add a default username to these URLs and it worked.
Just running these 2 commands fixed my problem:
$ git config --global credential.helper cache
$ git config --global credential.https://bitbucket.org.username mycompany
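An added example (mine, not from the question or its answers) for the SSH side of the same setup: one ssh_config alias per Bitbucket account, checked offline with `ssh -G`, which resolves the configuration without connecting anywhere. It assumes the two key files named in the question; `User git` is what Bitbucket expects over SSH, the macOS-only `UseKeychain` is left out so the file also parses on Linux, and the aliases sit above `Host *` because IdentityFile entries accumulate across matching blocks.

```shell
set -eu

# write_multi_account_config CFG KEYDIR: one alias per account. Aliases go
# above "Host *": ssh takes the first value it sees for most options, but
# IdentityFile entries add up, so a key set under "Host *" at the top would be
# offered to every host and the wrong account can win. IdentitiesOnly stops
# ssh from also trying whatever keys the agent happens to hold.
write_multi_account_config() {
  cat > "$1" <<EOF
Host mycompanybitbucket
    HostName bitbucket.org
    User git
    IdentityFile $2/mycompany
    IdentitiesOnly yes

Host personalbitbucket
    HostName bitbucket.org
    User git
    IdentityFile $2/id_rsa
    IdentitiesOnly yes

Host *
    AddKeysToAgent yes
EOF
}

# effective_identity CFG ALIAS: the key ssh would offer for ALIAS.
# "ssh -G" prints the resolved configuration and never opens a connection;
# -F makes it read only CFG instead of ~/.ssh/config.
effective_identity() {
  ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2; exit }'
}

# identities_only CFG ALIAS: "yes" when agent-held keys will not be tried too.
identities_only() {
  ssh -G -F "$1" "$2" | awk '$1 == "identitiesonly" { print $2 }'
}

demo_dir=$(mktemp -d)   # stands in for ~/.ssh in this demo
write_multi_account_config "$demo_dir/config" "$demo_dir"
echo "mycompanybitbucket -> $(effective_identity "$demo_dir/config" mycompanybitbucket)"
echo "personalbitbucket  -> $(effective_identity "$demo_dir/config" personalbitbucket)"
```

With that file in place the company clone URL becomes `git clone mycompanybitbucket:workspace/repo.git`, and `ssh -G <alias>` is the first thing to check when a host starts picking up the other key.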
So, I want to deploy my Gitlab pipelines onto a server with SSH. This is my script .gitlab-ci :
test_job:
  stage: test
  variables:
    GIT_STRATEGY: none # Disable Gitlab auto clone
  before_script:
    - 'command -v ssh-agent > /dev/null || ( apk add --update openssh )'
    - eval $(ssh-agent -s)
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - echo "${SSH_PRIVATE_KEY}" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    - ssh-add ~/.ssh/id_rsa
    # Add server to known hosts
    - ssh-keyscan ${VM_IPADDRESS} >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    # Verify that key has been registered
    - ls ~/.ssh -al
    # Verify server connection
    - echo "Ping server"
    - ping ${VM_IPADDRESS} -c 5
  script:
    # Pull Git project on remote server
    - echo "Git clone from repository"
    - ssh -o PreferredAuthentications=publickey ${SSH_USER}@${VM_IPADDRESS} "
        rm -rf /tmp/src/${CI_PROJECT_NAME}/ &&
        git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@gitlab.my-domain.fr/user/project.git /tmp/src/${CI_PROJECT_NAME}/
      "
$SSH_PRIVATE_KEY contains the private SSH key I use daily to connect to that server. It works perfectly in normal use. ${SSH_USER} and ${VM_IPADDRESS} contain my username and the server address. I already checked that all the values in these parameters are correct on the worker.
This is the message I get when trying this script:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
I'm quite stuck with this actually :(. Any help :) ?
Adding my public key id_rsa.pub to ssh authorized_keys file in the server has solved the problem for me. And you need to make sure of adding your public key to your SSH keys in your Gitlab profile.
Also, it's good to note that:
"Add the public key to the services that you want to have an access to from within the build environment. If you are accessing a private GitLab repository you must add it as a deploy key."
I have an automated tests repository and want to add it as a build step, before doing a deploy.
But the clone-repository step fails (only the last run step):
automation:
  executor: web-app-executor
  steps:
    - add_ssh_keys:
        fingerprints:
          - '<my_fingerprint>'
    - run:
        name: Trust github ssh
        command: >-
          GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa_myfingerprint'
          mkdir -p ~/.ssh
          echo 'github.com ssh-rsa <key>
          bitbucket.org ssh-rsa <key>
          ' >> ~/.ssh/known_hosts
    - run:
        name: Github host
        command: ssh-keyscan -p 443 ssh.github.com >> ~/.ssh/known_hosts
    - run:
        name: Clone automation repository
        command: git clone git@github.com:<Domain>/tests-cypress.git
Error:
#!/bin/bash -eo pipefail
git clone git@github.com:Onyo/tests-cypress.git
Cloning into 'tests-cypress'...
The authenticity of host 'github.com (140.82.113.3)' can't be established.
RSA key fingerprint is SHA256:<finger>.
A typical ssh preparation step would involve setting the right protection:
# Prepare SSH
mkdir -p .ssh
chmod 700 .ssh
pushd .ssh
touch authorized_keys # Edit to add allowed connections
touch id_rsa # Edit to add private key
touch id_rsa.pub # Edit to add public key
chmod 600 authorized_keys
chmod 600 id_rsa
chmod 644 id_rsa.pub
popd
In your case, the chmod calls are missing, which could cause the issue (but the exact error message would be helpful).
Regarding the host authentication, add it as in here:
##
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
## with your own domain name. You can copy and repeat that command if you have
## more than one server to connect to.
##
- ssh-keyscan github.com >> ~/.ssh/known_hosts
- ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
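An added example (mine, not from either answer) that does what the CI jobs above do by hand and then checks the result the way ssh and ssh-add judge it: a key is written from a variable with CRs stripped and a restrictive umask, and the directory is audited against the modes listed above (700 for the directory, 600 for private keys and authorized_keys, 644 for .pub files and known_hosts). The directory path and the key text are assumptions; the key body is a constructed placeholder, not real key material.

```shell
set -eu

mode_of() {  # octal permission bits; GNU stat first, BSD/macOS stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_private_key DIR NAME: read key text from stdin, strip the CRs a CI
# variable editor may have added, write it under umask 077 and verify the PEM
# armour lines; a malformed key is removed again instead of left in place.
install_private_key() {
  mkdir -p "$1" && chmod 700 "$1"
  ( umask 077; tr -d '\r' > "$1/$2" )
  if grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$1/$2" &&
     grep -q '^-----END .*PRIVATE KEY-----$' "$1/$2"; then
    return 0
  fi
  rm -f "$1/$2"; return 1
}

# audit_ssh_dir DIR: print one line per entry whose mode is wider than the
# rules above allow (700 dir; 600 or 400 for private keys and authorized_keys;
# 644 or tighter for *.pub and known_hosts). ssh-add silently ignores
# identity files that group or others can reach, so every line is a finding.
audit_ssh_dir() {
  [ "$(mode_of "$1")" = 700 ] || echo "$1: mode $(mode_of "$1"), want 700"
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub|*/known_hosts) allowed='644 600 400' ;; *) allowed='600 400' ;; esac
    m=$(mode_of "$f")
    case " $allowed " in *" $m "*) ;; *) echo "$f: mode $m, want one of $allowed" ;; esac
  done
}

# Constructed placeholder (not a real key) standing in for ${SSH_PRIVATE_KEY},
# complete with the CRLF line endings a copy-pasted variable often carries.
sample_key=$(printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\r\nQUFBQQ==\r\n-----END OPENSSH PRIVATE KEY-----\r\n')

demo_dir=$(mktemp -d)/.ssh
printf '%s\n' "$sample_key" | install_private_key "$demo_dir" id_rsa
chmod 644 "$demo_dir/id_rsa"   # simulate a key left readable by others
audit_ssh_dir "$demo_dir"      # one finding for id_rsa
chmod 600 "$demo_dir/id_rsa"
audit_ssh_dir "$demo_dir"      # silent
```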
I'm constantly setting up passwordless ssh environments. And, while there are many howTos out there, most are rather long. This is going to be very short and without much explanation. Read the load documents for the details. I plan to add screen-shots, but that has to wait until after my wrist heals. I broke it badly just the day before yesterday.
PuTTY doesn't natively support the private key format (.pem)
You must convert your private key into a .ppk file
before you can connect to your instance using PuTTY
ssh-keygen generates 2 files.
- id_rsa: The private key
- id_rsa.pub: The public key
PuTTYgen will generate the ppk for use with PuTTY.
On Linux (I’m using CentOS 8)
=================================
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa -C "yourEmailAddr@yahoo.com"
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 400 ~/.ssh/*
cp ~/.ssh/* /VMShare/ssh/ #a common mount between my virtual machines and windows
on Windows
----------
1. open PuTTYgen Click Load and open the private file (normally id_rsa)
2. Click “Save Private Key” and choose a name. I use id_rsa.ppk
3. Open PuTTY
3.1. Set Connection->Data->Auto-login username as appropriate
3.2. set the Connection->SSH->Auth->”Private key file for authentication” to the ppk file.
To setup 1 way ssh between 2 Linux machines
-------------------------------------------
copy the id_rsa file to ~/.ssh on the second machine
Next: chmod 400 ~/.ssh/id_rsa
Now you can ssh from the second machine to the first
To setup 1 way ssh between 2 Linux machines
-------------------------------------------
Copy the id_rsa and id_rsa.pub file to ~/.ssh on the second machine
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 400 ~/.ssh/authorized_keys ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
To Test the ssh use:
--------------------
ssh -i id_rsa user@host1
<https://help.dreamhost.com/hc/en-us/articles/215464758-How-do-I-set-up-passwordless-login-in-PuTTY->
Is there a way to add root's ssh private key in ssh-agent, with a standard sudo user?
I'm not really sure, but is this the restriction with this command?
In the ssh-add man page I found this:
Identity files should not be readable by anyone but the user. Note that ssh-add ignores identity files if they are accessible by others.
That's the output:
sudouser@myhost:/ $ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-Yppfd3Xp0Yrm/agent.2429; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2430; export SSH_AGENT_PID;
echo Agent pid 2430;
sudouser@myhost:/ $ eval $(ssh-agent)
Agent pid 2435
sudouser@myhost:/ $ ssh-add /home/sudouser/.ssh/id_rsa
Enter passphrase for /home/sudouser/.ssh/id_rsa:
Identity added: /home/sudouser/.ssh/id_rsa (/home/sudouser/.ssh/id_rsa)
Works as expected.
But with root's key I get:
sudouser@myhost:/ $ sudo ssh-add /root/.ssh/ansible/id_rsa
or
sudouser@myhost:/ $ sudo sh -c 'ssh-add /root/.ssh/ansible/id_rsa'
Could not open a connection to your authentication agent.
sudo clears environment variables. ssh-add needs SSH_AUTH_SOCK and SSH_AGENT_PID in order to know how to speak to ssh-agent. So you must trick it by adding them back in the command:
sudo sh -c 'export SSH_AUTH_SOCK="'"$SSH_AUTH_SOCK"'"; export SSH_AGENT_PID="'"$SSH_AGENT_PID"'"; ssh-add /path/to/roots/private/key'
Possible alternative answer: sudo has an option to preserve environment variables:
sudo --preserve-env=SSH_AUTH_SOCK -i
Alternatively you can add this line to the sudoers file to get the same effect:
Defaults env_keep+=SSH_AUTH_SOCK
For an application I'm making I have to use GPG in a root process on machine #1. On some other machine (#2) I want to run a shell script, that creates keys (secret and public) in GPG for user root on machine #1.
First I create a file, key.scr, where I define characteristics for the new key.
When I run
gpg --batch --gen-key /hdd/myfolder/key.scr
via ssh for user , a perfect key-pair is created and saved in /home//.gnupg
But my goal is to create keys for the user root, who must use these keys in some crontab-job.
I tried the following:
echo "<MyPassword>" | sudo -S gpg --batch --gen-key /hdd/myfolder/key.scr
and
sudo -u root gpg --batch --gen-key /hdd/myfolder/key.scr
I also placed
gpg --batch --gen-key /hdd/myfolder/key.scr
in a shell command file, and ran
sudo <BatchFile>
but I only messed up the .gnupg folder for (the access rights for several files in this folder are changed to root - root, so they are not readable any longer by .
So, what is the proper way to create via ssh GPG keys which can be used by user root, while root access is not possible via ssh?