I have a website which commits to a git local repository all the changes done.
I need to automatically push them directly from the web server to a remote Bitbucket repository.
The authentication method I use to do it is by passwordless SSH key stored on the Web Server, but I think this could be not so secure.
So the question is... do you know a more secure (or simply better) method to automatically push changes from a Web Server to a Git-Bitbucket private repository?
Related
Repos missing suddenly in azure container registry instance.
There were lots of repos in the ACR instance, and now I am seeing it's not available.
Can you help here.
It says "unable to send request to fetch repositories"
If your repositories or tags are not available in the Azure portal, I would suggest you use Firefox or Chrome to list all of your registry's repositories.
To unable to send request to fetch repositories
It's possible to fetch repositories but the browser may be unable to send the server's request to fetch repositories.
Make sure the registration portal you are using from a public network it's allows only private access.
To prevent these issues, ensure your network connectivity is sufficient, DNS mistakes & Ads blockers.
And check whether you have enabled firewall.
Try to run this command az acr check-health -n yourRegistry using Azure CLI to determine whether your environment can connect to the Container Registry. To avoid any expired cookie, try to use incognito or private session in your browser.
Reference: Azure Container Registry | Microsoft Docs
I have a private docker registry hosted on GitLab.
I need to support accessing this registry automatically (via GitLab CI), but I don't want to use developer credentials (insecure and requires changing them every time a dev leaves the company).
How are others authenticating?
Do you create an "API Account" to authenticate with? Docker doesn't seem to support service account keys or other methods of authentication.
Thank you
Edit:
GitLab CI ssh registry login
The accepted answer here answered the question for GitLab.
However, I would like to know if there are any alternatives, since this still only allows ephemeral keys while doing the deployment via GitLab CI.
I tried reading Artifactory user guide but the instructions on SSH authentication were not clear. Can someone explain how to do SSH authentication in Artifactory?
Actually, enabling SSH on Artifactory is fairly straightforward; the client is what may require some additional debugging if it is unable to connect for any reason. The steps for enabling SSH on Artifactory are available in the online documentation for SSH Integration. You simply need to create a key pair on any machine with ssh-keygen installed (most Linux distros will have this by default), then click on Admin, select Security -> SSH Server, click Enable SSH and add in the private and public key just created. Select a port and set the custom base URL if necessary and Save.
Now, the user in Artifactory that wishes to authenticate with SSH needs to add his public key to his profile. This can be done by simply logging in and clicking your username in the top right corner of Artifactory. Under this section, you will need to add your password again and then you can simply paste the public key in the SSH section, you can read about this process in Updating Your Profile.
That's it, Artifactory is now ready for SSH for that particular user, and any other user can add their public key to their profile to use SSH authentication.
Configuring the client depends on which client you are attempting to set up. The most common use case is Git LFS, so I will share some documentation for setting up Git LFS with SSH to Artifactory.
Most of what you need to set up Git LFS can be found in JFrog's Git LFS Repository Authenticating with SSH documentation, or in JFrog's public solution on Git LFS Authentication. The latter contains an example of what the git config file should look like and also contains relevant information on setting up SSH authentication with an nginx reverse proxy (if you have one configured and running).
If this doesn't answer your question, can you please provide some more details on which client you are using to authenticate and specifically what is not working (any relevant error messages or log output), both Artifactory and client-side.
Our current infrastructure uses ssh keys for passwordless login to our Linux servers.
As our infrastructure grows, managing these authorised keys is getting harder.
As we also have an Active Directory (AD) server, I would like to authenticate the users over ssh using this mechanism, but maintain the passwordless nature of ssh keys.
Is it possible to authenticate the users over ssh without password, using some AD mechanism?
This is usually done via SSH key certificates in order to keep the password-less nature and at the same time have a Central Authority that can be trusted to generate new certificates for each account.
LDAP/Active directory use on login is not advised - apart from having to use passwords, it also becomes a single point of failure for access to any system it manages.
See RedHat documentation on how to do this and also Facebook's good write up on their use of certificate authentication with SSH.
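The certificate approach described in the answer above, as an added example that is not part of the original post: a CA key signs a user's public key into a short-lived certificate, and the result is checked against the CA before it is trusted. All names (user_ca, alice, sysadmin, dbadmin) and the 8-hour validity are constructed for illustration.

```shell
#!/bin/sh
# Added example: SSH user certificates issued by a central CA.
# Every name below (user_ca, alice, sysadmin, dbadmin) is constructed.
set -eu

# make_ca DIR: create the CA key pair. In production the private half
# stays on a locked-down signing host; servers only receive user_ca.pub.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# sign_user DIR USER PRINCIPALS VALIDITY: create USER's key pair and issue
# DIR/USER-cert.pub, limited to PRINCIPALS and expiring after VALIDITY.
# (Normally the user generates the key and submits only the .pub file.)
sign_user() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
    ssh-keygen -q -s "$1/user_ca" -I "$2" -n "$3" -V "$4" "$1/$2.pub"
}

# signed_by CERT CA_PUB: succeed only if CERT carries CA_PUB's fingerprint.
signed_by() {
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    ssh-keygen -L -f "$1" | grep -F 'Signing CA:' | grep -qF "$ca_fp"
}

# cert_principals CERT: print the principals in CERT, comma-separated.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Critical Options:/ { inlist = 0 }
        inlist              { print $1 }
        /Principals:/       { inlist = 1 }' | paste -sd, -
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    sign_user "$dir" alice sysadmin,dbadmin +8h
    signed_by "$dir/alice-cert.pub" "$dir/user_ca.pub" && echo "issued by our CA"
    echo "principals: $(cert_principals "$dir/alice-cert.pub")"
    rm -rf "$dir"
}
demo

# Server side, in sshd_config (the path is an assumption):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# sshd then accepts any unexpired certificate signed by that CA whose
# principals match the target account, with no per-user authorized_keys.
```

Because each certificate expires on its own, removing someone's access means no longer issuing them certificates instead of editing authorized_keys on every server.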
Option 1
This is a good article explaining how to do this.
Storing SSH keys in Active Directory for easy deployment
Basically, it will allow people to post their public keys to your Active Directory and then you can set up a cron script on your servers to fetch a copy of the public keys every 5 minutes or so.
Option 2
You could also use a file server that has all your keys and get each server to fetch from there using a cron script. Obviously, you need a way to verify each key's authenticity especially if you are using FTP or some other insecure protocol. This could be achieved using GPG. You could have a company master GPG key that signs all the employee keys.
Personally, I like option 2 the best because I think it is more secure, but either method should work. Hope this helps!
My approach would be to reduce the problem to an already solved one by
Use active directory to authenticate without password and establish an HTTPS connection using Kerberos. The Dzone Tutorial Configuring Tomcat 7 Single Sign-on with SPNEGO might be a good starting point for that approach.
Wrap SSH into the https-protocol like, see section Wrapping SSH in HTTP(S) at https://unix.stackexchange.com/questions/190490/how-to-use-ssh-over-http-or-https
I want to create a repository on the remote server.
Access constraints that I have:
(a) IP address (of server)
(b) username/pw
I am following this tutorial and am stuck on the first step: "Initial access to mercurial-server"
I am not able to understand the "ssh connection" syntax (especially the my-key).
How could I connect to the remote server (using ssh-agent) in order to create a new repo?
This is the same problem we see again and again. mercurial-server isn't a part of Mercurial. It's a separate, third party, not generally necessary piece of software that tries to make mercurial administration easier without really succeeding.
Start here: https://www.mercurial-scm.org/wiki/PublishingRepositories/
and pick the type of access you want, http or ssh and then use either hgweb.cgi + apache (for http) or nothing at all if you just want to use ssh.
Specifically, for any server that has the mercurial client on it (apt-get install mercurial on debian or ubuntu and yum install mercurial on redhat, fedora, or centos) you don't need any extra software at all for hosting mercurial repositories over ssh. You can just do:
hg clone myLocalrepo ssh://you@thatserver/myRemoteRepo
and poof you're hosting there.