Allow CI access to private BitBucket repo - ssh

I'm running a CI machine on AppCenter and need to allow read/write access to a private BitBucket repository but I can't figure out how to do this.
My approach is to create an ssh key and during CI builds add the private key to the machine ssh-agent using ssh-add -K (mac machine).
I've created an ssh key on my local computer (mac) using ssh-keygen and uploaded the .pub key to BitBucket. Then as my CI runs I'm trying to take the private key and add it to the ssh-agent, but I'm being prompted to enter a password and can't figure out how to inject it in a non-interactive shell mode.
Is this the right approach to grant access to BitBucket in CI? If so, how can I add an ssh key without being prompted to enter a password?
Scripts are in Ruby or Bash.
The repo contains certificates used for Fastlane Match.

Answering my own question...
I ended up using a BitBucket App Password and cloning via https. I think there has to be a better way, but this works for my needs at the moment.
I needed access from my CI to a private BitBucket certificates repo to use with Fastlane Match; the value in my Matchfile for git_url that allows me to clone the repo is:
git_url "https://{BITBUCKET_USER}:{BITBUCKET_APP_PASSWORD}@bitbucket.org/{BITBUCKET_USER}/{REPO}.git"
You can obtain a Bitbucket app password by clicking your profile (Avatar) -> Settings -> App Passwords.
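The ssh-agent approach from the question can also be made non-interactive. The script below is an added example, not from the original post or from AppCenter: it loads a passphrase-protected deploy key into an agent without a TTY and pins the Bitbucket host key, assuming the CI system supplies the key, passphrase and host key as the hypothetical environment variables BITBUCKET_DEPLOY_KEY, BITBUCKET_DEPLOY_KEY_PASSPHRASE and BITBUCKET_HOST_KEY.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: load a passphrase-protected
# deploy key into ssh-agent inside a non-interactive CI job. Assumes the CI
# system exposes the key, its passphrase and the pinned Bitbucket host key
# as the hypothetical environment variables BITBUCKET_DEPLOY_KEY,
# BITBUCKET_DEPLOY_KEY_PASSPHRASE and BITBUCKET_HOST_KEY.
set -eu

# Write the key material to a fresh 0600 file in a 0700 directory; print path.
write_key_file() {
  local key_dir
  key_dir="$(mktemp -d)"
  # umask makes the file private from creation, never briefly group-readable
  (umask 077 && printf '%s\n' "$1" > "$key_dir/id_ed25519")
  echo "$key_dir/id_ed25519"
}

# Create an SSH_ASKPASS helper; ssh-add runs it instead of prompting on a TTY.
# It reads the passphrase from the environment, so the secret never hits disk.
write_askpass() {
  local script
  script="$(mktemp)"
  printf '#!/bin/sh\nprintf "%%s" "$BITBUCKET_DEPLOY_KEY_PASSPHRASE"\n' > "$script"
  chmod 700 "$script"
  echo "$script"
}

# Append the pinned host key so git never stops at a host-key prompt.
# $1 = known_hosts path (defaults to ~/.ssh/known_hosts).
pin_host_key() {
  local known_hosts="${1:-$HOME/.ssh/known_hosts}"
  mkdir -p "$(dirname "$known_hosts")"
  printf '%s\n' "$BITBUCKET_HOST_KEY" >> "$known_hosts"
  chmod 600 "$known_hosts"
}

# Start an agent, load the key with no prompt, then delete the plaintext file.
load_key_into_agent() {
  local key_file askpass
  key_file="$(write_key_file "$BITBUCKET_DEPLOY_KEY")"
  askpass="$(write_askpass)"
  eval "$(ssh-agent -s)" > /dev/null
  # stdin from /dev/null plus DISPLAY and SSH_ASKPASS force the askpass path;
  # SSH_ASKPASS_REQUIRE=force needs OpenSSH 8.4 or newer.
  DISPLAY=:0 SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
    ssh-add "$key_file" < /dev/null
  rm -f "$key_file" "$askpass"   # key now lives only in the agent's memory
  pin_host_key
}
```

Call load_key_into_agent once at the start of the job; the host key value should come from a one-time ssh-keyscan on a trusted machine, stored as a CI variable, not fetched during the build.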

Related

How do I tell the GitHub CLI to use a specific SSH key?

I have various GitHub accounts and for each account I have SSH set up. So under ~/.ssh I have a public and private key for each account.
I want to use the GitHub CLI, but I am not sure how I can tell the CLI to use a particular SSH key.
In case it is relevant, this is what I get when I run ssh-add -l:
Example Scenario
I want to run gh repo create on GitHub account B, but for some reason, the repo got created on GitHub account A. Is there a way I can tell gh what account to use?
If you have different GitHub users the gh-cli won't be very effective. As @phd says, commands like gh repo create require logging in via an auth token. https://cli.github.com/manual/gh_auth_login
Switching contexts between accounts (i.e. github.com/user1 and github.com/user2) definitely doesn't seem supported, so you'd have to hack around logging in and out every time you switched.
But which ssh key git should use can be configured easily enough with some combination of ~/.ssh/config, .gitconfig and/or setting the GIT_SSH_COMMAND env var before running git commands.
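For the git side of the answer above (which key git offers, separate from gh's own auth token), here is an added example that is not from the original answer: one ssh_config host alias per account, with IdentitiesOnly so the agent cannot offer another account's key. The key paths ~/.ssh/id_ed25519_work and ~/.ssh/id_ed25519_personal are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: one SSH host alias per GitHub
# account so git offers only that account's key. The key paths
# ~/.ssh/id_ed25519_work and ~/.ssh/id_ed25519_personal are hypothetical.
set -eu

# Write an ssh_config with one alias per account. IdentitiesOnly stops ssh from
# offering every key in the agent, which is how a push lands on the wrong account.
# $1 = path of the config file to write (normally ~/.ssh/config).
write_ssh_config() {
  cat > "$1" <<'EOF'
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes
EOF
  chmod 600 "$1"
}

# Build the remote URL that routes a repo through a given alias.
# $1 = alias (github-work or github-personal), $2 = owner/repo
remote_for_alias() {
  printf 'git@%s:%s.git\n' "$1" "$2"
}

# Alternative for a single command: pin the key via GIT_SSH_COMMAND, which
# git honours for that invocation only. $1 = path of the private key.
ssh_command_for_key() {
  printf 'ssh -i %s -o IdentitiesOnly=yes\n' "$1"
}

# Usage:
#   write_ssh_config ~/.ssh/config
#   git clone "$(remote_for_alias github-personal me/repo)"
#   GIT_SSH_COMMAND="$(ssh_command_for_key ~/.ssh/id_ed25519_work)" git push
```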

GitLab: certificate issue, missing ssh public key

I can't get the point and understand how it works and what is necessary to do.
I have an account with GitLab and successfully generated a private and public certificate in order to provide access to it. I did all the steps as described in https://gitlab.com/help/ssh/README#generating-a-new-ssh-key-pair . Now I decided to create a new project and synchronize the state between the GitLab project and the one I created locally. Because I have access to the machine which I used to create both certificates, I simply copied the public key from that machine (located in the ~/.ssh folder) to the current machine I am working on (into the ~/.ssh folder). But it doesn't have any effect. I can't even execute the git clone command.
~> git clone git@gitlab.com:[myUser]/[myProject].git
Cloning into 'gate-controller'...
git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I tried to figure out the reason and executed
~> ssh -vT git@gitlab.com
but to be honest I can't interpret that response. I don't see in the response any reference to my public key file in the ssh folder.
Could you please help me solve the issue and understand what the problem is?
Many thanks in advance.
UPDATE:
You need the private key on any machine you're attempting to pull/push from. When authenticating with a service that has your public key (which any git service like Github, Gitlab, etc. will have) you need to use your private key when authenticating.
You can read more about ssh (which git uses when you don't use HTTPS auth) and PKI (Public Key Infrastructure) here: https://www.ssh.com/pki/

Provision remote nixos box without sending private keys

I am provisioning a nixos instance on AWS. The instance has to download a repository from a private github repo. Currently I just run a shell script on the remote box using ssh forwarding to download the repository. In this way I don't have to copy my private key, which gives me access to the repo, to the remote box.
I would like to change this procedure to be more Nix-like. I want to write a nix expression which downloads the repo and put it in /etc/nixos/configuration.nix. At the same time I don't want to copy my private key to the remote machine. Is this possible? Can nixos-rebuild use ssh forwarding?
You can explore the --build-host and --target-host options of the nixos-rebuild command. That is, make your local machine the build machine, and the remote one the target. You need root passwordless ssh access to the remote, though.

Generate key files to connect to Bitbucket in Vagrant boxes

We use Vagrant boxes for development. For every project or small snippet we simply start a new box and provision it with Ansible. This is working fantastically; however, we do get into trouble when connecting to a private Bitbucket repository within a bower install run.
The solution we have now is to generate a new key (ssh-keygen), accept all defaults (pressing <return>, <return>, <return>) and then grab the public key (cat ~/.ssh/id_rsa.pub). Copy it, go to Bitbucket, view your account and add this new ssh key. And repeat for every new box you instantiate.
We have to do this because of some closed source packages (hosted on Bitbucket) we install via Bower. We do have another experience, which is much better: composer (php's package manager) and private Github repositories. With that setup, you have to enter your username/password/2fa token via the command line and an OAuth token is generated for you. This works great.
So, is there a way we can mitigate this bower/bitbucket/ssh issue? For obvious reasons I don't want to provision the boxes with a standard private key, but there has to be another solution?
While I'm not sure that my situation is as complex as yours (I'm not using Ansible or Bower), I solved this problem by using the Vagrant ssh forward agent. This blog post gives you the details on how to get it working:
Cloning from GitHub in Vagrant using SSH agent forwarding
So as long as each of the developers has access on their local machines to the bitbucket repos, it should work.

fatal: The remote end hung up unexpectedly when connecting to GitHub

I've set up my local system for working with GitHub as described in the "Generating SSH Keys" How-To.
The key files and the known_hosts have been created, the public key has been added to the GitHub account, and I get the message "Hi ***! You've successfully authenticated, but GitHub does not provide shell access."
But all my attempts to do something that needs a connection to the server (EDIT: with write access) -- git clone, git push etc. -- end with an error:
fatal: The remote end hung up unexpectedly
EDIT:
I can clone, but only via HTTP (https://github.com/account/reponame.git) or Git Read-Only (git://github.com/account/reponame.git).
EDIT:
***@**** ~/.ssh
$ ssh-add -l
Could not open a connection to your authentication agent.
Although an ssh-agent daemon (ssh-agent.exe) is running.
Probably that is the problem.
The only instance where that error message pops up, while your public ssh key is correctly recorded by GitHub, is when
you try to clone a repo with a wrong case or an improper ssh url.
It should be:
git clone git@github.com:user/repo.git
you try to clone a repo for which you don't have write access (public repo), or any access (private repo).
From the GitHub page "Which remote URL should I use?"
To use these URLs, you must have write access to a public repo or any access to a private repo.
These URLs will not work with a public repo you do not have write access to.
the private key is passphrase protected and your authentication agent doesn't run properly:
$ ssh-add -l
Could not open a connection to your authentication agent.
For the last case, consider "How to run (git/ssh) authentication agent?" or "ssh-add complains: Could not open a connection to your authentication agent"
It works!
I've started the Pageant (PuTTY SSH authentication agent) and added my PuTTY private key id_rsa.pkk (exported with PuTTYgen (PuTTY Key Generator) from id_rsa) to it. Now I can write to my repos.
A small how-to for everyone, who has the same troubles I had:
0) Set up the local system for working with GitHub, as described in the "Generating SSH Keys" How-To.
1) Open PuTTYgen, load/import the (OpenSSH) private key id_rsa and save it (button Save private key) as id_rsa.pkk (in the same folder where id_rsa is saved, ~/.ssh). You need this PuTTY variant of the key for PuTTY authentication with Pageant and (if you use it) TortoiseGit.
2a) Open Pageant (on my computer it's C:\Program Files (x86)\PuTTY\pageant.exe) and add the PuTTY private key. Or just open the PuTTY private key file (id_rsa.pkk) with Pageant.
2b) For TortoiseGit I only had to set the SSH client (C:\Program Files (x86)\Git\bin\ssh.exe) in the global TortoiseGit settings.
That's it.
I've got it working, but I don't have a deep understanding of this topic and cannot provide a low-level explanation of the solution and the causes of this problem (and e.g. why it was working in some clients and wasn't in some others). So feel free to edit/comment on this post if you can explain all this better.