Basic Delivery Using SSH In Bitbucket Pipelines - ssh

Here's what I've got so far:
I've generated an SSH key pair inside my repo and also added the public key to my ~/.ssh/authorized_keys on the remote host.
My remote host has root user and password login disabled for security. I put the SSH username I use to log in manually inside an environment variable called SSH_USERNAME.
Here's where I'm just not sure what to do. How should I fill out my bitbucket-pipelines.yml?
Here is the raw contents of that file... What should I add?
# This is a sample build configuration for JavaScript.
# Check our guides at https://confluence.atlassian.com/x/14UWN for more examples.
# Only use spaces to indent your .yml configuration.
# -----
# You can specify a custom docker image from Docker Hub as your build environment.
image: samueldebruyn/debian-git
pipelines:
branches:
master:
- step:
script: # Modify the commands below to build your repository.
- sftp $FTP_USERNAME#192.241.216.482

First of all: you should not add a key pair to your repo. Credentials should never be in a repo.
Defining the username as an environment variable is a good idea. You should do the same with the private key of your keypair. (But you have to Bas64-encode it – see Bb Pipelines documentation – and mark it as secure, so it is not visible in the repo settings.)
Then, before you actually want to connect, you have to make sure the private key (of course, Base64-decoded) is known to your pipeline’s SSH setup.
Basically, what you need to do in your script (either directly or in a shell script) is:
- echo "$SSH_PRIVATE_KEY" | base64 --decode > ~/.ssh/id_rsa
- chmod go-r ~/.ssh/id_rsa
BTW, I’d suggest also putting also the host’s IP in an env variable.

Related

Add a remote node in rundeck

I want to be able to execute shell commands on remote nodes using Rundeck and I found this video that explains how to do that but I don't understand the private-key part and how to configure it. I keep getting the following error:
Authentication failure connecting to node: "test-001". Make sure your
resource definitions and credentials are up to date. Failed:
AuthenticationFailure: Authentication failure connecting to node:
"test-001". Make sure your resource definitions and credentials are up
to date.
I have a remote server set up and I configured the resource.xml file like the following:
<node name="test-001" description="demo for test" tags="demo" hostname="10.10.10.10:22" osFamily="unix" osName="Linux" osVersion="2.6.32" username="demo" />
Do I need to add the ssh-key value to the xml file? If so, do I have to copy the public or private keys from the Rundeck server to the host server?
Also, the username demo has a password too, so how can I define it?
Rundeck host server connects to the node by means of private key authentication which is exactly similar to SSH private key authentication. Follow these steps to add a node to your server rundeck.
Open up the resources.xml file and add the following.
<node name="rundeck node2" description="Rundeck node2" tags="node2" hostname="10.1.0.1" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.11.10-03111015-generic" username="leo" ssh-keypath="/var/lib/rundeck/node2.key"/>
You can change the SSH user name in node and private key file name. In addition to that, you can change all the other naming parameters too like node name and tags etc.
Now get into your node server.
Create a ssh user, here its leo
switch to user leo. Generate a SSH key
ssh-keygen
Append the public key to authorized_keys
leo#c1a5f48a6c4c:~/.ssh$ pwd
/home/leo/.ssh
leo#c1a5f48a6c4c:~/.ssh$ cat id_rsa.pub >> authorized_keys
leo#c1a5f48a6c4c:~/.ssh$ chmod g-w authorized_keys
Copy the private key
leo#c1a5f48a6c4c:~/.ssh$ cat id_rsa
Save the private key to the file "/var/lib/rundeck/node2.key" on rundeck host. Now the authentication is okay and ready to execute adhoc commands from rundeck dashboard
Documentation is fairly all over the place with different versions having different keywords and there being no warnings in case you are using the wrong one.
The relevant documentation is here:
https://docs.rundeck.com/2.11.3/plugins-user-guide/ssh-plugins.html
You need to specify:
ssh-authentication: privateKey
...and:
ssh-keypath: /path/directly/to/.ssh/id_rsa
(Assuming you are using filesystem key storage.)
Remove passphrase from your keys with:
ssh-keygen -p -m PEM -f /path/to/your/.ssh/id_rsa
...and do not forget to mke sure the id_rsa file is owned by rundeck and has suitably restricted permissions.
In my case I had a passpharse in my private key. Make sure your private key passpharse is empty.

How to specify a different location for ssh keys loading during rhc setup?

I am using rhc cli tool for OpenShift projects. I have encountered a problem with default rhc ssh key.
On any ssh related action (setup, app-create, etc..) rhc creates ~/.ssh/id_rsa key if it does not exist. I do not like that behaviour, and I would like it to use something like ~/.ssh/OpenShift-SSH-Keys/my_id_rsa.
Because during rhc setup, it did not ask me from which location I wanted to load the keys. Thus I also looked in ~/.openshift/express.conf and I only saw the configurations for ssl; not ssh.
So I found on the internet this following configuration line to add to ~/.openshift/express.conf:
ssh_key_file='~/.ssh/OpenShift-SSH-Keys/my_id_rsa'
I added it and also modified my ~/.ssh/config file:
# Openshift *.rhcloud.com ssh-key config
Host *.rhcloud.com
IdentityFile ~/.ssh/OpenShift-SSH-Keys/my_id_rsa
IdentitiesOnly yes
VerifyHostKeyDNS yes
StrictHostKeyChecking no
PasswordAuthentication no
UserKnownHostsFile ~/.ssh/known_hosts
To finish I setup my account like that:
rhc setup --config ~/.openshift/express.conf -l myusername#gmail.com
Output of this command line:
OpenShift Client Tools (RHC) Setup Wizard
This wizard will help you upload your SSH keys, set your application namespace, and check that other programs like Git are
properly installed.
If you have your own OpenShift server, you can specify it now. Just hit enter to use the server for OpenShift Online:
openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com|
You can add more servers later using 'rhc server'.
Using myusername#gmail.com to login to openshift.redhat.com
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Password: ************************
OpenShift can create and store a token on disk which allows to you to access the server without using your password. The
key is stored in your home directory and should be kept secret. You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... RSA 1024 bit CA certificates are loaded due to old openssl compatibility
lasts 29 days
Saving configuration to /Users/theuser/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
Created: /Users/theuser/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code. Upload now? (yes|no) no
You can upload your public SSH key at a later time using the 'rhc sshkey' command
Checking for git ... found git version 2.5.0
Checking common problems .. done
Checking for a domain ... mydomainz1955
Checking for applications ... found 1
myapp http://myapp-mydomainz1955.rhcloud.com/
You are using 2 of 3 total gears
The following gear sizes are available to you: small
Your client tools are now configured.
As you can see in the output of the command line: No SSH keys were found. We will generate a pair of keys for you., although I specified in the ~/.openshift/express.conf that I already had ssh keys generated, rhc setup did not take them in consideration or did not find them.
So according to you guys, is it possible to somehow specify a different location for ssh keys loading during rhc setup?
Note: I know how to add additional ssh key, but I would like to stop rhc creating/using ~/.ssh/id_rsa
As far as I see you just want rhc to not use your default ssh key. So here is how you create a separate key and configure rhc to use it instead of the default one.
Key points are that:
you select no to generating and uploading ssh key during rhc
setup
you add your key separately with rhc sshkey add
you configure ssh to use the different key for that domain as you
list in your original example
Does this cover your concerns?
[crackit#koTapaH ~]$ mkdir /home/crackit/my_key_location
[crackit#koTapaH ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/crackit/.ssh/id_rsa): /home/crackit/my_key_location/key.rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/crackit/my_key_location/key.rsa.
Your public key has been saved in /home/crackit/my_key_location/key.rsa.pub.
The key fingerprint is:
c5:20:15:fb:17:96:86:8f:88:28:18:17:2a:b8:eb:51 crackit#koTapaH
The key's randomart image is:
+--[ RSA 2048]----+
| . ..+. |
|.. . . + . . |
|= . . + = |
|.= . . + = . |
|o .E. . S o o |
| ... . |
|.. |
|. . |
| . |
+-----------------+
[crackit#koTapaH ~]$ rhc setup
OpenShift Client Tools (RHC) Setup Wizard
This wizard will help you upload your SSH keys, set your application namespace,
and check that other programs like Git are properly installed.
If you have your own OpenShift server, you can specify it now. Just hit enter to
use the server for OpenShift Online: openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com|
You can add more servers later using 'rhc server'.
Login to openshift.redhat.com:
Login to openshift.redhat.com: asdfgg#example.com
Password: *************
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret. You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... lasts about 1 month
Saving configuration to /home/crackit/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
Created: /home/crackit/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code.
Upload now? (yes|no)
no
You can upload your public SSH key at a later time using the 'rhc sshkey'
command
Checking for git ... found git version 2.1.0
Checking common problems .. done
Checking for a domain ... foobar
Checking for applications ... found 2
jenkins http://jenkins-foobar.rhcloud.com/
tmp http://tmp-foobar.rhcloud.com/
You are using 2 of 3 total gears
The following gear sizes are available to you: small, medium
Your client tools are now configured.
[crackit#koTapaH ~]$ rhc sshkey add mykey my_key_location/key.rsa.pub
RESULT:
SSH key my_key_location/key.rsa.pub has been added as 'mykey'
[crackit#koTapaH ~]$ vi .ssh/config
<.. do your modifications here ..>
[crackit#koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040#tmp-foobar.rhcloud.com ...
*********************************************************************
You are accessing a service that is for use only by authorized users.
If you do not have authorization, discontinue use at once.
Any use of the services is subject to the applicable terms of the
agreement which can be found at:
https://www.openshift.com/legal
*********************************************************************
Welcome to OpenShift shell
This shell will assist you in managing OpenShift applications.
!!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
Shell access is quite powerful and it is possible for you to
accidentally damage your application. Proceed with care!
If worse comes to worst, destroy your application with "rhc app delete"
and recreate it
!!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
Type "help" for more info.
[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit#koTapaH ~]$
Update: I didn't notice keys are generated. But I am sure that the generated keys during rhc setup are not actually used. First because the keys from default location are never added to openshift. And you can see a quick proof below. Another way to see is rhc sshkeys list.
Another thing is that if you already have keys in default location, then no keys are generated (in which case you still select no to not upload them). But it is actually a minor bug IMO in rhc that ssh keys are generated without asking the user. It might be a very rare use case - you don't have default key and you want to use a key from non-standard location (this is not your use case where you have a key in standard location, just don't want to use it) but still IMO one shouldn't generate something user did not request. So here's how I show you that only my desired custom key is used:
[crackit#koTapaH ~]$ rm -rf .ssh/id_rsa*
[crackit#koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040#tmp-foobar.rhcloud.com ...
<...>
Type "help" for more info.
[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit#koTapaH ~]$ ls .ssh/
config known_hosts
[crackit#koTapaH ~]$
Update 2 Of course token cannot help you with ssh:
[crackit#koTapaH ~]$ rm -rf my_key_location
[crackit#koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040#tmp-foobar.rhcloud.com ...
no such identity: /home/crackit/my_key_location/key.rsa: No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
SSH key is used for ssh. Token is used for API requests. These are different use cases. rhc uses the ssh executable underneath so using a custom key means to edit ~/.ssh/config to set your default key to another location or set different keys for different hosts. This is not handled well by rhc setup. But once you have your key set, you don't have to run rhc setup anymore.

How prevent HG Workbench to ask for user name by using subrepositories?

I use HG Workbench and subrepositories over a ssh connection. I use also ssh-rsa to avoid typing my password every time. This works great for the main repository. But if I push or pull HG Workbench (or command shell) promt's with a dialog to typing my login name for every subreposititory. Can I prevent this?
Update:
I use windows. Also I have a [ui] section with username in my global mercurial.ini and in hgrc of every subrepositories.
Simple way is to use SSH keys and follow setup sets by this post: Set up SSH for Mercurial. Key step is to add the following content to mercurial.ini (TortoiseHg’s global setting file):
[ui]
# Name data to appear in commits
username = -name-you-want-to-show- <-email-#email.com>
ssh = "C:\Program Files\TortoiseHg\TortoisePlink.exe" - ssh - 2 - batch - C
Also, make sure Pageant.exe is running in background in order to make it work (Add key > load > your input passphrase file).
On windows edit the global mercurial.ini settings file and add ssh key to the ui section:
[ui]
ssh = tortoiseplink.exe -l <username>
You don't say what OS you are using, but if you are on Linux the hg-ssh command ought to work. There's more info on the Mercurial site here. If you don't get any better answers it might be a good workaround.

Mercurial: How to clone using SSH and .ppk file?

hg clone ssh://denis#medsecop.com//var/www/vhosts/medsecop.com/stage/symphony
returns
remote: Permission denied (publickey).
abort: no suitable response from remote hg!
I have the .ppk file but I don't know how to add options to the ssh command above to use (it says "hg clone doesn't take more arguments")
-i /path/to/keys.ppk
I connect to SSH with this:
sudo ssh -v denis#medsecop.com -i /home/denis/Desktop/MedSec/my-openssh-key
Any ideas?
If you tag question with putty tag, I suppose, you use Windows at your side (and some Win-specific details I'll mention later)?
I don't know how to add options to the ssh command above to use
Well, for any ssh-powered repositories you must to define used ssh-client in (global, user- or repository-specific) config file. For key-based authorization you can define private-key file as parameter of used command or use special additional tool (ssh-agent in *Nix or pageant in Win or...)
Sample
Windows-box with Mercurial (TortoiseHG), full Putty, without Cygwin
Key-based authorization for ssh-repositories: Plink + Pageant
Global mercurial.ini part
[ui]
merge = ...
username = ...
ssh = "PATH\TO\TortoisePlink.exe"
Also Pageant is running and (putty-type) private keys for published public keys loaded into it
When I connect to any ssh-repo, authorization happens automagically
Pageant-less version may include
-i KEYFILE option for TortoisePlink at the repository level - in the .hg\hgrc
--load SESSION option for TortoisePlink (same location as above) for using previously created Putty's session, which have all needed authorization predefined
I solved it by adding the public key
ssh-add file.ppk

Automatically cd to a given remote path when connecting via ssh

I have a bunch of remote servers that I regularly connect to via ssh; which I've setup in my ~/.ssh/config file. I was wondering if it was possible to specify a remote path to cd to when I connect to some of these servers?
For example, I may have something like this in my config file:
Host testbox
HostName 192.123.456.789
User root
And when I ssh in to testbox, I'd like to also cd to /var/www/apps/myapp.
I've had a look around but cannot see an option that would do that via the .ssh/config file.
Cheers,
Diego
You can do this with a tool I've open sourced that allows you to SSH and CD – aptly named sshcd. For the example you've given, you'd simply use:
sshcd root#testbox:/var/www/apps/myapp
Hope this helps!
There's an option in the authorized_keys file.
Do a man on sshd, look under the heading "AUTHORIZED_KEYS FILE FORMAT". You can add various options to each authorized key - one is command="command". As the manpage says, "Specifies that the command is executed whenever this key is used for authentication."