I have a private docker registry hosted on GitLab.
I need to support accessing this registry automatically (via Gitlab CI), but I don't want to use developer credentials (insecure and requires changing them every time a dev leaves the company).
How are others authenticating?
Do you create an "API Account" to authenticate with? Docker doesn't seem to support service account keys or other methods of authentication.
Thank you
Edit:
GitLab CI ssh registry login
The accepted answer here answered the question for GitLab.
However, I would like to know if there is any alternatives, since this still only allows ephemeral keys while doing the deployment via GitLab CI
Related
Repos missing suddenly in azure container registry instance.
There were lots of repos in ACR instance and now i am seeing its not available.
Can you help here.
It says "unable to send request to fetch repositories"
If your repositories or tags not available in azure portal I would suggest you use the Firefox or Chrome to list all of your registry's repositories.
To unable to send request to fetch repositories
It's possible to fetch repositories but the browser may be unable to send the server's request to fetch repositories.
Make sure the registration portal you are using from a public network it's allows only private access.
To prevent these issues, Ensure your network connectivity is sufficient, DNS mistakes & Ads blockers.
And check whether you have enabled firewall.
Try to run this command az acr check-health -n yourRegistry using Azure CLI to determine whether your environment can connect to the Container Registry. To avoid any expired cookie, try to use incognito or private session in your browser.
Reference: Azure Container Registry | Microsoft Docs
I tried reading Artifactory user guide but the instructions on SSH authentication were not clear. Can someone explain how to do SSH authentication in Artifactory?
Actually, enabling SSH on Artifactory is fairly straight forward, the client is what may require some additional debugging if it is unable to connect for any reason. The steps for enabling SSH on Artifactory are available in the online documentation for SSH Integration. You simply need to create a key pair on any machine with ssh-keygen installed (most linux distros will have this by default), then click on Admin, select Security -> SSH Server, click Enable SSH and add in the private and public key just created. Select a port and set the custom base url if necessary and Save.
Now, the user in Artifactory that wishes to authenticate with SSH needs to add his public key to his profile. This can be done by simply logging in and clicking your username in the top right corner of Artifactory. Under this section, you will need to add your password again and then you can simply paste the public key in the SSH section, you can read about this process in Updating Your Profile.
That's it, Artifactory is now ready for SSH for that particular user, and any other user can add their public key to their profile to use SSH authentication.
Configuring the client depends on which client you are attempting to setup. The most common use case is GitLFS, so I will share some documentation for setting up Git LFS with SSH to Artifactory.
Most of what you need to setup Git LFS can be found in JFrog's Git LFS Repository Authenticating with SSH documentation, or in JFrog's public solution on Git LFS Authentication. The latter contains an example of what the git config file should look like and also contains relevant information on setting up SSH authentication with an nginx reverse proxy (if you have one configured and running).
If this doesn't answer your question, can you please provide some more details on which client you are using to authenticate and specifically what is not working (any relevant error messages or log output), both Artifactory and client-side.
Is there anyway to add multiple ssh keys for one user in JFrog Artifactory? I am administrating multiple servers and want to use Artifactory CLI with ssh-key to access artifacts in the repository.
EDIT: I'm using Artifactory to publish multiple instance of one application into different servers. On each server there exists some users and some running applications where each user has access to deploy newer versions of some of those applications. The problem is that I do not want to share my public-private key for my user on different servers (Of course I'm not a security expert and don't really know whether this is a right decision or not :) )
The solution for the use case described would be creating Artifactory user accounts for all the users who needs to deploy. Then you can grant the users deployment permissions for the applications they are working on.
For each of these users you can configure its own SSH key, so you will not need to share your own key.
I have currently installed gsutil on a server to access my GCS buckets. I followed the instructions under the section 'How to convert gsutil to use OAuth 2.0' from https://cloud.google.com/storage/docs/gsutil_install
The intermediate steps in the instructions require that a URL is copy pasted in the browser to generate a code that you have to enter again on the terminal. You also need to enter proxy server details (if any).
I am looking for ways to automate this set up and configuration process for gsutil.
Any ideas/references/suggestions/comments are welcome.
Thanks.
Can you say more about what you're trying to do? Are you looking to create distinct credentials for each of a set of users, or are you trying to set up gsutil running on multiple machines all as part of an application that authenticates as that application to Google Cloud Storage?
For the former you need users to set up their own credentials. The web-based dialog for OK'ing the creation of OAuth2 credentials was designed to make it unlikely that a customer could grant long lasting credentials without being aware that they are doing so (for security reasons).
For the latter you should use a service account (see https://cloud.google.com/storage/docs/authentication#service_accounts). You create those credentials once and then deploy them on your production machines along with gsutil - which is a valid security approach because all instances of those machines are authenticating on behalf of an application, not distinct users.
Our current infrastructure uses ssh keys for passwordless login to our Linux servers.
As our infrastructure grows, managing these authorised keys is getting harder.
As we also have an Active Directory (AD) server, I would like to authenticate the users over ssh using this mechanism, but maintain the passwordless nature of ssh keys.
Is it possible to authenticate the users over ssh without password, using some AD mechanism?
This is usually done via SSH key certificates in order to keep the password-less nature and at the same time have a Central Authority that can be trusted to generate new certificates for each account.
LDAP/Active directory use on login is not advised - apart from having to use passwords, it also becomes a single point of failure for access to any system it manages.
See RedHat documentation on how to do this and also Facebook's good write up on their use of certificate authentication with SSH.
Option 1
This is a good article explaining how to do this.
Storing SSH keys in Active Directory for easy deployment
Basically, it will allow people to post their public keys to your Active Directory and then you can set up a cron script on your servers to fetch a copy of the public keys every 5 minutes or so.
Option 2
You could also use a file server that has all your keys and get each server to fetch from there using a cron script. Obviously, you need a way to verify each key's authenticity especially if you are using FTP or some other insecure protocol. This could be achieved using GPG. You could have a company master GPG key that signs all the employee keys.
Personally, I like option 2 the best because I think it is more secure, but either method should work. Hope this helps!
My approach would be to reduce the problem to an already solved one by
Use active directory to authenticate without password and establish an HTTPS connection using Kerberos. The Dzone Tutorial Configuring Tomcat 7 Single Sign-on with SPNEGO might be a good starting point for that approach.
Wrap SSH into the https-protocol like, see section Wrapping SSH in HTTP(S) at https://unix.stackexchange.com/questions/190490/how-to-use-ssh-over-http-or-https