SSH from Docker image using Drone

Question

I've been trying for far too long to get an SSH command working from Drone, which runs in a Docker container called bb. I've added RUN echo " IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config in my Dockerfile per some recommendations in other threads.

I've used docker run -it bb /bin/bash to check that SSH keys are there, and I can successfully SSH into a remote host using that interactive terminal.

However, when I try to do the same command using the .drone.yml build script like this:

image: bb
script:
  - whoami
  - ssh -vvv -t -t 192.0.2.1 "whoami"

...I get "Permission denied" errors after being bumped down to password-based identification. (The whoami runs inside the container, outputs root, and continues to the ssh command.)

I've boiled down the verbose output to this relevant piece:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp f2:...
debug3: sign_and_send_pubkey: RSA f2:...
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

...where it clearly says "we did not send a packet, disable method". I've checked the key's fingerprint with ssh-keygen -lf /root/.ssh/id_rsa and it matches the one in the output.

I then watched the auth logs (/var/log/auth.log) on the remote host and I can see my successful tests, but when Drone runs its container the logs report that `RSA_public_decrypt failed'. Here are the logs.

Successful (interactive container) login:

Accepted publickey for root from 192.0.2.1 port 59472 ssh2: RSA f2:...
pam_unix(sshd:session): session opened for user root by (uid=0)
Received disconnect from 192.0.2.1: 11: disconnected by user
pam_unix(sshd:session): session closed for user root

Failed (Drone container) login:

error: RSA_public_decrypt failed: error:04067084:lib(4):func(103):reason(132)
Failed password for root from 192.0.2.1 port 54172 ssh2
Failed password for root from 192.0.2.1 port 54172 ssh2
Connection closed by 192.0.2.1 [preauth]

So it looks like my key is not sent by the Drone container. I've run whoami in the build script, and it reports that it's running as root, which is what I expect.

How can I get this to work?

Do you get the same result when you run `docker run -ti bb ssh -vvv -t -t 192.0.2.1 "whoami"`? — Chris McKinnel, Dec 07 '15 at 17:12
@ChrisMcKinnel - just ran that and it returns `root` as expected, which matches the `whoami`. I also just tried `root@192.0.2.1` - no dice. — Ben, Dec 07 '15 at 18:19
Also tried `ssh -vvv -t -t -i /root/.ssh/id_rsa root@192.0.2.1 "whoami"`. — Ben, Dec 07 '15 at 22:56
Hm, `reason(132)` means `RSA_F_RSA_NULL_PRIVATE_DECRYPT` so it seems that it can't get the private key. Have you set the correct permissions on `/root/.ssh/id_rsa`? Maybe add `- chmod 600 /root/.ssh/id_rsa` to your .drone.yml. — Chris McKinnel, Dec 08 '15 at 00:07
The other thing you could try is forward the output of your ssh command to a file somewhere to see if you can inspect the actual error it's returning. — Chris McKinnel, Dec 08 '15 at 00:08
Also, the output of `- ls -la /root/.ssh` and `- cat /root/.ssh/id_rsa` might shed some more light on whether or not your drone container is successfully getting the private key. — Chris McKinnel, Dec 08 '15 at 00:20
Thanks @ChrisMcKinnel! Your support helped me through this difficult time :) — Ben, Dec 08 '15 at 03:45

score 2 · Accepted Answer · answered Dec 08 '15 at 03:42

GOT IT. While digging around in the settings for that repository, I noticed a "Public Key" field:

I tried adding that to the authorized_keys file, and running my .drone.yml, and what do you know - it worked. Went back and checked the docs - it's nowhere to be found. Undocumented super secret field FTW.

SSH from Docker image using Drone

1 Answers1