I followed this link to try to SSH to my server from GitLab CI. For the SSH keys, I went onto the server and generated the public and private keys. The private key is stored in the GitLab CI/CD environment variables.

The YAML template is below, copied mostly from the link.

    image: docker:19.03.8
    services:
      - docker:19.03.8-dind

    deployment:
      variables:
        ip: <ip-address>
      script:
        - apk add --update openssh-client sshpass
        - eval $(ssh-agent -s)
        - echo "$SSH_PRIVATE_KEY" | ssh-add - > /dev/null
        - mkdir -p ~/.ssh
        - chmod 700 ~/.ssh
        - export SSHPASS=$AWS_PASSWORD
        - sshpass -e ssh -o StrictHostKeyChecking=no -vvv ubuntu@$ip echo testing

However, I encountered an error when trying to access the private key.

    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /root/.ssh/id_rsa
    debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_dsa
    debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ed25519
    debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
    debug1: Trying private key: /root/.ssh/id_xmss
    debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    debug3: send packet: type 50
    debug2: we sent a password packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.

I am using gitlab shared runners, if that helps.

[Update]

Forgot to add that on the server I want to connect to, I added the public key I generated (id_rsa.pub) to the authorized_keys file.

[Edit 1]

As suggested, I added the known hosts by copying the output of ssh-keyscan into a variable $SSH_KNOWN_HOSTS. Below is the updated YAML file. However, I encountered the same error.

    deployment:
      variables:
        ip: <ip-address>
      script:
        - apk add --update openssh-client sshpass
        - eval $(ssh-agent -s)
        - echo "$SSH_PRIVATE_KEY" | ssh-add - > /dev/null
        - mkdir -p ~/.ssh
        - chmod 700 ~/.ssh
        - touch ~/.ssh/known_hosts
        - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        - chmod 644 ~/.ssh/known_hosts
        - export SSHPASS=$AWS_PASSWORD
        - sshpass -e ssh -o StrictHostKeyChecking=no -vvv ubuntu@$ip echo testing

Jake
  • Have you tried https://stackoverflow.com/questions/52425064/sshpass-failed-to-run-command-no-such-file-or-directory/57091973 and https://superuser.com/questions/1222574/sshpass-not-working-permision-denied ? – DV82XL Aug 18 '20 at 03:20
  • @DV82XL Tried your previous suggestion on SSH_KNOWN_HOST (see edits). The two other links you added I have tried before too. Now that I think about it, if I use the public/private key method, I shouldn't need the sshpass login; not sure why it doesn't work. – Jake Aug 18 '20 at 04:29
  • What is your end goal? Are you trying to SSH into a remote server to run Linux commands or bash scripts? What about firewalls or proxies? Are you on a corporate network? – DV82XL Aug 18 '20 at 04:53
  • The goal is to run a bash script on the server to deploy my containers. No, I am not on a corporate network. There should not be anything blocking it, since I can use ssh/sshpass normally from my local machine. – Jake Aug 18 '20 at 05:05

1 Answer


I'm not sure about sshpass, since I usually use public/private keys. Here's an example of a job I would set up to run SCP/SSH commands on remote servers:

    deploy:
      stage: deploy
      variables:
        # the variable name must match what the scripts reference ($HOSTNAME)
        HOSTNAME: app-dev
      before_script:
        # optional step if you decide to use a hostname instead of IP address
        - cp -f ./network/etc/hosts /etc/hosts
        # Setup SSH
        - which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
        - eval $(ssh-agent -s)
        # SSH_PRIVATE_KEY is a file-type variable, so it holds the path to the key
        - ssh-add <(cat $SSH_PRIVATE_KEY)
        - mkdir -p ~/.ssh
        - chmod 700 ~/.ssh
        - ssh-keyscan $HOSTNAME >> ~/.ssh/known_hosts
        - chmod 644 ~/.ssh/known_hosts
      script:
        # Copy files and execute commands
        - scp ./scripts/install_package.sh root@$HOSTNAME:/tmp/deploy
        - ssh root@$HOSTNAME "/tmp/deploy/install_package.sh && exit"

Before running the pipeline, you need to do the following:

  1. Generate ssh key pairs using ssh-keygen. Don't use a passphrase. Public key ends in .pub, private key has no extension.
  2. SSH onto remote server, copy contents of public key into ~/.ssh/authorized_keys
  3. Copy the contents of your private key into a GitLab file-type environment variable called SSH_PRIVATE_KEY
  4. If you use a $HOSTNAME environment variable, define the variable in your pipeline and add the IP/hostname to the /etc/hosts file in your pipeline container. Otherwise, just use an IP address instead.
DV82XL
  • Thanks for the help~ For the ssh-keygen, where do I generate it? On my local machine, or on the remote server I want to connect to? I did the latter previously. – Jake Aug 18 '20 at 06:33
  • @Jake ssh-keygen is a CLI tool, part of OpenSSH, which [comes with Windows](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview) and is available on Linux. All that matters is the 2 output keys (text files), so it doesn't matter where you run it. I usually run it on Windows. – DV82XL Aug 18 '20 at 12:04
  • Oh ok, I thought it would matter, because the public key contains the host name at the end. – Jake Aug 18 '20 at 12:18
  • @Jake I usually generate the key on my personal laptop, which will copy my personal hostname, so other people on my team know I created the key in authorized_keys. Shouldn't matter. What error do you get when you try this approach? – DV82XL Aug 18 '20 at 12:37
  • Thanks! Managed to get it working~ Appreciate your patience in walking me through my questions :D – Jake Aug 19 '20 at 02:46
  • @Jake Thanks for selecting my answer... what was the problem? Please share so others may benefit, even if it's something totally mundane (especially if). Good luck on your project! – DV82XL Aug 19 '20 at 04:37
  • I think I somehow missed adding the authorized keys on the server... apparently I put them on the wrong server~ :x But at least I now have a clearer picture of how SSH works in GitLab, with your help. – Jake Aug 19 '20 at 09:41
  • Make sure to add a line break at the end of the variable of type file in the GitLab UI. – Roel4811 Dec 16 '20 at 10:44
  • @DV82XL can you take a look at this question: https://stackoverflow.com/questions/69302699/gitlab-returns-permission-denied-publickey-password-for-digitalocean-server please! – Abdul Rehman Sep 24 '21 at 04:38
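The answer's before_script and Roel4811's note about the missing line break cover the two things that usually go wrong here: the key material pasted into the file variable is not a well-formed key file (or lacks its final newline, which ssh-add rejects), and the host key is either not pinned at all (StrictHostKeyChecking=no) or appended again on every run. The script below is an added example, not code from the question or the answer, that does the same setup with those checks made explicit. It assumes SSH_PRIVATE_KEY is a GitLab file-type variable (so it holds a path) and SSH_KNOWN_HOSTS holds the text of an ssh-keyscan run from a trusted machine; both names are taken from the thread.

```shell
#!/bin/sh
# Added example (not the asker's or answerer's code): before_script helpers
# for loading an SSH key from a GitLab file-type variable and pinning the
# server's host key, with checks for the failure modes seen in the thread.
# Assumed variable names: SSH_PRIVATE_KEY (file-type variable, holds a path),
# SSH_KNOWN_HOSTS (text of `ssh-keyscan <host>` captured once, out of band).

# Return 0 if the file looks like a PEM/OpenSSH private key and ends with a
# newline; otherwise say why on stderr and return 1.
check_private_key_file() {
    f="$1"
    [ -f "$f" ] || { echo "key file missing: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' \
        || { echo "no private key header: $f" >&2; return 1; }
    tail -n 1 "$f" | grep -q '^-----END .*PRIVATE KEY-----$' \
        || { echo "no private key footer: $f" >&2; return 1; }
    # $(tail -c 1) is empty only when the last byte is a newline.
    [ -z "$(tail -c 1 "$f")" ] \
        || { echo "missing trailing newline: $f" >&2; return 1; }
}

# Append the final newline that gets lost when the key is pasted into the UI.
ensure_trailing_newline() {
    [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
}

# Add one ssh-keyscan line to known_hosts unless it is already there.
# Returns 0 when added, 1 when it was a duplicate (re-run jobs stay clean).
add_known_host() {
    kh="$1"; line="$2"
    touch "$kh"
    grep -qxF -- "$line" "$kh" && return 1
    printf '%s\n' "$line" >> "$kh"
}

# Create ~/.ssh with the right modes and pin every host key line from the
# known-hosts text (ssh-keyscan emits one line per host key type).
prepare_ssh_dir() {
    home="$1"; known_hosts_text="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    printf '%s\n' "$known_hosts_text" | while IFS= read -r l; do
        [ -n "$l" ] && add_known_host "$home/.ssh/known_hosts" "$l" || true
    done
    chmod 644 "$home/.ssh/known_hosts"
}

# The whole before_script: validate the key, pin the host, load the agent.
# With the host key pinned, StrictHostKeyChecking can stay at its default,
# so a changed server key fails the job instead of being silently accepted.
setup_ssh_for_ci() {
    key="$1"; known_hosts_text="$2"; home="${3:-$HOME}"
    ensure_trailing_newline "$key"
    check_private_key_file "$key" || return 1
    chmod 600 "$key"
    prepare_ssh_dir "$home" "$known_hosts_text"
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$key"
}

# Usage from .gitlab-ci.yml (before_script), assuming the file is committed
# as ci/ssh_setup.sh (hypothetical path):
#   - . ./ci/ssh_setup.sh && setup_ssh_for_ci "$SSH_PRIVATE_KEY" "$SSH_KNOWN_HOSTS"
```

Because the job ends up with a real known_hosts entry, the `-o StrictHostKeyChecking=no` from the question is no longer needed; a key mismatch then shows up as a clear ssh error in the job log rather than a silent connection to whatever answers at that address.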