
Gitlab CI/Docker: ssh-add keeps asking for passphrase

What I'm currently trying to do is trigger a script on a remote machine from the Gitlab CI/CD Docker container. The job is configured as follows:

stages:
  - deploy

image: maven:3.3.9

server-deploy:
  stage: deploy
  allow_failure: false
  script:
    ## Install ssh agent
    - apt update && apt install openssh-client -y
    - eval $(ssh-agent -s)
    ## Create SSH key file
    - "echo \"-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZAAAAJiGKEEKhihB
CgAAAAtzc2gtZWQyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZA
AAAEAKbObQgJGXbrKQt4wdCy3YQfpVBqkT5RNEt2IYU5pv3HKMkEZPbUCudr+mKtZVdCoY
Cv9qzOpDkfO+sDYzNUNkAAAAFHN2ZW5AREVTS1RPUC0xTjVKUjRSAQ==
-----END OPENSSH PRIVATE KEY-----\" > deploy-key"
    ## Fix permissions on key file and .ssh folder
    - chmod 700 deploy-key; mkdir -p ~/.ssh; chmod 700 ~/.ssh
    ## Import SSH key
    - ssh-add -k deploy-key
    ## Make sure that ssh will trust the new host, instead of asking
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    ## Run script on the remote server
    - ssh -t [email protected] "./deploy-master"

(The SSH key is just a temporary one, specifically generated for the SO question.) Now the job fails when it arrives at the "ssh-add -k deploy-key" command, asking for a passphrase, as such:

$ ssh-add -k deploy-key
Enter passphrase for deploy-key: ERROR: Job failed: exit code 1

The SSH key obviously has no passphrase attached to it; I can verify this by running the exact same commands on my own Linux machine, where they just work as they should.

So my question is: how can I prevent ssh-add from asking for a passphrase? And I'm also quite curious why this is only occurring on the Gitlab CI Docker container and not on my own PC.

Thanks in advance!

asked Mar 02 '19 11:03 by sven25519



1 Answer

Okay, I got it working. It turns out that ssh-add is very picky about the format of the file and especially the newlines. The newlines in the .gitlab-ci.yml are not transferred directly to the command and so the key ended up being one big line.

Here is how I solved it:

- echo -----BEGIN OPENSSH PRIVATE KEY----- >> deploy-key
- echo b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW >> deploy-key
- echo QyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZAAAAJiGKEEKhihB >> deploy-key
- echo CgAAAAtzc2gtZWQyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZA >> deploy-key
- echo AAAEAKbObQgJGXbrKQt4wdCy3YQfpVBqkT5RNEt2IYU5pv3HKMkEZPbUCudr+mKtZVdCoY >> deploy-key
- echo Cv9qzOpDkfO+sDYzNUNkAAAAFHN2ZW5AREVTS1RPUC0xTjVKUjRSAQ== >> deploy-key
- echo -----END OPENSSH PRIVATE KEY----- >> deploy-key

This way the newlines in the file automatically get created, and now ssh-add picks up the format.

answered Oct 07 '22 11:10 by sven25519
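
A preflight check for the failure described in the answer above, as an added example that is not part of the original post: it rejects a key file whose line breaks were lost, so the job stops with a specific message instead of a passphrase prompt. `check_key_armor` is a hypothetical helper name, the key body is constructed placeholder text, and the folding is simulated with `tr` on the assumption that the double-quoted YAML scalar turned each line break into a space.

```shell
#!/bin/sh
# Added example: preflight check for a key file written by a CI job.
# check_key_armor is a hypothetical helper name, not part of OpenSSH.

BEGIN_LINE='-----BEGIN OPENSSH PRIVATE KEY-----'
END_LINE='-----END OPENSSH PRIVATE KEY-----'

# Return 0 only if FILE has the armor header alone on the first line, the
# footer alone on the last line, and only base64 lines in between.
check_key_armor() {
    f=$1
    [ -r "$f" ] || { echo "key check: $f not readable" >&2; return 2; }
    if grep -q "$(printf '\r')" "$f"; then
        echo "key check: $f contains CR characters" >&2; return 1
    fi
    [ "$(head -n 1 "$f")" = "$BEGIN_LINE" ] || {
        echo "key check: first line is not the armor header alone" >&2; return 1; }
    [ "$(tail -n 1 "$f")" = "$END_LINE" ] || {
        echo "key check: last line is not the armor footer alone" >&2; return 1; }
    body=$(sed '1d;$d' "$f")
    [ -n "$body" ] || { echo "key check: empty body" >&2; return 1; }
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$'; then
        echo "key check: non-base64 line in body" >&2; return 1
    fi
    return 0
}

# Constructed sample: key-shaped placeholder text, not a real key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' "$BEGIN_LINE" 'QUFBQUFBQUFBQUFB' 'QkJCQkJCQkI=' "$END_LINE" \
    > "$demo_dir/good-key"
# Simulate the folded scalar: every line break replaced by a space.
tr '\n' ' ' < "$demo_dir/good-key" > "$demo_dir/folded-key"

check_key_armor "$demo_dir/good-key"   && echo "good-key: ok"
check_key_armor "$demo_dir/folded-key" || echo "folded-key: rejected"
```

In the job, calling the function on deploy-key right before ssh-add makes a mangled file fail at the check rather than at the prompt.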