How to call GitHub Secret in Action - github

I have stored my SSH password in GitHub Secrets with the key name PASSWORD. When I use it with ${{secrets.PASSWORD}} I get no output, and therefore no access to the server via SSH. What do I have to do to use my secret as the password?
- name: Run a multi-line script
  run: |
    echo Echo my secret
    echo ${{secrets.PASSWORD}}
- name: executing remote ssh commands using password
  uses: appleboy/ssh-action@master
  with:
    host: '12234.myserver.com'
    username: 'ssh-user'
    password: ${{secrets.PASSWORD}}
    port: '22'
    script: |
      cd www/htdocs/src/

I found out what the problem was, for all those who have the same or similar problems in the future. With GitHub Secrets I made the mistake of storing the password under Environments. But it has to be stored under Repository Secrets.
The next question I had was: what is the difference between a Repository and an Environment Secret? For the short answer take a look at the comment below from @jessehouwing, and/or take a look at the link posted by @Nasir Rabbani: https://stackoverflow.com/a/65958690/13889413.

Related

Pull deploy, github actions and ssh keys

Let's say I want to set up my deploy process using GitHub Actions and a pull strategy.
So I have an Ubuntu server, I copy the public SSH key of the server, add it to my GitHub account, and then I can clone from the Ubuntu server, build and run the app.
That is great, but I feel there is a small trap here.
Keys are added to the account, not to the repo.
What happens if I leave the organization that owns the repository?
The server will lose the ability to do proper CI, right?
The organization owner could create an account that holds the SSH keys and will never leave the organization, but what if repository ownership is transferred?
I am probably missing something here, but why not allow adding keys directly to the repository, not to a user account?
Or is this option there and I missed it somehow?
Keys are added to account, not to the repository.
That is why you have deploy keys, per repository.
A GitHub Action like webfactory/ssh-agent for instance does have support for Deploy keys.
To support picking the right key in this use case, this action scans key comments and will set up extra Git and SSH configuration to make things work.
When creating the deploy key for a repository like git@github.com:owner/repo.git or https://github.com/owner/repo, put that URL into the key comment. (Hint: Try ssh-keygen ... -C "git@github.com:owner/repo.git".)
After keys have been added to the agent, this action will scan the key comments.
For key comments containing such URLs, a Git config setting is written that uses url.<base>.insteadOf. It will redirect git requests to URLs starting with either https://github.com/owner/repo or git@github.com:owner/repo to a fake hostname/URL like git@...some.hash...:owner/repo.
An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to github.com, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com.
You then get a GitHub Action configuration like this example:
name: Deploy
on:
  push:
    tags:
      - 'GA*'
# ...
    - name: Install SSH Client 🔑
      uses: webfactory/ssh-agent@v0.4.0
      with:
        ssh-private-key: ${{ secrets.DEPLOY_KEY }}
    - name: Deploy 🚀
      uses: JamesIves/github-pages-deploy-action@3.5.9
      with:
        BASE_BRANCH: master
        BRANCH: gh-pages
        CLEAN: true
        FOLDER: .
        SSH: true
# ...
On the command line, since GitHub CLI gh 2.5.0 (Feb. 2022), there is gh repo deploy-key:
gh repo deploy-key add <key-file> [flags]
# generate a passwordless SSH key and add it as a deploy key to a repository
$ ssh-keygen -t ed25519 -C "my description" -N "" -f ~/.ssh/gh-test
$ gh repo deploy-key add ~/.ssh/gh-test.pub
See issue 4242 for context.
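The key-comment mechanism described in the answer above, reproduced as an added example in Python (this is not the answer's code nor webfactory/ssh-agent's own implementation): read a deploy key's comment, derive a per-key alias hostname, and emit the url.<base>.insteadOf rewrite plus the SSH Host stanza that maps the alias back to github.com while pinning the key. The key-<hash>.github.com alias form, the public-key file path and the sample key line are assumptions of this example.

```python
import hashlib
import re

# Key comment forms the answer mentions: git@github.com:owner/repo.git
# or https://github.com/owner/repo, optionally with a trailing .git.
_REPO_RE = re.compile(
    r"^(?:git@github\.com:|https://github\.com/)([\w.-]+)/([\w.-]+?)(?:\.git)?$"
)

def repo_from_comment(comment):
    """Return (owner, repo) when the comment names a GitHub repository, else None."""
    m = _REPO_RE.match(comment.strip())
    return (m.group(1), m.group(2)) if m else None

def fake_hostname(key_b64):
    """Per-key alias host (assumed form; it only has to be unique per key)."""
    return "key-%s.github.com" % hashlib.sha256(key_b64.encode()).hexdigest()[:16]

def configs_for_key(pubkey_line, pubkey_path):
    """Return (git insteadOf settings, SSH stanza) for one OpenSSH public key line
    "<type> <base64> <comment>", or None when the comment names no repository.
    pubkey_path is where the key's public part was written (assumed path)."""
    parts = pubkey_line.split(None, 2)
    if len(parts) < 3:
        return None
    _key_type, key_b64, comment = parts
    repo = repo_from_comment(comment)
    if repo is None:
        return None
    owner, name = repo
    host = fake_hostname(key_b64)
    base = "git@%s:%s/%s" % (host, owner, name)
    # Both URL spellings of the repository are rewritten to the alias host.
    git_settings = [
        "url.%s.insteadOf=https://github.com/%s/%s" % (base, owner, name),
        "url.%s.insteadOf=git@github.com:%s/%s" % (base, owner, name),
    ]
    # The alias host maps back to github.com but pins which key ssh offers.
    ssh_stanza = "\n".join([
        "Host " + host,
        "    HostName github.com",
        "    IdentityFile " + pubkey_path,  # public part; the private key is in the agent
        "    IdentitiesOnly yes",
    ])
    return git_settings, ssh_stanza

# Constructed sample: the key material is a placeholder, not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER git@github.com:owner/repo.git"
```

The two git settings go into the runner's global git config and the stanza is appended to ~/.ssh/config; a key whose comment is not a repository URL is left alone.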

How do I get a Yocto build to access a private GitHub repo when using Actions?

In my workflow I can clone the repos and submodules fine and the build starts, but when a recipe that pulls from our GitHub private repos runs, I get an error (all our repos are peers to one another in the same Organization). Note that the recipes that clone from the Internet are working fine, and it builds fine when I clone and build locally. It's just when I use GitHub Actions that I get the following error.
Cloning into bare repository '/home/runner/yocto_cache/downloads/git2/github.com.xxxxx.yyyyy.git'...
fatal: could not read Username for 'https://github.com': No such device or address
Recipe is like...
SRC_URI = "git://github.com/xxxxx/yyyyy.git;protocol=https;nobranch=1;subpath=<folder>/<folder>;rev=${BUILD_REV}"
Workflow
build:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v2
      with:
        token: ${{ secrets.REPO_ACCESS }}
        submodules: recursive
    - name: Configure Git
      run: |
        git config --unset-all "http.https://github.com/.extraheader"
        git config --add "http.https://github.com/.extraheader" "AUTHORIZATION: \
        Basic $(base64 <<< ${{ secrets.REPO_ACCESS }}:x-oauth-basic)"
    - name: Running on VM
      env:
        CC: gcc-9
      run: |
        sudo apt-get install -y diffstat
        gcc --version
        ./yocto-setup.sh
        source ./poky/oe-init-build-env
        bitbake image
I'm having issues finding answers to this specific failure and wondering if someone out there has run into something similar and can provide some assistance.
Judging from the error message
fatal: could not read Username for 'https://github.com': No such device or address
it seems that your private repository located at $SRC_URI wants the Git client (used internally by BitBake) to authenticate itself so it asked for credentials to be provided on the terminal input. GitHub actions are run in a non-interactive mode so there's no terminal input available (thus the error message):
No such device or address
To overcome this, if you want to access your private Git repository over the HTTP(S) protocol without providing the credentials on the terminal input, you have to configure git to include a basic access authentication header in the HTTP request.
The authentication header can be configured using the http.extraHeader git-config option. You can do it directly in your build job by simply adding this extra step before Running on VM:
- name: Configure Git
  run: |
    git config --unset-all "http.https://github.com/.extraheader"
    git config --add "http.https://github.com/.extraheader" \
      "AUTHORIZATION: Basic $(base64 <<< ${{ secrets.REPO_ACCESS }}:x-oauth-basic)"
- name: Running on VM
  ...
After adding the above, the Running on VM step should succeed with the git cloning operation.
(I'm assuming that the provided GitHub REPO_ACCESS secret is an access token with at least read access to the private repository denoted by $SRC_URI.)
You can read more about access tokens here and here.

traefik and basic auth

I use traefik 1.7.14 and I want to use basic auth for my grafana docker-compose service.
I followed e.g. https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
but I also looked at other sources.
In my docker-compose.yml I have for grafana:
grafana:
  image: grafana/grafana
  labels:
    - "traefik.enable=true"
    - "traefik.backend=grafana"
    - "traefik.port=3000"
    - "traefik.frontend.rule=Host:grafana.my-domain.io"
    - "traefik.frontend.entryPoints=http,https"
    - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"
ADMIN_CREDS is in my .env file. I created the content with htpasswd -nbm my_user my_password. I also tried htpasswd -nbB my_user my_password for bcrypt instead of md5 encryption.
In .env
ADMIN_CREDS=test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0
You see: I did not escape $ signs in the .env file.
When I inspect my container at runtime I see exactly the same encrypted password as in my .env file!
docker inspect 47aa3dbc3623 | grep test
gives me:
"traefik.frontend.auth.basic.users": "test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0",
I also tried to put the user/password string directly into the docker-compose.yml, this time by escaping the $ sign.
The inspect command was successful too.
BUT: When I call my grafana-URL I get a basic auth dialog-box and when I type in my user/password combination I get always a
{"message":"Invalid username or password"}
What could be still wrong here? I have currently no idea.
This message actually means that you passed the basic auth of traefik, because the basic auth window would pop up again if you entered invalid credentials.
Grafana on its own uses basic auth, and this one is failing.
DO NOT DO IT IN PRODUCTION: To prove it you could configure grafana to ask for the same user and password. Then it will accept the forwarded basic auth of traefik and allow access.
However, you should either set up basic auth using traefik OR using the grafana basic auth.
You also might want to check the information on running grafana behind a reverse proxy: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#1
and especially https://grafana.com/docs/grafana/latest/auth/auth-proxy/
Another option besides forwarding the auth headers would be to disable forwarding them:
labels:
  ...
  - "traefik.http.middlewares.authGrafana.basicauth.removeheader=true"
Now you should see the grafana login page.

SSH auth fails with "Host key verification failed" despite providing valid keys

In Azure DevOps Pipelines I want to SSH to a private repo with dependencies. I am getting the following error:
Host key verification failed. fatal: Could not read from remote repository.
This is despite uploading the private key to secure files and the public key being set in project variables.
See below:
steps:
  - task: InstallSSHKey@0
    inputs:
      hostName: $(hostname)
      sshPublicKey: $(testkey.pub)
      sshPassphrase: $(passphrase)
      sshKeySecureFile: testkey
  - script: |
      git clone git@github.xxxxxx.com:xxxx/xxxxx.git
    displayName: 'clone repo'
Host key verification failed
This doesn't refer to the SSH key you're trying to use to connect. It refers to the server's SSH public key fingerprint. This is the thing you see (and should check) when you first connect to a new machine.
Verifying the host key fingerprint protects against man-in-the-middle attacks, where a malicious third party could sit between you and your target server passing communication back and forth while observing or modifying said communication. The Azure documentation discusses this as well.
Manually SSH to the machine once, check that the fingerprint is what you expect it to be, and accept it. Subsequent connections should work unless the fingerprint changes.
Maybe not the best solution:
bash: ssh-keyscan -t rsa <host_name> >> ~/.ssh/known_hosts
Can't comment on the previous post 'cause I've got less than 50 rep, but what anca was saying is to paste the following into the known_hosts file:
On Windows, this involves:
- Run Bash
- Copy the output starting "ssh.dev.azure.com ssh-rsa..."
- Paste into C:\Users\<username>\.ssh\known_hosts
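The manual check the accepted answer recommends (compare the fingerprint before trusting the host) can also be scripted, as an added example that is not from any of the posts above: instead of appending raw ssh-keyscan output to known_hosts, keep a line only when the scanned key's SHA256 fingerprint equals one recorded out of band. The host name, the all-zero key blob and the sample scan output are constructed for the demonstration.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan_line(line):
    """Return (host, key_type, key_b64) for one ssh-keyscan line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):  # keyscan emits '# host:22 SSH-2.0-...' comments
        return None
    parts = line.split()
    return (parts[0], parts[1], parts[2]) if len(parts) >= 3 else None

def pinned_known_hosts(keyscan_output, expected):
    """Split ssh-keyscan output into (accepted, rejected) lines.

    expected maps (host, key_type) -> "SHA256:..." fingerprint obtained out of
    band; a line is accepted only when its fingerprint equals that pin.
    """
    accepted, rejected = [], []
    for raw in keyscan_output.splitlines():
        parsed = parse_keyscan_line(raw)
        if parsed is None:
            continue
        host, key_type, key_b64 = parsed
        if expected.get((host, key_type)) == sha256_fingerprint(key_b64):
            accepted.append("%s %s %s" % (host, key_type, key_b64))
        else:
            rejected.append(raw.strip())  # unknown host/type or fingerprint mismatch
    return accepted, rejected

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample key in OpenSSH wire format (an all-zero point: a placeholder, not a real key).
SAMPLE_BLOB_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_SCAN = (
    "# git.example.com:22 SSH-2.0-OpenSSH_8.9\n"
    "git.example.com ssh-ed25519 " + SAMPLE_BLOB_B64 + "\n"
)
```

With real input, feed the captured ssh-keyscan output and a dict of fingerprints taken from the provider's documentation or an earlier trusted connection, then write only the accepted lines to known_hosts and fail the pipeline step when anything is rejected.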

Ansible synchronize asking for a password

I am using Ansible (1.9.2) to deploy some files to a Redhat 6.4 server.
The playbook looks something like this:
- name: deploy files
  hosts: web
  tasks:
    - name: sync files
      sudo: no
      synchronize:
        src={{ local_path }}
        dest={{ dest_path }}
And to kick this off I run something like the following:
ansible-playbook -i myinventory myplaybook.yml -u DOMAIN\\user --ask-pass
When I start the play I enter my password at the prompt, and facts are then obtained successfully; however, as soon as the synchronize task is reached another prompt asks for my password again, like the following:
DOMAIN\user@hostname's password:
If I enter my password again the deploy completes correctly.
My questions are:
How can I fix or work around this, so that I do not have to enter my password for every use of the synchronize module?
Is this currently expected behaviour for the synchronize module? Or is this a bug in Ansible?
I cannot use ssh keys due to environment restrictions.
I do not want to use the copy module for scalability reasons.
Things I have tried
I have seen a number of other questions on this subject but I have not been able to use any of them to fix my issue or understand if this is expected behavior.
Ansible synchronize prompts passphrase even if already entered at the beginning
Ansible prompts password when using synchronize
https://github.com/ansible/ansible/issues/5934
https://github.com/ansible/ansible/issues/7071
The Ansible docs are generally excellent but I have not been able to find anything about this in the official docs.
I have tried specifying the user and password in the inventory file and not using the --ask-pass and -u parameters. But while I then do not have to enter the password to collect facts, the synchronize module still requests my password.
I have tried setting --ask-sudo-pass as well, but it did not help.
I have been using a CentOS 7 control box, but I have also tried an Ubuntu 14.04 box.
Can anyone help?
Why not use an inventory like the one below, encrypted with Vault (ansible-playbook --ask-vault-pass ...)?
[targets]
other1.example.com ansible_connection=ssh ansible_ssh_user=mpdehaan ansible_ssh_pass=foobar
other2.example.com ansible_connection=ssh ansible_ssh_user=mdehaan ansible_ssh_pass=foobar123
Synchronize will ask you for a password if your ansible server credential is different from your target host. I've tried many proposed workarounds; however, none of them worked...
Eventually I had to go back to the file module using --sftp-extra-args to achieve what I needed. It did the trick.
To pass a password to the synchronize module you can use the --password-file option like so:
tasks:
  - name: test_rsync
    synchronize:
      mode: pull
      src: rsync://user@host/your/remote/path
      dest: /your/local/path/
      rsync_opts:
        - "--password-file=/path/to/password_file"
I used the shell for that.
- name: test_rsync
  shell: rsync -a --delete --rsh='/usr/bin/sshpass -p "{{ pass }}" ssh -o StrictHostKeyChecking=no -l $RemoteUser' {{ local_path }} $RemoteUser@{{ inventory_hostname }}:/{{ dest_path }}
  become: false
  delegate_to: localhost # If needed
The password is encrypted with Ansible Vault and saved under /vars/main.yml.