(Note: I know that a personal access token will work, but external reasons require me to do this via an SSH Deploy Key. Both the source repo and the target repo are private.)
I need to use CircleCI to push every commit from the source repo to the target repo. Assume the repos are named source and target. I am configuring CircleCI to run my custom push script but it's saying that the key is read-only.
What I've done:
Created a new key pair with ssh-keygen on my PC and compress the private key.
Uploaded the public key id_rsa.pub to the target repo as a Deploy Key, with "allow push access with this key" ticked.
Put the compressed private key in the repository Environment Variables on CircleCI
Wrote this script:
#!/bin/bash
set -e
if [ -z "$SSH_KEY_E" ]; then
echo "No SSH key found in environment, set it as \$SSH_KEY_E" >&2
exit 1
fi
echo "$SSH_KEY_E" |
base64 -d |
gunzip -c > ~/.ssh/m.id_rsa
set -x # debug
cat >> ~/.ssh/config << EOF
Host GHMirror
HostName github.com
User git
Port 22
IdentityFile ~/.ssh/m.id_rsa
EOF
git remote add mirror GHMirror:iBug/circleci-target.git
git push mirror +master
The output log indicates that the key restored from environment is valid, but it doesn't seem like it's used to push to GitHub.
Some points I'd like to point out:
At the beginning, I overwrote ~/.ssh/id_rsa and used directly git#github.com:iBug/target.git as the remote URL for mirror, but it didn't work, saying the key is read-only
Then, thinking that the default key (by CircleCI) might be located at somewhere else, I changed the remote host to GHMirror and wrote this rule to ~/.ssh/config, as seen in the shell script. Still it complains that the key is read-only
I changed the key to another path ~/.ssh/m.id_rsa, but no luck.
I have verified that everything by running the script locally, and it successfully pushed to the target repository, so there must be something on CircleCI that I'm missing.
Update 1
I added the environment variable GIT_SSH_COMMAND="ssh -vv" and got this result:
debug1: key_load_public: No such file or directory
debug1: identity file /home/circleci/.ssh/id_rsa type -1
...
debug2: key: (0xREDACTED), agent
debug2: key: /home/circleci/.ssh/id_rsa ((nil))
debug2: key: /home/circleci/.ssh/id_dsa ((nil))
debug2: key: /home/circleci/.ssh/id_ecdsa ((nil))
debug2: key: /home/circleci/.ssh/id_ed25519 ((nil))
However, ls -l ~/.ssh/id_rsa shows that the file is there, with permission 0600.
I believe the problem you are experiencing is due to the ssh-agent offering the CircleCI key, which is read-only. I've hit this problem as well in the past. To debug you can use the following:
export GIT_SSH_COMMAND="ssh -vv"
This will print out details about which key is being used.
I was able to fix the problem with something like this:
# Disable the ssh-agent
export SSH_AUTH_SOCK=none
# Tell ssh to use the specific SSH key
export GIT_SSH_COMMAND="ssh -i path/to/key"
Also make sure that you chmod 0600 path/to/key. SSH will not use keys if they are readable by other users.
Related
Summary:
As I'm integrating CI to the development workflow, I'm also trying to move the executions of Bitrise workflows to our local iOS Mac Computer which is setup as a Jenkins slave.
The projects that I'm trying to build therefore needs to be built on this iOS Computer.
Problem:
I'm trying to establish an ssh connection to an integration user (a GitHub account that has access to my repositories) and I have created a key and added it to the GitHub user as well as to the .bitrise.secrets.yml file.
But when the initial step, the activate-ssh-key step is executed, it results with an error that I can't add the SSH key to the ssh-agent with empty passphrase. (Is this somehow configurable? Can I just evade this?)
Here is the output log:
https://pastebin.com/FCHhZNDb
Step in bitrise.yml:
- activate-ssh-key#4.0.2: {getenv "SSH_RSA_PRIVATE_KEY"}
.bitrise.secrets.yml:
envs:
- SSH_RSA_PRIVATE_KEY: ssh-rsa *KEY*
|------------------------------------|
I have also tried putting the ssh key directly in the .ssh directory which did not work.
Any help is really appreciated! :)
TL;DR
Trying to connect bitrise cli with github via ssh, doesn't work.
The SSH key you used seem to be protected with a passphrase. You should generate one that does not require a passphrase to be specified, and register that for the repository.
How to generate such an SSH key: https://devcenter.bitrise.io/faq/how-to-generate-ssh-keypair/
ssh-keygen -t rsa -b 4096 -P '' -f ./bitrise-ssh -m PEM
Alternatively you can replace the Activate SSH Key step with a script one and activate the SSH key any way you like.
Or if you prefer to not to use SSH keys you could switch to using https:// git clone urls (instead of the SSH / git# one) and replace the Activate SSH Key step with the Authenticate with GitHub OAuth one (https://www.bitrise.io/integrations/steps/authenticate-with-github-oauth).
I use my project at work, but I would like to work with him from home as I can log into my home machine to work with my project.
However, from home, I see the following message:
The authenticity of host 'github.com (ip)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?
How can I get past it?
You should simply be able to answer 'yes', which will update your ~/.ssh/known_hosts file.
A better approach, to avoid any MITM (Man-In-The-Middle) attack, would be (as commented below by Mamsds) to verify Github's public key first (see "GitHub's SSH key fingerprints") and, if you find a match, then you can answer 'yes'.
Example:
ssh-keyscan -t ecdsa github.com 2>&1 |ssh-keygen -lf -
256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)
After that, you can use a GitHub SSH URL (provided you have generated the SSH public/private keys, and registered the public one to your GitHub profile)
Note: the ssh key generation should use the base64 old PEM format (option -m PEM), rather than the new current 70 chars OpenSSH one.
See "What is the correct format for private key in Credentials":
ssh-keygen -m PEM -t rsa -P "" -f afile
That or you can switch to an HTTPS URL.
As you are attempting to connect to Github using SSH for the first time (no existing entry for Github in ~/.ssh/known_hosts yet), you are being asked to verify the key fingerprint of the remote host. Because, if an intruder host represents itself as a Github server, it's RSA fingerprint will be different from that of a GitHub server fingerprint.
You have two options.
You may just accept, considering you don't care about the authenticity of the remote host (Github in this case), or,
You may verify that you are actually getting connected to a Github server, by matching the RSA fingerprint you are presented to (in the prompt), with GitHub's SSH key fingerprints in base64 format.
The latter option is usually more preferable.
Just add Github fingerprint to known hosts this way:
mkdir -p ~/.ssh
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
Use one of the following two solutions:
1) Set up the SSH key
Follow the steps discussed on this GitHub help page.
https://help.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh
2) Clone using git with HTTPS
Type (copy/paste) the following commands in a terminal on the machine where you would like to clone the repository
git config --global url."https://github.com/".insteadOf git#github.com:
git config --global url."https://".insteadOf git://
You can revert this change using the following commands
git config --global url."git#github.com:".insteadOf https://github.com/
git config --global url."git://".insteadOf https://
Try these steps:
Open Git Bash
Check for existing SSH keys:
$ ls -al ~/.ssh
If you already have them, you will see:
id_rsa.pub
id_ecdsa.pub
id_ed25519.pub
If you don't, generate one (Press Enter to accept the default file location):
$ ssh-keygen -t rsa -b 4096 -C "your_email#example.com"
To copy the key to clipboard:
$ clip < ~/.ssh/id_rsa.pub
Go to your account on Github/Settings/SSH and GPG keys/New SSH key
Paste your key there
Next, type:
$ git remote
If you see origin, remove it:
$ git remote remove origin
Continue with the last 2 steps provided on GitHub repo page...
$ git remote add origin git#github.com:USERNAME/REPONAME.git
$ git push -u origin master
Refresh your GitHub repo page
Voila!
1- Create SSH key
if you don't have the ssh-key create it like this:
ssh-keygen -t rsa -b 4096 -C "youremail#example.com"
2- Check your SSH key
For this go to your folder ssh, example:
cd ~/.ssh
after that, run this command line : ls
if you have the files: id_rsa, id_rsa.pub so the all is good
now you need to copy your id_rsa.pub ! (⚠️ NOT the id_rsa)
for this run cat id_rsa.pub and copy the result
3- Github / Gitlab
Go to your github / gitlab.
Follow the step by your hosting:
github: Click on your profile -> Settings -> SSH and GPG Keys -> New SSH key
gitlab: Click on your profile -> preferences -> SSH keys
past your id_rsa.pub that you have already copied !
4- If you have already did it and it's already not working ??
When your enter your ssh-key in github / gitlab your key have a Expiration date so you just need to change it
That it ! Have a good work 😀
You just need to type yes and it will work, for more information you can refer to the Official Github documentation. This will give an output saying
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.
Is it possible to use both the github and bitbucket repo in personal computer.
if not, Let me know any other possibilities.
Thanks in advance.
Complete Guide to Add SSH keys for both github and bitbucket in single PC
if you already have one ssh key then you must have 2 files public(id_rsa.pub) and Private key(id_rsa) in the .ssh folder You can Skip the Step 2
Step 1. Prepare your default identity it Required for Both Account Before Doing Step 2 and Step 3
Determine your Git clone URL.
$ git remote -v
origin git#bitbucket.org:teamsinspace/bitbucketspacestation.git (fetch)
origin git#bitbucket.org:teamsinspace/bitbucketspacestation.git (push)
Update the remote URL with your Bitbucket username by replacing git#bitbucket.org with <username>#bitbucket.org.
For this step and the ones that follow, enter your username in place of .
$ git remote set-url origin <username>#bitbucket.org:teamsinspace/bitbucketspacestation.git
Step 2 : create the 1st ssh key with default names (id_rsa)
$ssh-keygen
You will see the following text:
Generating public/private RSA key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
you can input the password to secure your file or you can press enter for all the steps and then it will create one ssh key.
By default, the system adds keys for all identities to the /Users/<username>/.ssh directory
You can check the already existing ssh key by following command
$ ls ~/.ssh
id_rsa id_rsa.pub
Two files should be there one with the name of the key(id_rsa) Private key second with the same (ir_rsa.pub) public key.
you can open make it visible by ctrl + h in Home Directory
then it will be shown
Second, Create your known hosts file if you not have already
To create your known hosts files-
touch known_hosts
STEP 3 : Sethup the Multiple account ssh
3.1 : Create 2nd Key With default name
You might be using one SSH key pair for working on your company's internal projects, now but you might be need a diffrent key for accessing a client's servers so you can create the key
By run the same command ssh-keygen again it will create the 2nd ssh key files with the name of [ id_rsa2 and id_rsa2.pub ]
3.2 : Create the 2nd Key with Custom Name
ssh-keygen -f NAME_OF_YOUR_KEY
$ ssh-keygen -f work_key it will create then 2 files
[ work_key, work_key.pub ]
if want to run the one key at a time then you can use this command before connecting to that repo for pull and push .
ssh-add -K ~/.ssh/YOUR_KEY_FILE
ssh-add -K ~/.ssh/work_key
Step 4 : Setup both two Accounts at the same time
You want to Setup both two Accounts at the same time then you will have to use the following command
Third Create your config file
To create your config file
touch config or open directly into any text editor,
Here is Example for One Github and one Bitbucket account
Host : name of your ssh setting you can give custom name
HostName : github domain or bitbucket domain
IdentityFile : path of your ssh file
#Work account
Host pers
HostName github.com
User git
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
#Personal account
Host work
HostName bitbucket.org
User git
IdentityFile ~/.ssh/work_key
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
Step 5 : Add your public keys to the Bitbucket or github account
For Bitbucket
For Github [Go to Setting of your Account -> SSH and GPG key]
Step 6 : Add your public permanently
ssh HOST(What we written in config file )
like
ssh work
if you got this error make sure you did Step 4 Correctly.
git#bitbucket.org: Permission denied (publickey).
or can be use this way as well
Now you can use
git clone `git#pers/project.git`
git clone `git#work/project.git`
Step 7 : auotmaticly pick by domain name we are requiesting to
Managing SSH keys can become cumbersome as soon as you need to use a second key. Traditionally, you would use ssh-add to store your keys to ssh-agent, typing in the password for each key. The problem is that you would need to do this every time you restart your computer, which can quickly become tedious.
if you have only two account and one in the github and one in the bitbucket you can use the following approch to auotmaticly pick by domain name we are requiesting to
#Work account
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
#Personal account
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/work_key
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
Here is a link to further guidance on it
https://www.freecodecamp.org/news/the-ultimate-guide-to-ssh-setting-up-ssh-keys/
https://support.atlassian.com/bitbucket-cloud/docs/set-up-additional-ssh-keys/
Yes it is. You tell git where the remote code lives from a per-repository configuration file. You can even push to GitHub and Bitbucket from the same repository if you want to.
See here for more details:
http://blog.lckymn.com/2013/03/11/git-push-to-pull-from-both-github-and-bitbucket/
One important piece will be connecting to each separately with SSH.
Your SSH keys should live in $HOME/.ssh and can contain any number of keys. The default name for an SSH key is id_rsa (or similar, depending on the protocol used to create it).
Try doing:
ls $HOME/.ssh
... to see what's in there.
I do what you are asking about myself and for me that brings up something like:
github-personal
github-personal.pub
bitbucket-work
bitbucket-work.pub
known_hosts
Where known_hosts is a file that contains a list of the servers I connect to and the public keys associated with them. The other files that end in .pub are my own public keys and the rest are my private keys.
You get your GitHub and Bitbucket keys into there by following their appropriate tutorials:
GitHub: https://help.github.com/articles/generating-ssh-keys/
Bitbucket: https://confluence.atlassian.com/display/BITBUCKET/Set+up+SSH+for+Git
Yes, it is possible to use both the github and bitbucket repo in personal computer.
You can setup multiple SSH profiles.
First Generate your SSH keys To generate the first key-from your root folder
$ cd ~/.ssh
$ ssh-keygen -f work_key,
then enter a passphrase of your choice.
To generate the second key
$ ssh-keygen -f personal_key, then enter a passphrase of your choice.
Second, Create your known hosts file
To create your known hosts files-
touch known_hosts
Third Create your config file
To create your config file
touch config, then it would look something like this
#Work account
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
#Personal account
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/id_rsa2
UserKnownHostsFile ~/.ssh/known_hosts
IdentitiesOnly yes
Then add your SSH key to bitbucket. Go to bitbucket, settings, then SSH keys
pbcopy < id_rsa.pub (to copy the key) and paste it in bitbucket
Definitely YES. You can generate ssh key pair first, see How to generate, then go to .ssh directory, copy the content of id_rsa.pub, and paste into your github or bitbucket ssh setting area.
I make use of Sourcefree Desktop Application and My Gitbash prompt
to push my project to Bitbucket and Github repository simultaneously
below is what i did
right click to open bash shell of the folder you want to push
First you need to create key, i will advice make use of the same ssh key
create key
ssh-keygen -t rsa -C "your_email#example.com"
go to the folder directory
right click and click on git bash
then run the below command one after the other
git init
git add .
git commit -m "first"
open your sourcefree desktop app
click on + to open your local
repo file
create repo on bitbucket
then click repo icon
then click on repo icon to add
name: originbit
url: "repo link you created"
For your bitbucket you have to make use of both
public ssh key and private ssh key if you want to make use of
both public and private repository
To make use of ssh key earlier created
go to TOOLS icon of sourcefree App
Click on load tab
then resave it with .ppk extension
save the same key as private key and public key
in the same directory
dont input passhrase yet to avoid difficulties
just save it.
so that it can be loaded to pageant icon
to create new key
go to TOOLS icon of sourcefree
then click on create ssh key
change the bottom number to 2048
but if you are unable to change it
first create a new key then drag your mouse around the colum provided
in a zigzag way or any form once created.
change the 1048 to 2048 so that it can be accepted at bitbucket ssh
then recreate a new key
then save it as public key and private key
add key to the Pageant (check your desktop notification for this Pageant key icon)
add both private ssh key and ssh public key
Goto your bitbucket account seetings
and add the content of the two ssh keys
name them differently
go back to the bash shell
git status
git add -A
git pull originbit master
git commit -m "modified code"
git push originbit master
create repo on github
Open Sourcefree desktop app
copy the repo url
then click repo icon
then click on repo icon to add
then push on Sourcefree
In my Microsoft.PowerShell_profile.ps1 document, I've had to add ssh-add ~/.ssh/github_rsa following the poshgit examples in order for it to connect to my GitHub repos.
# Load posh-git example profile
. 'C:\tools\poshgit\dahlbyk-posh-git-8aecd99\profile.example.ps1'
ssh-add ~/.ssh/github_rsa
If I don't have that in my profile, I Github gives me permissions errors when I try to connect.
If I do it manually, it will work for the entire duration of my desktop session, but as soon as I reboot my computer, I need to re-run the command.
Why doesn't poshgit and ssh-add remember the rsa that I've added? It seems wrong to have to re-add it every time.
It's because your rsa key is not the default name ( id_rsa ) so you either need to use ssh-add (which adds it to a running service that remembers the key decrypted with your passphrase) or just add an entry into your ~\.shh\config
~\.ssh\config (create or edit):
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_rsa
Or, if github is the only thing you use ssh keys for, just rename the key to id_rsa and then git (well ssh.exe) will find it for you automatically AND poshgit will ssh-add it for you (to handle passphrases).
Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git#github.com, I am always asked my passphrase, but I am always eventually authenicated. (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins#alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)
Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty
To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git#github.com (change address according to your git server)
I got around this problem by simply leaving the passphrase empty when creating the keys.
I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*
To check are the following:
if the right public key (id_rsa.pub) is uploaded to the git-server.
jenkins user will access to github -> to CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git#github.com to see debug logs. If thing goes well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git#github.com
Dont try to do config in jenkins until ssh works!
If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match
For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1.Remove all Public and Private keys located at /Users/Username/.ssh
2.Remove all the credentials saved under the Credentials tab in Jenkins.
3.Remove the existing Public SSH keys defined in the Github Repository Settings.
4.Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5.Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.
6.In Jenkins,create new credentials by adding the private SSH key(id_rsa) for your Github username.
7.The Error should be removed now.
keys need to generated from jenkins user.
sudo su jenkins
ssh-keygen
once the key is generated, it should be added as ssh key in bitbucket or github.