Failed to add the SSH key to the ssh-agent with an empty passphrase (Bitrise CLI) - github

Summary:
As I'm integrating CI to the development workflow, I'm also trying to move the executions of Bitrise workflows to our local iOS Mac Computer which is set up as a Jenkins slave.
The projects that I'm trying to build therefore need to be built on this iOS Computer.
Problem:
I'm trying to establish an ssh connection to an integration user (a GitHub account that has access to my repositories) and I have created a key and added it to the GitHub user as well as to the .bitrise.secrets.yml file.
But when the initial step, the activate-ssh-key step is executed, it results with an error that I can't add the SSH key to the ssh-agent with empty passphrase. (Is this somehow configurable? Can I just evade this?)
Here is the output log:
https://pastebin.com/FCHhZNDb
Step in bitrise.yml:
- activate-ssh-key@4.0.2: {getenv "SSH_RSA_PRIVATE_KEY"}
.bitrise.secrets.yml:
envs:
- SSH_RSA_PRIVATE_KEY: ssh-rsa *KEY*
I have also tried putting the ssh key directly in the .ssh directory which did not work.
Any help is really appreciated! :)
TL;DR
Trying to connect bitrise cli with github via ssh, doesn't work.

The SSH key you used seems to be protected with a passphrase. You should generate one that does not require a passphrase to be specified, and register that for the repository.
How to generate such an SSH key: https://devcenter.bitrise.io/faq/how-to-generate-ssh-keypair/
ssh-keygen -t rsa -b 4096 -P '' -f ./bitrise-ssh -m PEM
Alternatively you can replace the Activate SSH Key step with a script one and activate the SSH key any way you like.
Or if you prefer not to use SSH keys you could switch to using https:// git clone urls (instead of the SSH / git@ one) and replace the Activate SSH Key step with the Authenticate with GitHub OAuth one (https://www.bitrise.io/integrations/steps/authenticate-with-github-oauth).

Related

SSH auth fails with "Host key verification failed" despite providing valid keys

In Azure DevOps Pipelines I want to SSH to a private repo with dependencies. I am getting following error:
Host key verification failed. fatal: Could not read from remote repository.
Despite uploading private key to secure files and public key is set in project variables.
see below
steps:
- task: InstallSSHKey@0
  inputs:
    hostName: $(hostname)
    sshPublicKey: $(testkey.pub)
    sshPassphrase: $(passphrase)
    sshKeySecureFile: testkey
- script: |
    git clone git@github.xxxxxx.com:xxxx/xxxxx.git
  displayName: 'clone repo'
Host key verification failed
This doesn't refer to the SSH key you're trying to use to connect. It refers to the server's SSH public key fingerprint. This is the thing you see (and should check) when you first connect to a new machine.
Verifying the host key fingerprint protects against man-in-the-middle attacks, where a malicious third party could sit between you and your target server passing communication back and forth while observing or modifying said communication. The Azure documentation discusses this as well.
Manually SSH to the machine once, check that the fingerprint is what you expect it to be, and accept it. Subsequent connections should work unless the fingerprint changes.
Maybe not the best solution:
bash: ssh-keyscan -t rsa <host_name> >> ~/.ssh/known_hosts
Can't comment on the previous post 'cause I've got less than 50 rep, but what anca was saying is paste from the following into the known_hosts file:
On Windows, this involves:
Run Bash
Copy the output starting "ssh.dev.azure.com ssh-rsa..."
Paste into C:\Users\<username>\.ssh\known_hosts
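An added example, not part of the answers above: piping ssh-keyscan straight into known_hosts trusts whatever key the network returns, so this Python example compares each scanned key's SHA256 fingerprint with one obtained out of band before anything is accepted. The host name, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib

def sha256_fingerprint(key_b64):
    """Fingerprint as `ssh-keygen -l` prints it: SHA256 of the key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def filter_scanned_keys(scan_output, pinned):
    """Split `ssh-keyscan`-format lines ("host keytype base64key") into (accepted, rejected).

    pinned maps host -> set of fingerprints obtained out of band, for
    example from the provider's documentation. Only accepted lines are
    safe to append to known_hosts.
    """
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        fields = line.split()
        try:
            host, key_b64 = fields[0], fields[2]
            ok = sha256_fingerprint(key_b64) in pinned.get(host, set())
        except (IndexError, ValueError):  # short line or invalid base64
            ok = False
        (accepted if ok else rejected).append(line)
    return accepted, rejected

# Constructed sample data: placeholder host name and dummy key blobs.
HOST = "git.example.test"
GENUINE = base64.b64encode(b"constructed-genuine-host-key").decode()
SPOOFED = base64.b64encode(b"constructed-spoofed-host-key").decode()
# In practice the pin is copied from a trusted source, never derived from the scan.
PINNED = {HOST: {sha256_fingerprint(GENUINE)}}
SCAN = f"# {HOST}:22 SSH-2.0-constructed\n{HOST} ssh-rsa {GENUINE}\n{HOST} ssh-rsa {SPOOFED}\n"

if __name__ == "__main__":
    accepted, rejected = filter_scanned_keys(SCAN, PINNED)
    print("append to known_hosts:", accepted)
    print("refuse and fail the job:", rejected)
```

In a pipeline, a non-empty rejected list should fail the job rather than be ignored.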

IntelliJ Settings Repository using ssh authentication

I'm trying to use the Settings Repository feature in Intellij 2017.1 but I want to use an ssh url for the repo instead of https. I don't like to deal with those personal access tokens that then you can't copy after they get created for the first time. So I'm trying to use ssh but when I click "Override Local", I get the following error
Failed to set upstream repository: Read-only file system
Am I forced to use https or there's a way to configure it to work with ssh? my ssh key works fine in the terminal to push and it is in the normal location ~/.ssh
This answer possibly doesn't solve your issue but I'll still add it because this page was a first result in Google by "intellij settings repository auth fail" request.
I had an issue with "Auth fail" error when adding settings repository. I faced it after upgrade to macOS Mojave 10.14.1 which provides new version of ssh-keygen binary.
The cause was a new ssh key which I generated with ssh-keygen -t rsa -C "Michael Ledin" -b 4096 command.
Check your private SSH key (usually ~/.ssh/id_rsa). If it starts with
-----BEGIN OPENSSH PRIVATE KEY-----
then it has new RFC4716 key format which is currently not supported by JGit used by IntelliJ based IDEs.
To solve this issue you can:
either generate new key in old "PEM" format, add -m "PEM" option:
ssh-keygen -t rsa -C "Michael Ledin" -b 4096 -m "PEM"
or if you already added your public key to ssh remotes and repositories and it's hard to replace it with new key everywhere, then you have two options to convert it to old PEM format:
a) with ssh-keygen (it will ask for a new passphrase - use the old one or leave it empty):
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
b) with putty
first install putty and convert private key to SSH2 format (I presume that your current key is stored at ~/.ssh/id_rsa):
brew install putty
mv ~/.ssh/id_rsa ~/.ssh/id_openssh
puttygen ~/.ssh/id_openssh -O private-sshcom -o ~/.ssh/id_ssh2
next convert SSH2 key to PEM:
ssh-keygen -i -f ~/.ssh/id_ssh2 > ~/.ssh/id_rsa
rm ~/.ssh/id_ssh2
now you have your private key ~/.ssh/id_rsa in old PEM format that can be used by IntelliJ based IDEs; the original key is stored in ~/.ssh/id_openssh file and can be removed:
rm ~/.ssh/id_openssh
Links that were used to create this answer:
Convert OpenSSH private keys to RSA PEM
ssh-keygen does not create RSA private key
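An added example, not part of the original answers: it automates the check described above (does the file start with `-----BEGIN OPENSSH PRIVATE KEY-----`?) and also reports whether the key needs a passphrase, which is what the Bitrise and Jenkins threads on this page run into. It reads only the key's header and never asks for the passphrase; the function names and sample keys are constructed, and the samples are header-only dummies, not usable keys.

```python
import base64

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def ssh_string(buf, off):
    """Read one length-prefixed SSH string; return (value, next_offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def inspect_private_key(text):
    """Return (container, needs_passphrase) for the text of a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("no private-key armour; public keys start with e.g. 'ssh-rsa'")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = ssh_string(blob, len(OPENSSH_MAGIC))
        return "openssh", cipher != b"none"  # cipher "none" means no passphrase
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "pem", True
    if label.endswith("PRIVATE KEY"):  # traditional RSA/EC/DSA PEM or plain PKCS#8
        # Traditional PEM flags encryption with a "Proc-Type: 4,ENCRYPTED" header.
        return "pem", any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
    raise ValueError("unrecognised key label: " + label)

def constructed_openssh_key(cipher):
    """Constructed, header-only sample (not a usable key) for the demo below."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

CONSTRUCTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (constructed_openssh_key(b"none"), constructed_openssh_key(b"aes256-ctr"), CONSTRUCTED_PEM):
        print(inspect_private_key(sample))
```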
Does not and cannot work for certain SSH setups
The "Settings Repository" support for ssh is limited to the Java jgit implementation. Whereas you can configure new and existing projects to use your OS native ssh, this preference is ignored by the "Settings Repository" feature.
As such any jgit limitations which prevent it from working with your SSH setup will prevent the "Settings Repository" feature from working with no possible workaround.
Settings repository is a separate feature based on the JGit, and it is not related to the Version control - Git, that is why changing settings there has no effect.
Settings repository does not have a Native SSH mode and does not benefit from the ssh-agent.
Dmitriy Smirnov (JetBrains) — Settings Repository feature always asks for SSH key password even though key is in my SSH agent already
I downloaded and was in the process of setting up IntelliJ on a new machine when I ran into problems trying to overwrite my local settings from a settings repository. It seems like it is a problem with how Git is used internally by the settings repository. Below are examples of trying to use the Settings Repository feature and also Clone Repository with both Built-in and Native SSH. I'm not sure how to get this working correctly now.
Vladimir Krivosheev — Settings repository - add Native SSH mode (IDEA-173223)
Settings repository does work with the SSH keys.
Make sure you specify the URL correctly, as git@github.com:username/Repo.git
If your ssh keys are not called id_rsa/id_rsa.pub, make sure they are correctly referenced in the .ssh/config
Also, the error might occur because for some reasons IDE cannot overwrite local config files. Check the IDE logs for any related errors.

Private Github Repositories with Envoy

Anybody has any problems deploying with Laravel's envoy when using private Github repos?
When manually cloning my repo from the production server, the ssh key seems to be accessible but when using Envoy, I always get a "Permission denied (publickey)" error.
Thanks
It is probably because the ssh key on your remote server requires a password.
If you change the Envoy.blade.php to perform some other task you should be able to establish whether you are connecting to your remote correctly.
@servers(['web' => 'user@domain.com'])
@task('deploy')
cd /path/to/site
git status
@endtask
Should return something like:
[user@domain.com]: On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working directory clean
If you are connecting using a Mac or Linux you probably don't have to enter your password because your terminal is using ssh-agent which silently handles your authentication.
Wikipedia article on ssh-agent
When connecting over ssh, ssh-agent isn't running and the script is being prompted for a password which is where it is failing.
To get around this you could generate a new key on the remote machine that doesn't use a password.
If you want to restrict the ssh key to a single repository on GitHub have a look at deploy keys
You need to pass the -A (as per the man page it - Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file) in your ssh string.
You will also need to add your ssh key for agent forwarding (on the machine which can access the git remote which I assume to be your localhost)
ssh-add -K ~/.ssh/your_private_key
Something like this
@servers(['web' => '-A user@domain.com'])
@task('deploy')
cd /path/to/site
git status
@endtask
Git remote commands should now work.

Why do I need to run `ssh-add` in my Powershell profile?

In my Microsoft.PowerShell_profile.ps1 document, I've had to add ssh-add ~/.ssh/github_rsa following the poshgit examples in order for it to connect to my GitHub repos.
# Load posh-git example profile
. 'C:\tools\poshgit\dahlbyk-posh-git-8aecd99\profile.example.ps1'
ssh-add ~/.ssh/github_rsa
If I don't have that in my profile, GitHub gives me permissions errors when I try to connect.
If I do it manually, it will work for the entire duration of my desktop session, but as soon as I reboot my computer, I need to re-run the command.
Why doesn't poshgit and ssh-add remember the rsa that I've added? It seems wrong to have to re-add it every time.
It's because your rsa key is not the default name ( id_rsa ) so you either need to use ssh-add (which adds it to a running service that remembers the key decrypted with your passphrase) or just add an entry into your ~\.ssh\config
~\.ssh\config (create or edit):
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_rsa
Or, if github is the only thing you use ssh keys for, just rename the key to id_rsa and then git (well ssh.exe) will find it for you automatically AND poshgit will ssh-add it for you (to handle passphrases).

Permission denied (public key) during fetch from GitHub with Jenkins user on Ubuntu

Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git@github.com, I am always asked my passphrase, but I am always eventually authenticated. (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins@alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)
Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty
To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as others such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git@github.com (change address according to your git server)
I got around this problem by simply leaving the passphrase empty when creating the keys.
I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*
To check are the following:
if the right public key (id_rsa.pub) is uploaded to the git-server.
jenkins user will access to github -> to CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git@github.com to see debug logs. If things go well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git@github.com
Don't try to do config in jenkins until ssh works!
If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match
For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1. Remove all Public and Private keys located at /Users/Username/.ssh
2. Remove all the credentials saved under the Credentials tab in Jenkins.
3. Remove the existing Public SSH keys defined in the Github Repository Settings.
4. Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5. Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.
6. In Jenkins, create new credentials by adding the private SSH key (id_rsa) for your Github username.
7. The Error should be removed now.
keys need to be generated from jenkins user.
sudo su jenkins
ssh-keygen
once the key is generated, it should be added as ssh key in bitbucket or github.