.gitlab.ci.yml for SSH with private key.
# Image needs to have ssh-client
image: docker:git
services:
  - docker:dind

stages:
  - staging

before_script:
  - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
  - mkdir -p ~/.ssh
  # Paste the PRIVATE key into a GitLab variable. Pay attention to the linebreak at the end when pasting
  - echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
  - chmod 600 ~/.ssh/id_rsa
  - eval "$(ssh-agent -s)"
  - ssh-add ~/.ssh/id_rsa
  # ssh-keyscan records whatever host key the server presents at job time, without verifying it
  - ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts

staging:
  stage: staging
  tags:
    - docker
  only:
    - staging
  script:
    - docker build --pull -t $CI_REGISTRY_IMAGE:staging .
    - docker push $CI_REGISTRY_IMAGE:staging
    # your own server details here
    - ssh $SERVER_USER@$SERVER_HOSTNAME < deploy.sh

zacksleo commented Apr 13, 2017

I tried the code, but I have a problem:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

Altiano commented Jun 27, 2017

I don't think this part of line 13 is necessary: tr -d '\r' > ~/.ssh/id_rsa

wysow commented Jul 26, 2017

Hello, just tried and ssh-add tells me that my key is in invalid format... :(

karser commented Nov 14, 2017

@wysow I managed to solve the "invalid format" issue: https://stackoverflow.com/a/47291376/1642477

holms commented Mar 5, 2018

@karser and how did you solve it? In that question there's nothing about fixing this issue.

amatiash commented Apr 22, 2018

Worked perfectly, thanks!

before_script:
  - mkdir -p ~/.ssh
  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
  - chmod 700 ~/.ssh/id_rsa
  - eval "$(ssh-agent -s)"
  - ssh-add ~/.ssh/id_rsa
  - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  - npm install

jimmyadaro commented May 21, 2018

Thanks @amatiash !

YAOHAO9 commented May 30, 2018

Thanks @amatiash !

van4oza commented Jun 2, 2018

$ echo "$TEST_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - >/dev/null
Error loading key "(stdin)": invalid format

(((((

diego-vieira commented Jun 13, 2018

I had to also run this on the deployment server

https://stackoverflow.com/questions/44363537/gitlab-ci-ssh-permission-denied-publickey-password

cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys

hnykda commented Sep 1, 2018

Probably obvious, but you need to install socat and docker-compose on the deploy machine, of course.

BrianBMN commented Sep 1, 2018

I know this is 2 years old but just wanted to post what worked for me:

  before_script:
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
  - eval $(ssh-agent -s)
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  - echo "$SSH_PRIVATE_KEY" | ssh-add - > ~/.ssh/id_rsa
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

richardhj commented Sep 7, 2018

@van4oza

$ echo "$TEST_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - >/dev/null
Error loading key "(stdin)": invalid format

I have had the same error.
You added TEST_SSH_PRIVATE_KEY as protected variable to the GitLab CI/CD config. This is fine. But the variable then only gets exposed to protected branches (master for example is per default) and protected tags. I configured the v* wildcard (matches my use case) as protected tags and it did run.

TobiGa commented Sep 20, 2018

I ran gitlab-runner exec locally, and since variables are not accessible there at the time,
I got invalid format. Nice to know, maybe...

tim-hub commented Oct 1, 2018

@van4oza

$ echo "$TEST_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - >/dev/null
Error loading key "(stdin)": invalid format

I have had the same error.
You added TEST_SSH_PRIVATE_KEY as protected variable to the GitLab CI/CD config. This is fine. But the variable then only gets exposed to protected branches (master for example is per default) and protected tags. I configured the v* wildcard (matches my use case) as protected tags and it did run.

Hi, there, same error,

fgilio commented Oct 22, 2018

In case it helps someone:
Just had the Error loading key "(stdin)": invalid format error and solved by adding a line break at the end of the variable in GitLab's UI

xd2 commented Nov 14, 2018

Hi. I've written a SSH helper for .gitlab-ci.yml.
Check it out : https://gitlab.com/x4v13r/gitlab-ci

Just include: it to your .gitlab-ci.yml and then you can go with:

ssh_run root myhostname $MYHOST_PKEY "touch foo; cp foo bar; ls -al; rm foo bar; ls -al"

pagolina commented Dec 5, 2018

@amatiash I followed your method but I got the following response

Running hooks in /etc/ca-certificates/update.d...
done.
$ mkdir -p ~/.ssh
$ echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 700 ~/.ssh/id_rsa
$ eval $(ssh-agent -s)
Agent pid 3067
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa: ERROR: Job failed: exit code 1

Why does it request for passphrase?

ALTELMA commented Jan 4, 2019

So is it fixed now or not?

skyrim61 commented Jan 16, 2019

echo ${ID_RSA_DEVELOP} > id_rsa
Now the id_rsa file is one line.
Run this command to check: openssl rsa -in id_rsa -text -noout
Output: unable to load Private Key

skyrim61 commented Jan 16, 2019

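I solved this problem:

  • echo ${ID_RSA_DEVELOP} > id_rsa
    With this, the id.pub file is written as a single line, and the job reports a key file error when it runs.
    I then changed it as follows:
  • echo "${ID_RSA_DEVELOP}" > id_rsa
    The problem was solved.
    cat ~/.ssh/id.pub shows the format is correct.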

willcooley commented Feb 2, 2019

@amatiash I followed your method but I got the following response

Running hooks in /etc/ca-certificates/update.d...
done.
$ mkdir -p ~/.ssh
$ echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 700 ~/.ssh/id_rsa
$ eval $(ssh-agent -s)
Agent pid 3067
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa: ERROR: Job failed: exit code 1

Why does it request for passphrase?

Yo, it looks like the SSH key you created was created with a password; you might want to create a new SSH key that doesn't use a password. It is recommended that you don't use a password for SSH keys for server communication, because it will error out the process, since you can't enter the password manually when it asks for it while GitLab's runner process is running. I had this issue a few weeks ago, which is why I am suggesting this to you.

willcooley commented Feb 2, 2019

this worked for me:
deploy:
  image: docker:stable
  services:
    - docker/dind
  stage: deploy
  script:
    - echo "$RELEASE_IMAGE"
    - 'which ssh-agent || ( apk --update add openssh-client )'
    - eval $(ssh-agent -s)
    - mkdir -p ~/.ssh
    - echo "$SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 700 ~/.ssh/id_rsa
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'YOUR_IP_ADDRESS' >> ~/.ssh/known_hosts
    - ssh-keyscan YOUR_IP_ADDRESS | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    - '[[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

subhakant0 commented Mar 30, 2019

If you need to enter the password, then you have to. I found a way how to do that.

before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - 'which sshpass || ( apt-get update -y && apt-get install sshpass -y )'
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 700 ~/.ssh/id_rsa
    - eval $(ssh-agent -s)
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    - rm -rf .git
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - sshpass -p "<your password goes here>" ssh  username@hostname "your commands"

I used sshpass

etarndt commented Apr 11, 2019

I generated ssh keys that didn't need a password so I used that code above without sshpass, but am receiving this issue:

Warning: Permanently added the ECDSA host key for IP address '##.##.###.##' to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

Code:

before_script:
 - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
 - mkdir -p ~/.ssh
 - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
 - chmod 700 ~/.ssh/id_rsa
 - eval $(ssh-agent -s)
 - ssh-add ~/.ssh/id_rsa
 - ssh-keyscan -H 'host.host.com' >> ~/.ssh/known_hosts
 - ssh-keyscan host.host.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
 - rm -rf .git
 - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

testSSH:
  script:
    - ssh host@host.host.com "cd Desktop/testssh && git pull origin master"

I have been troubleshooting for hours and cannot resolve the issue. Could anyone please help?

isdiop commented May 28, 2019

If you need to enter the password, then you have to. I found a way how to do that.

before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - 'which sshpass || ( apt-get update -y && apt-get install sshpass -y )'
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 700 ~/.ssh/id_rsa
    - eval $(ssh-agent -s)
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    - rm -rf .git
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - sshpass -p "<your password goes here>" ssh  username@hostname "your commands"

I used sshpass

How can I use a different SSH port (like 2222)?

taozhi8833998 commented Jul 3, 2019

useful tip, thanks

Porkts commented Jul 25, 2019

If you need to enter the password, then you have to. I found a way how to do that.

before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - 'which sshpass || ( apt-get update -y && apt-get install sshpass -y )'
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 700 ~/.ssh/id_rsa
    - eval $(ssh-agent -s)
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    - rm -rf .git
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - sshpass -p "<your password goes here>" ssh  username@hostname "your commands"

I used sshpass

How can I use a different SSH port (like 2222)?

Use

script:
    - sshpass -p "<your password goes here>" ssh -p2222  username@hostname "your commands"
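
The causes reported in this thread for `Error loading key "(stdin)": invalid format` and for the passphrase prompt, collected into one pre-flight check to run before `ssh-add`. This is an added example, not part of the gist or of any comment; the function name `diagnose_ssh_key`, its status words and `SAMPLE_KEY` are hypothetical.

```shell
# Added example: classify the value of a CI variable that should hold an
# unencrypted SSH private key. Prints one status word; returns 0 only for "ok".
diagnose_ssh_key() {
    nl='
'
    # Same normalisation as the gist: strip carriage returns from a CRLF paste.
    key=$(printf '%s_' "$1" | tr -d '\r'); key=${key%_}
    # Empty: variable not exposed to this job (protected variable on an
    # unprotected branch/tag, or a local `gitlab-runner exec` run).
    [ -n "$key" ] || { echo empty; return 1; }
    case $key in
        "-----BEGIN "*) ;;
        *) echo no-pem-header; return 1 ;;
    esac
    # An unquoted `echo $VAR` joins all lines into one.
    lines=$(printf '%s' "$key" | awk 'NF { n++ } END { print n + 0 }')
    [ "$lines" -ge 3 ] || { echo collapsed-lines; return 1; }
    # The thread reports "invalid format" until the value ends with a newline.
    case $key in
        *"$nl") ;;
        *) echo no-trailing-newline; return 1 ;;
    esac
    first=$(printf '%s' "$key" | sed -n '1p')
    body=$(printf '%s' "$key" | sed -n '2p')
    last=$(printf '%s' "$key" | awk 'NF { l = $0 } END { print l }')
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo truncated; return 1 ;;
    esac
    # A passphrase-protected key makes ssh-add prompt, which fails the job.
    case $first$nl$body in
        *"BEGIN ENCRYPTED"*|*"Proc-Type: 4,ENCRYPTED"*) echo encrypted; return 1 ;;
    esac
    case $first in
        *OPENSSH*)
            # base64 of "openssh-key-v1\0", length 4, cipher name "none"
            case $body in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) ;;
                *) echo encrypted; return 1 ;;
            esac ;;
    esac
    echo ok
}

# Constructed sample, not a real key: header, one body line, footer.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ
-----END OPENSSH PRIVATE KEY-----
'
```

In a job, calling `diagnose_ssh_key "$SSH_PRIVATE_KEY" || exit 1` before `ssh-add` makes the log name the cause instead of only `invalid format`.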