SCP from GitLab pipeline fails (Permission denied)

huangapple go评论63阅读模式
英文:

SCP from GitLab pipeline fails (Permission denied)

问题

我需要从GitLab流水线中将一些文件scp到服务器上。以下是我完成此操作的步骤以及我收到的错误。

在我的本地机器上,我创建了一个专门用于此目的的公钥和私钥,没有其他用途。私钥用于我的GitLab流水线中的一个变量,而公钥则放在服务器的授权密钥文件中:

ssh-keygen -t rsa -b 2048 -C "Pipeline";

Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa_pipeline

这将成功创建公钥(id_rsa_pipeline.pub)和私钥(id_rsa_pipeline)。

然后,我将密钥添加到远程服务器:

ssh-copy-id -i id_rsa_temp user@server.com

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa_pipeline.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'user@server.com'"
and check to make sure that only the key(s) you wanted were added.

然后,我使用密钥测试登录,命令是 ssh -i id_rsa_pipeline user@server.com,它按预期工作。使用密钥登录时没有问题。

接下来,我在流水线中添加了一个名为 IDENTITY 的变量。

我流水线中执行工作的阶段具有如下的 before_script

before_script:
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
  - eval $(ssh-agent -s)
  - echo "$IDENTITY" | tr -d '\r' | ssh-add - > /dev/null
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

我在流水线中使用的scp命令如下:

after_script:
    - scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/

当我运行流水线时,我收到以下错误:

Running after script...
$ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
Warning: Permanently added 'user,192.168.1.50' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user@server: Permission denied (publickey,password).
lost connection

我尝试过的事项:

  1. 重新创建密钥。
  2. 确保在复制/粘贴到GitLab时没有空格或回车字符进入密钥。
  3. 在不同的服务器上创建密钥。
  4. 使用不同的用户。
  5. 进行一般的Google搜索。

我在尝试过的每个用户上,都可以使用密钥ssh登录服务器,也可以使用密钥scp文件而无需密码。感谢您的帮助。

英文:

I need to scp some files from a gitlab pipeline to a server. Here are the steps I took to accomplish this, and the error I've received.

On my local machine, I create a public and private key to use specifically for this, and nothing else. The private key is for a variable in my gitlab pipeline, and the public key goes in the server's authorized key files.:

ssh-keygen -t rsa -b 2048 -C "Pipeline"


Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa_pipeline

This creates the public (id_rsa_pipeline.pub) and private (id_rsa_pipeline) key successfully.

I then add the key to the remote server:

ssh-copy-id -i id_rsa_temp user@server.com

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa_pipeline.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@server.com'"
and check to make sure that only the key(s) you wanted were added.

I then test the login, using the key ssh -i id_rsa_pipeline user@server.com, and it works as expected. No issues logging in using key, without password.

I then add a variable in my pipeline named IDENTITY.

My stage that does the work in my pipeline has a before_script like this.

  before_script:
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
  - eval $(ssh-agent -s)
  - echo "$IDENTITY" | tr -d '\r' | ssh-add - > /dev/null
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

My scp command I'm using in the pipeline looks like this:

after_script:
    - scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/

When I run the pipeline, I'm getting the following:

Running after script...
$ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
Warning: Permanently added 'user,192.168.1.50' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user@server: Permission denied (publickey,password).
lost connection

Things I've tried:

  1. Creating the keys again.
  2. Making sure no whitespaces or return characters got into the key when copy/pasting into gitlab.
  3. Creating the keys on different servers.
  4. Using different users.
  5. General googling.

On every user I've tried this with, I can ssh into the server using the key, and I can scp files without passwords using the keys. Any help is appreciated.

答案1

得分: 2

用于测试,我会:

before_script:
  ##
  ## 如果尚未安装,请安装 ssh-agent,Docker 需要它。
  ## (如果使用基于 RPM 的映像,请将 apt-get 更改为 yum)
  ##
  - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'

  ##
  ## 运行 ssh-agent(在构建环境内部)
  ##
  - eval $(ssh-agent -s)

  ##
  ## 授予权限,否则 ssh-add 将拒绝添加文件
  ## 将存储在 SSH_PRIVATE_KEY 文件类型的 CI/CD 变量中的 SSH 密钥添加到代理存储区
  ##
  - chmod 400 "$SSH_PRIVATE_KEY"
  - ssh-add "$SSH_PRIVATE_KEY"

  ##
  ## 创建 SSH 目录并授予正确权限
  ##
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

  ##
  ## 可选地,如果将使用 Git 命令,请设置用户名和电子邮件。
  ##
  # - git config --global user.email "user@example.com"
  # - git config --global user.name "用户名"

确保验证私有服务器的 SSH 主机密钥

英文:

For testing, I would:

before_script:
  ##
  ## Install ssh-agent if not already installed, it is required by Docker.
  ## (change apt-get to yum if you use an RPM-based image)
  ##
  - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'

  ##
  ## Run ssh-agent (inside the build environment)
  ##
  - eval $(ssh-agent -s)

  ##
  ## Give the right permissions, otherwise ssh-add will refuse to add files
  ## Add the SSH key stored in SSH_PRIVATE_KEY file type CI/CD variable to the agent store
  ##
  - chmod 400 "$SSH_PRIVATE_KEY"
  - ssh-add "$SSH_PRIVATE_KEY"

  ##
  ## Create the SSH directory and give it the right permissions
  ##
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

  ##
  ## Optionally, if you will be using any Git commands, set the user name and
  ## and email.
  ##
  # - git config --global user.email "user@example.com"
  # - git config --global user.name "User name"

Make sure the private server’s SSH host keys are verified.

答案2

得分: 1

你可以尝试在afterScript scp命令之后添加-o IdentityFile=/path/to/private/ssh/key,以明确要使用哪个SSH密钥。

英文:

You can try adding the -o IdentityFile=/path/to/private/ssh/key over the afterScript scp command to be precise on which ssh keys has to be used.

huangapple
  • 本文由 发表于 2023年6月4日 23:29:34
  • 转载请务必保留本文链接:https://go.coder-hub.com/76401133.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定