英文:
SCP from GitLab pipeline fails (Permission denied)
问题
我需要从GitLab流水线中将一些文件scp到服务器上。以下是我完成此操作的步骤以及我收到的错误。
在我的本地机器上,我创建了一个专门用于此目的的公钥和私钥,没有其他用途。私钥用于我的GitLab流水线中的一个变量,而公钥则放在服务器的授权密钥文件中:
ssh-keygen -t rsa -b 2048 -C "Pipeline";
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa_pipeline
这将成功创建公钥(id_rsa_pipeline.pub)和私钥(id_rsa_pipeline)。
然后,我将密钥添加到远程服务器:
ssh-copy-id -i id_rsa_temp user@server.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa_pipeline.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@server.com'"
and check to make sure that only the key(s) you wanted were added.
然后,我使用密钥测试登录,命令是 ssh -i id_rsa_pipeline user@server.com,它按预期工作。使用密钥登录时没有问题。
接下来,我在流水线中添加了一个名为 IDENTITY 的变量。
我流水线中执行工作的阶段具有如下的 before_script:
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- echo "$IDENTITY" | tr -d '\r' | ssh-add - > /dev/null
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
我在流水线中使用的scp命令如下:
after_script:
- scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
当我运行流水线时,我收到以下错误:
Running after script...
$ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
Warning: Permanently added 'user,192.168.1.50' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user@server: Permission denied (publickey,password).
lost connection
我尝试过的事项:
- 重新创建密钥。
- 确保在复制/粘贴到GitLab时没有空格或回车字符进入密钥。
- 在不同的服务器上创建密钥。
- 使用不同的用户。
- 进行一般的Google搜索。
我在尝试过的每个用户上,都可以使用密钥ssh登录服务器,也可以使用密钥scp文件而无需密码。感谢您的帮助。
英文:
I need to scp some files from a gitlab pipeline to a server. Here are the steps I took to accomplish this, and the error I've received.
On my local machine, I create a public and private key to use specifically for this, and nothing else. The private key is for a variable in my gitlab pipeline, and the public key goes in the server's authorized key files.:
ssh-keygen -t rsa -b 2048 -C "Pipeline"
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa_pipeline
This creates the public (id_rsa_pipeline.pub) and private (id_rsa_pipeline) key successfully.
I then add the key to the remote server:
ssh-copy-id -i id_rsa_temp user@server.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa_pipeline.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@server.com'"
and check to make sure that only the key(s) you wanted were added.
I then test the login, using the key ssh -i id_rsa_pipeline user@server.com, and it works as expected. No issues logging in using key, without password.
I then add a variable in my pipeline named IDENTITY.
My stage that does the work in my pipeline has a before_script like this.
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- echo "$IDENTITY" | tr -d '\r' | ssh-add - > /dev/null
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
My scp command I'm using in the pipeline looks like this:
after_script:
- scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
When I run the pipeline, I'm getting the following:
Running after script...
$ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /path/to/my/file.txt user@development:/home/user/
Warning: Permanently added 'user,192.168.1.50' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
user@server: Permission denied (publickey,password).
lost connection
Things I've tried:
- Creating the keys again.
- Making sure no whitespaces or return characters got into the key when copy/pasting into gitlab.
- Creating the keys on different servers.
- Using different users.
- General googling.
On every user I've tried this with, I can ssh into the server using the key, and I can scp files without passwords using the keys. Any help is appreciated.
答案1
得分: 2
用于测试,我会:
- 创建一个新的密钥对,但不设置密码。
- 创建一个新的 文件类型 CI/CD 变量。在
Key中输入名称SSH_PRIVATE_KEY,在Value字段中粘贴之前创建的私钥的内容。 - 按照“在使用 Docker 执行程序时的 SSH 密钥”中的相同流程进行。
before_script:
##
## 如果尚未安装,请安装 ssh-agent,Docker 需要它。
## (如果使用基于 RPM 的映像,请将 apt-get 更改为 yum)
##
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
##
## 运行 ssh-agent(在构建环境内部)
##
- eval $(ssh-agent -s)
##
## 授予权限,否则 ssh-add 将拒绝添加文件
## 将存储在 SSH_PRIVATE_KEY 文件类型的 CI/CD 变量中的 SSH 密钥添加到代理存储区
##
- chmod 400 "$SSH_PRIVATE_KEY"
- ssh-add "$SSH_PRIVATE_KEY"
##
## 创建 SSH 目录并授予正确权限
##
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
##
## 可选地,如果将使用 Git 命令,请设置用户名和电子邮件。
##
# - git config --global user.email "user@example.com"
# - git config --global user.name "用户名"
确保验证私有服务器的 SSH 主机密钥。
英文:
For testing, I would:
- create a key pair again, but without passphrase.
- create a new file type CI/CD variable. As
Key, enter the nameSSH_PRIVATE_KEY, and in theValuefield, paste the content of your private key that you created earlier. - follow the same process as in "SSH keys when using the Docker executor"
before_script:
##
## Install ssh-agent if not already installed, it is required by Docker.
## (change apt-get to yum if you use an RPM-based image)
##
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
##
## Run ssh-agent (inside the build environment)
##
- eval $(ssh-agent -s)
##
## Give the right permissions, otherwise ssh-add will refuse to add files
## Add the SSH key stored in SSH_PRIVATE_KEY file type CI/CD variable to the agent store
##
- chmod 400 "$SSH_PRIVATE_KEY"
- ssh-add "$SSH_PRIVATE_KEY"
##
## Create the SSH directory and give it the right permissions
##
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
##
## Optionally, if you will be using any Git commands, set the user name and
## and email.
##
# - git config --global user.email "user@example.com"
# - git config --global user.name "User name"
Make sure the private server’s SSH host keys are verified.
答案2
得分: 1
你可以尝试在afterScript scp命令之后添加-o IdentityFile=/path/to/private/ssh/key,以明确要使用哪个SSH密钥。
英文:
You can try adding the -o IdentityFile=/path/to/private/ssh/key over the afterScript scp command to be precise on which ssh keys has to be used.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论