CI SSH Permission denied

Hi community,

I would like to run an SSH script from a CI runner on gitlab.com. I've added a secret variable (project / Settings / CI-CD) with the key SSH_PRIVATE_KEY and, as its value, the id_rsa generated on my production server.

In my .gitlab-ci.yml :

image: node:9.11.1-alpine

deploy:
  stage: deploy
  before_script:
    ##
    ## Install ssh-agent if not already installed, it is required by Docker.
    ## (change apt-get to yum if you use a CentOS-based image)
    ##
    - "which ssh-agent || ( apk add --update openssh )"

    ##
    ## Add bash & git
    ##
    - apk add --update bash git

    ##
    ## Run ssh-agent (inside the build environment)
    ##
    - eval $(ssh-agent -s)

    ##
    ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
    ## We're using tr to fix line endings which makes ed25519 keys work
    ## without extra base64 encoding.
    ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
    ##
    ## NOTE: this line prints the private key itself into the job log; keep it
    ## only while debugging and drop it afterwards.
    - echo "$SSH_PRIVATE_KEY"
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null

    ##
    ## Create the SSH directory and give it the right permissions
    ##
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh

    ##
    ##
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

    ##
    ## SSH test
    ##
    - echo "$TARGET_SERVER_USER"
    - echo "$TARGET_SERVER_HOST"
    - ssh -o StrictHostKeyChecking=no -T "$TARGET_SERVER_USER@$TARGET_SERVER_HOST"
  script:
    - npm i -g pm2 

All the echo commands in before_script return the right values, but the result of the job is not good:

$ ssh -o StrictHostKeyChecking=no -T "$TARGET_SERVER_USER@$TARGET_SERVER_HOST"
Warning: Permanently added 'xxx.x.xxx.xxx' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

I don't understand why the SSH connection fails. I think I must have made a misconfiguration somewhere, but I cannot find where.

Can anyone help me?

Thank you community !

I’m running a gitlab-ee instance on-site and I encountered exactly the same issue.
Last week, I had a full CI pipeline including deploy - with key-based ssh - working and running in my GitLab CI. I was running on GitLab 11.1.4.
I then updated to 11.2.3 and it stopped working. I tried various options to try and resolve the issue, but to no avail. My runner(s) were running 11.2.0 the whole time.
I tried to look through the changelog between 11.1 and 11.2, and didn’t spot anything that may have caused this, but then I didn’t deeply read each of the (many) changes.
I eventually fixed my deploy job by changing approach completely and deploying directly through the Docker API. I can't get any jobs to run using ssh - where it was working before :cry:
Hoping somebody else has run into this and there’s a quick-fix.

I’ve just gone back to this - 'cos your post had me thinking.

TL;DR version - check your variable isn’t protected.

long version:

I tried a new branch with a simple .gitlab-ci.yml file:

variables:
  TEST_SERVER_LOGIN: deployer@test-host.example.com

stages:
  - deploy

.b-deploy: &b-deploy
  before_script:
    - cat /etc/centos-release
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - echo "$DEPLOYER_KEY" > ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - chmod 600 ~/.ssh/config

.a-deploy: &a-deploy
  after_script:
    - rm ~/.ssh/id_rsa

test-ssh:
  stage: deploy
  <<: *b-deploy
  <<: *a-deploy
  tags:
    - linux
  script:
    # diagnostic only: this prints the key material into the job log
    - cat ~/.ssh/id_rsa
    - "ssh -vvv $TEST_SERVER_LOGIN uname -a"

I stripped out everything except a simple uname -a on the remote machine, and turned up the ssh verbosity.
The first thing I noticed was that the cat ~/.ssh/id_rsa line had no output - which means that my script wasn’t getting my deploy variable.
I went back to the project and checked the variable was properly supplied - and it was, only it was set as a protected variable, and my branch isn't a protected one.
I unprotected the variable, retried the deploy, and it worked fine.

Hope this helps you…
-R

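Both posts above run into the same failure mode: the key variable arrives empty (protected variable, unprotected branch) or with CRLF line endings, and the only symptom is "Permission denied" from ssh. The following is an added example, not code from either poster or from GitLab, of before_script helpers that check the key before it is used, write it without echoing it to the job log, and pin the server's host key instead of setting StrictHostKeyChecking no. The variable name SSH_PRIVATE_KEY comes from the question; SSH_KNOWN_HOSTS is an assumed name for a variable holding a known_hosts line.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own CI code.
# Assumed variables: SSH_PRIVATE_KEY (from the question) and SSH_KNOWN_HOSTS
# (assumed here: one known_hosts line for the target host).

# Return 0 if $1 looks like a complete PEM/OpenSSH private key, else 1.
# An empty value is exactly what a job on an unprotected branch receives for a
# protected variable, so this fails early instead of at "Permission denied".
key_looks_valid() {
  k=$(printf '%s' "$1" | tr -d '\r')   # normalise CRLF, as the ssh-add line does
  [ -n "$k" ] || return 1
  printf '%s\n' "$k" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
  printf '%s\n' "$k" | grep -q '^-----END .*PRIVATE KEY-----$' || return 1
}

# Write key $1 to file $2 with 0600 permissions, never echoing it to the log.
install_key() {
  key_looks_valid "$1" || {
    echo "deploy key missing or malformed (protected variable on an unprotected branch?)" >&2
    return 1
  }
  umask 077
  mkdir -p "$(dirname "$2")"
  printf '%s\n' "$1" | tr -d '\r' > "$2"
  chmod 600 "$2"
}

# Log only the fingerprint of key file $1, so the log shows which key loaded.
log_fingerprint() {
  command -v ssh-keygen >/dev/null 2>&1 && ssh-keygen -l -f "$1"
}

# Pin the server's host key: $1 is a known_hosts line (e.g. captured once with
# ssh-keyscan and stored as a CI variable), $2 is the known_hosts path.
install_known_hosts() {
  [ -n "$1" ] || { echo "SSH_KNOWN_HOSTS is empty" >&2; return 1; }
  umask 077
  mkdir -p "$(dirname "$2")"
  printf '%s\n' "$1" > "$2"
  chmod 600 "$2"
}

# Usage from before_script (uncomment in a real job):
#   install_key "$SSH_PRIVATE_KEY" "$HOME/.ssh/id_rsa" || exit 1
#   log_fingerprint "$HOME/.ssh/id_rsa"
#   install_known_hosts "$SSH_KNOWN_HOSTS" "$HOME/.ssh/known_hosts" || exit 1
#   ssh -o StrictHostKeyChecking=yes -T "$TARGET_SERVER_USER@$TARGET_SERVER_HOST"
```

With the host key pinned, `-o StrictHostKeyChecking=no` and the `Host *` config block are no longer needed.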