SSH connection within GitLab CI/CD with deploy key gets connection timeout


Hi,

I am trying to set up GitLab CI/CD for our project.
It has to git clone from another private repository, so we’ve set up the deploy token as described here:
Deploy keys | GitLab

The before_script part of the job looks like this:

```yaml
- eval $(ssh-agent -s)
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "Host gitlab.com
  Hostname altssh.gitlab.com
  User git
  Port 443
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa" >> ~/.ssh/config
- ssh-add -L
- ssh -vvv git@gitlab.com
```

However, we are getting a connection timeout.

```
++ ssh -vvv git@gitlab.com
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug2: resolving "gitlab.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to gitlab.com [172.65.251.78] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
ssh_exchange_identification: read: Connection timed out
```

We’ve verified that the deploy key works from our local machines.
Does anybody know what is causing this?

Hi @sbyim
Are you trying this on GitLab.com, or are your examples just fiction? If you are trying this on gitlab.com:

Your ssh_config is wrong and not applied at all: `debug1: /etc/ssh/ssh_config line 19: Applying options for *`

  • your Hostname is wrong, it should be gitlab.com
  • your Port is wrong, it should be 22

Your private key is also not being loaded (`debug1: identity file /root/.ssh/id_rsa type -1`); make sure the file has the proper format and permissions.

I also suggest disabling Host Key checking so you won’t get prompted to ‘trust’ the host.

This is what I usually use:

```yaml
- mkdir -p ~/.ssh
- echo "${SSH_DEPLOY_KEY}" > ~/.ssh/id_rsa
- chmod 400 ~/.ssh/id_rsa
- echo -e "Host gitlab.com\n\tStrictHostKeyChecking no\n\tUser git\n\tIdentityFile ~/.ssh/id_rsa\n\n" > ~/.ssh/config
```

Hi, thanks for the reply,

This case is for gitlab.com and I followed the example from the official documentation…
Using SSH keys with GitLab CI/CD | GitLab

The config file was added because the code from the official documentation wasn’t working, and from googling I found out you could also use port 443.

But you are right in that the id_rsa file is not being loaded correctly, although when I print the file via cat the content seems to be right :confused:

It appears your initial issue is not the only one, but here is a snippet from a CI that I have that I hope you can use or learn from.

I strongly advise against disabling Host Key checking as this leaves you vulnerable to a Man-in-the-middle type attack. Instead, add the host key to your known hosts.

```yaml
before_script:
  - yum install -y git openssh-clients
  ## Start ssh-agent (ssh key manager) and add SSH key stored in
  ## SSH_PRIV_KEY variable to agent store
  - eval $(ssh-agent -s)
  - ssh-add <(echo "$SSH_PRIV_KEY")

  ## Set up SSH directory (-p so an existing ~/.ssh does not fail the job)
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  ## Pin the server's host key instead of disabling host key checking
  - echo "$TRUSTED_HOSTS" > ~/.ssh/known_hosts
  - chmod 600 ~/.ssh/known_hosts
```

Best of luck!
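
The host key pinning recommended in the last reply, as an added example that is not part of the original thread: a shell function that validates the pinned entries before writing `known_hosts` and forces `StrictHostKeyChecking yes`. The function name `install_pinned_hosts` and its arguments are hypothetical; it assumes plain (unhashed) single-host `known_hosts` lines and the `TRUSTED_HOSTS` variable name from the snippet above.

```shell
# Added example: pin SSH host keys in a CI job rather than turning host key
# checking off. install_pinned_hosts is a hypothetical helper, not GitLab's.
#
# install_pinned_hosts <ssh_dir> <expected_host> <known_hosts_text>
# Returns 0 on success, 1 if the pinned data is empty or malformed.
install_pinned_hosts() {
  local ssh_dir="$1" host="$2" pins bad

  # Drop CR characters (variables pasted from Windows) and blank lines.
  pins=$(printf '%s\n' "$3" | tr -d '\r' | sed '/^[[:space:]]*$/d')

  # An unset or empty variable would silently produce an empty known_hosts
  # file; fail the job here with a clear message instead.
  [ -n "$pins" ] || { echo "no pinned host keys supplied" >&2; return 1; }

  # Each line must read "<host> <key-type> <base64-blob>" for the expected
  # host. Only common key types are accepted (assumption of this example).
  bad=$(printf '%s\n' "$pins" | awk -v h="$host" '
    NF < 3 || $1 != h ||
    $2 !~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$" ||
    $3 !~ "^[A-Za-z0-9+/]+=*$" { print NR }')
  [ -z "$bad" ] || { echo "malformed pin on line(s): $bad" >&2; return 1; }

  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  printf '%s\n' "$pins" > "$ssh_dir/known_hosts"
  chmod 600 "$ssh_dir/known_hosts"

  # Refuse unknown or changed host keys instead of trusting on first use.
  cat > "$ssh_dir/config" <<EOF
Host $host
  User git
  StrictHostKeyChecking yes
  UserKnownHostsFile $ssh_dir/known_hosts
EOF
  chmod 600 "$ssh_dir/config"
}

# In before_script (assumed usage):
#   install_pinned_hosts ~/.ssh gitlab.com "$TRUSTED_HOSTS"
```

The value stored in `TRUSTED_HOSTS` should be checked once against the fingerprints the server operator publishes before it is saved as a CI variable.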