I use the following line in a GitLab pipeline:

scp -i "$SSH_PRIVATE_KEY" -r dist  user@1.1.1.1:/home/user/preprod

However when this line is executed the private key is prompted in the pipeline console, which is obviously a security issue.

The server is Ubuntu 18.04.

L. Faros
  • What's the content of $SSH_PRIVATE_KEY? Is it a filename as it is supposed to be? – PerlDuck Sep 14 '18 at 14:08
  • It is a GitLab variable (https://gitlab.com/help/ci/variables/README#variables). You think putting the variable in a file before using scp -i would solve my issue? – L. Faros Sep 14 '18 at 14:11
  • No, I meant scp -i expects the name of the file that contains the private key, e.g. /home/username/.ssh/id_rsa and I was asking whether your $SSH_PRIVATE_KEY contains something similar. – PerlDuck Sep 14 '18 at 14:16
  • From your comments on the answers I got the impression that the variable actually contains the key (like -----BEGIN RSA PRIVATE KEY----- MIIEsexz4...). That's wrong. It should contain the name of the file that contains the key, not the key itself. – PerlDuck Sep 14 '18 at 14:33
  • Well, doing echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null before the scp -i line allows me to use scp without the -i option – L. Faros Sep 14 '18 at 14:43

2 Answers

There are two ways to avoid the password prompts:

  1. Use SSH keys without password (hit enter when prompted for a password from ssh-keygen)
  2. Use ssh-agent as described here
Simon Sudler
  • I do have an SSH key without password, the copy part is working fine, but then the content of the private key is printed to the console – L. Faros Sep 14 '18 at 14:19

scp uses ssh wrapper and invoking the "-i" option requires the private key. You need to install the public key on your remote server.

A N
  • I have the public key on my server, the files are correctly copied but the content of the key is printed in the GitLab pipeline console – L. Faros Sep 14 '18 at 14:18
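
Added example, not part of the original question or answers: a POSIX shell helper for the CI job that resolves the variable to a file name, which the comments on the question point out is what `scp -i` expects, without echoing the key. The function names are hypothetical; `SSH_PRIVATE_KEY`, the host and the paths are those from the question.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.

# Classify what the variable holds: PEM key text or a path to a key file.
key_value_kind() {
    case "$1" in
        *"-----BEGIN "*"PRIVATE KEY-----"*) echo "inline-key" ;;
        "") echo "empty" ;;
        *) if [ -f "$1" ]; then echo "path"; else echo "missing-file"; fi ;;
    esac
}

# Write inline key text to a temp file readable only by the job user and
# print the file name only. tr strips carriage returns, as in the ssh-add
# pipeline quoted in the comments.
materialise_key() {
    (
        umask 077
        f=$(mktemp "${TMPDIR:-/tmp}/deploy_key.XXXXXX") || exit 1
        printf '%s\n' "$1" | tr -d '\r' > "$f" || exit 1
        printf '%s\n' "$f"
    )
}

# Resolve the variable to a file name usable with `scp -i`. The key text is
# never written to stdout or stderr; only a file name or a generic error is.
identity_file_for() {
    case "$(key_value_kind "$1")" in
        inline-key) materialise_key "$1" ;;
        path) printf '%s\n' "$1" ;;
        *) echo "SSH key variable is empty or not a readable file" >&2
           return 1 ;;
    esac
}

# Usage in the job (remove the temp file only if one was created):
#   key_file=$(identity_file_for "$SSH_PRIVATE_KEY") || exit 1
#   [ "$key_file" = "$SSH_PRIVATE_KEY" ] || trap 'rm -f "$key_file"' EXIT
#   scp -i "$key_file" -r dist user@1.1.1.1:/home/user/preprod
```
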