Dan

Reputation: 1660

WARNING: UNPROTECTED PRIVATE KEY FILE! using Bitbucket Pipelines and SSH

I'm starting out with Git and attempting to use Bitbucket Pipelines to deploy to my remote server.

After reading a few posts on this and seeing what others have attempted, I am using the following code:

# This is a sample build configuration for PHP.
# Check our guides at https://confluence.atlassian.com/x/e8YWN for more examples.
# Only use spaces to indent your .yml configuration.
# -----
# You can specify a custom docker image from Docker Hub as your build environment.
image: samueldebruyn/debian-git

pipelines:
    default:
        - step:
            script:
                - umask 077
                - echo $MY_SSH_KEY | base64 --decode > ~/.ssh/id_rsa

                - scp -i ~/.ssh/id_rsa -P $SERVER_PORT -r $DIRECTORY_TRANSFER_LIST $USERNAME@$SERVER_IP_ADDRESS:~/site

Just to point out, the Environment variables are:

DIRECTORY_TRANSFER_LIST: This is my Domain without www. i.e domain.co.uk

MY_SSH_KEY: I have tried both public and private keys but doesn't seem to make a difference.

SERVER_PORT: 22

I'm not actually sure what image means or why this link is here; could this be my issue?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/root/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/root/.ssh/id_rsa": bad permissions
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection

After reading another post regarding the same error message, although not to do with Bitbucket Pipelines, it was suggested to change the chmod to 400.

So I ssh'd into the remote server and changed the permissions for id_rsa to 400:

cd ~/.ssh
chmod 400 id_rsa

But that didn't make any difference when I re-ran the pipeline.

What am I not doing?

Upvotes: 1

Views: 7086

Answers (3)

NuberKetes

Reputation: 1

ls -al ~/.ssh

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

cat ~/.ssh/id_rsa.pub

Go to your GitHub profile → Settings → SSH and GPG Keys → New SSH Key. Paste your public key and save it.

ssh -T git@github.com

It will show: Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

git remote -v

git remote set-url origin git@github.com:<username>/<repository>.git

git push origin <branch>

Upvotes: 0

phod

Reputation: 536

I suggest you add your SSH key to Pipelines by following the documentation here: https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html

That will remove the need for you to manage file permissions, makes it easier to rotate keys, and removes a fairly confusing command from your configuration. (Your team will love you for it!)

The umask 077; echo $MY_SSH_KEY | base64 --decode > ~/.ssh/id_rsa approach was a workaround before Pipelines had proper SSH key support.

Upvotes: 0

BlueM

Reputation: 3861

You write “I ssh'd into the remote server” – and I think this is the problem, as it sounds like you tried to fix permissions on the server to which the project is deployed. SSH checks the permissions on the client side, which in your case is the SSH key in the Docker image. Which means you simply have to add the chmod in your script, between umask and scp.

Upvotes: 2
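An added example (not part of the question or of any answer above) of the client-side fix BlueM describes: decode the key from the pipeline variable into a fresh .ssh directory, force the file to 0600 and the directory to 0700, and refuse to run scp unless the permissions actually pass the same test ssh applies. The key material is a constructed dummy blob, not a real key, and the key is written to a temporary directory so the script runs anywhere; a real pipeline step would point SSH_DIR at $HOME/.ssh and then run the scp line shown in the comment.

```shell
#!/bin/sh
# Added example: install a base64-encoded deploy key with the permissions ssh
# requires, and verify them before using it. Paths and key material are
# constructed placeholders; nothing here is a usable private key.
set -eu

# In a pipeline this would be "$HOME/.ssh"; a temp dir keeps the example
# self-contained and runnable offline.
SSH_DIR="${SSH_DIR:-$(mktemp -d)}"

# Constructed stand-in for the MY_SSH_KEY pipeline variable: base64 of a
# dummy PEM-looking blob, NOT a real key.
MY_SSH_KEY="$(printf '%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'dummy-key-material-for-illustration' \
    '-----END OPENSSH PRIVATE KEY-----' | base64)"

# Symbolic permission string of a path, e.g. "-rw-------", portably
# (stat's flags differ between GNU and BSD, ls -l does not).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Decode the key into "$1/id_rsa" with restrictive permissions and print the
# path. umask 077 makes the file 0600 at creation; the explicit chmod 600 is
# belt-and-braces, since the umask set on one pipeline script line is not
# guaranteed to still apply on the next one.
install_deploy_key() {
    dir="$1"; b64="$2"; key="$dir/id_rsa"
    mkdir -p "$dir"
    chmod 700 "$dir"
    (umask 077 && printf '%s' "$b64" | base64 --decode > "$key")
    chmod 600 "$key"
    printf '%s\n' "$key"
}

# Succeed only if no group/other bits are set on the key file; this is the
# condition behind ssh's "UNPROTECTED PRIVATE KEY FILE" warning.
key_perms_ok() {
    case "$(perm_string "$1")" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

KEY_PATH="$(install_deploy_key "$SSH_DIR" "$MY_SSH_KEY")"
if key_perms_ok "$KEY_PATH"; then
    echo "ok: $KEY_PATH is $(perm_string "$KEY_PATH")"
else
    echo "refusing to use $KEY_PATH: $(perm_string "$KEY_PATH") is too open" >&2
    exit 1
fi
# Only after the check passes would the deploy step run, e.g.:
# scp -i "$KEY_PATH" -P "$SERVER_PORT" -r "$DIRECTORY_TRANSFER_LIST" "$USERNAME@$SERVER_IP_ADDRESS:~/site"
```

The check runs on the machine that executes scp, which in Pipelines is the build container, not the deployment target; a chmod on the remote server never changes what the client-side ssh sees.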
