Gitlab CI - SSH权限被拒绝(publickey,密码)

时间:2017-06-05 07:11:04

标签: ssh gitlab-ci

我一直在尝试为我的项目设置CD。我的Gitlab CI跑步者和我的项目将在同一台服务器上。我已关注https://docs.gitlab.com/ee/ci/examples/deployment/composer-npm-deploy.html,但我一直收到SSH Permission denied (publickey,password).错误。我在项目设置中正确设置了所有变量,私钥和其他变量。

我使用ssh-keygen -t rsa -C "my.email@example.com" -b 4096命令创建了我的ssh密钥而没有密码,并将PRODUCTION_PRIVATE_KEY变量设置为~/.ssh/id_rsa文件的内容。

这是我的gitlab-ci.yml

stages:
  - deploy

deploy_production:
  stage: deploy
  image: tetraweb/php
  before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
    - ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - apt-get install rsync
  script:
    - ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
    - hostname
  only:
    - master

这是Gitlab CI runner的输出:

Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
  on ci-test (1eada8d0)
Using Docker executor with image tetraweb/php ...
Using docker image sha256:17692e06e6d33d8a421441bbe9adfda5b65c94831c6e64d7e69197e0b51833f8 for predefined container...
Pulling docker image tetraweb/php ...
Using docker image tetraweb/php ID=sha256:474f639dc349f36716fb98b193e6bae771f048cecc9320a270123ac2966b98c6 for build container...
Running on runner-1eada8d0-project-3287351-concurrent-0 via lamp-512mb-ams2-01...
Fetching changes...
HEAD is now at dfdb499 Update .gitlab-ci.yml
Checking out dfdb4992 as master...
Skipping Git submodules setup
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 12
$ ssh-add <(echo "$PRODUCTION_PRIVATE_KEY")
Identity added: /dev/fd/63 (rsa w/o comment)
$ mkdir -p ~/.ssh
$ echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ apt-get install rsync
Reading package lists...
Building dependency tree...
Reading state information...
rsync is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ ssh $PRODUCTION_SERVER_USER@$PRODUCTION_SERVER
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '{MY_SERVER_IP}' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
ERROR: Job failed: exit code 1

提前致谢。

4 个答案:

答案 0 :(得分:11)

您需要将公钥添加到服务器,以便将其识别为身份验证密钥。也就是说,将您正在使用的私钥对应的公钥内容粘贴到~/.ssh/authorized_keys上的$PRODUCTION_SERVER

答案 1 :(得分:0)

这是对我有用的脚本:

before_script:
                - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
                - mkdir -p ~/.ssh
                - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
                - chmod 700 ~/.ssh/id_rsa
                - eval "$(ssh-agent -s)"
                - ssh-add ~/.ssh/id_rsa
                - ssh-keyscan -t rsa 64.227.1.160 > ~/.ssh/known_hosts
                - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
                - chmod 644 ~/.ssh/known_hosts

我也必须取消保护该变量。

Gitlab pipelines ssh key

答案 2 :(得分:0)

有些重要的事情... 〜/ .ssh / authorized_keys文件的权限应为600。

答案 3 :(得分:0)

以下可以交替使用

some_stage:
        - eval $(ssh-agent -s)
        - cd ~
        - touch id.rsa
        - echo "$SSH_PRIVATE_KEY" > id.rsa
        - chmod 700 id.rsa
        - ssh -o StrictHostKeyChecking=no -i id.rsa $SSH_USER@$SERVER