
According to the docs at https://docs.gitlab.com/ee/ci/ssh_keys/

I can add a private SSH key as a CI variable and add it to my pipeline with

- eval $(ssh-agent -s)
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -

However, I get an error

Error loading key "(stdin)": incomplete message

I used the following command to generate the key pair:

ssh-keygen -t rsa -b 2048

and tried several things to resolve the issue:

a) With and without blank line at the end of the variable
b) Change type of variable to file
c) Change the way the key is generated (different -t and -b options)
d) First write to file and then add from file
e) Change encoding
f) Edit /etc/ssh/ssh_config and add the lines

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa 

=> Could not solve the issue until now.

Related question:

Error loading key "(stdin)": invalid format Gitlab CI

Some alternative commands that did not work:

echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null

echo "$SSH_PRIVATE_KEY" | base64 -d | ssh-add -

Another error message that I got while trying:

Error loading key "(stdin)": error in libcrypto

Edit

As a workaround, instead of adding the private key as a CI variable, I use a shell executor: I manually logged in on the GitLab runner host, changed the user to "gitlab-runner" and established an SSH connection. My corresponding CI job looks like this (you need to replace remote-server.de and [email protected]):

job_back_end_deploy:
  stage: deploy
  #variables:
  #  CI_DEBUG_TRACE: "true"  # uncomment this to get more detailed console output
  before_script:
  # In order for this to work, an SSH connection already needs to be manually prepared
  # between the user "gitlab-runner" on the host of the gitlab-runner and on the target server
  # you would like to connect to
  # Also see https://docs.gitlab.com/ee/ci/ssh_keys/#ssh-keys-when-using-the-shell-executor
  # -------------------------------------
  ## change to user "gitlab-runner"
  # su - gitlab-runner
  ## generate ssh key-pair
  # ssh-keygen -t rsa -b 2048
  ## copy public key to the remote server you would like to connect to (asks for password)
  # ssh-copy-id -p 222 -i /home/gitlab-runner/.ssh/id_rsa.pub [email protected]
  # -----------------------------  
  #
  # verify SSH host keys, also see
  # https://docs.gitlab.com/ee/ci/ssh_keys/#verifying-the-ssh-host-keys
  - ssh-keyscan 'remote-server.de' >> ~/.ssh/known_hosts
  script:    
  - echo 'Copying files to remote server...'
  - scp -P 222 -r ./back_end/ [email protected]:./public_html/back_end/   # add -v option to see more output if you want
  tags:
    - visualization 

1 Answer

Check the openssh version used: 8.2 used to trigger the "incomplete message" error.

Using a passphrase-less private key would be more convenient in your case (with key rotation, since you can force an SSH key to expire).

3 Comments

Thank you for the hint. I used openssh-client version 1:8.9p1-3. Upgrading to version 9.0p1 (as described in linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html) did not help.
When downgrading to version 8.1p1 the error changes to "Error loading key "(stdin)": error in libcrypto".
@Stefan That is tricky indeed, as openssh has its own runtime dependencies.
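
An added example, not part of the original question or answer: a pre-flight check that reports the shape of the variable before it reaches `ssh-add`, covering the variations the question lists (File-type variable, base64 encoding, lost line breaks, carriage returns) without printing key material. The function names `classify_key_var` and `sample_key` are hypothetical, and `base64 -d` and `grep -a` are assumed to behave as in GNU coreutils and grep.

```shell
#!/bin/sh
# Added example (not from the original thread): report the shape of a CI
# variable that should hold a private key, without printing key material.
# Prints one of: file-path base64-wrapped no-header flattened no-footer has-cr ok

classify_key_var() {
    val=$1
    cr=$(printf '\r')
    # A File-type variable expands to the path of a temp file, not the key.
    if [ -f "$val" ]; then echo "file-path"; return 0; fi
    clean=$(printf '%s' "$val" | tr -d '\r')
    first=$(printf '%s\n' "$clean" | awk 'NF { print; exit }')
    last=$(printf '%s\n' "$clean" | awk 'NF { l = $0 } END { print l }')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----"*) ;;
        *)  # No PEM header: see whether the whole value was base64-encoded.
            if printf '%s' "$clean" | base64 -d 2>/dev/null | head -n 1 |
                grep -aq '^-----BEGIN .*PRIVATE KEY-----'; then
                echo "base64-wrapped"
            else
                echo "no-header"
            fi
            return 0 ;;
    esac
    # Header present but everything on one line: line breaks were lost.
    lines=$(printf '%s\n' "$clean" | grep -c . || true)
    if [ "$lines" -le 1 ]; then echo "flattened"; return 0; fi
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "no-footer"; return 0 ;;   # value was truncated
    esac
    # Framing is intact; note carriage returns (the pipeline's tr removes them).
    case $val in *"$cr"*) echo "has-cr"; return 0 ;; esac
    echo "ok"
}

# Constructed placeholder with the right framing; the body is not a real key.
sample_key() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=' \
        '-----END OPENSSH PRIVATE KEY-----'
}

classify_key_var "$(sample_key)"
```

In a job, `classify_key_var "$SSH_PRIVATE_KEY"` can run just before the `ssh-add` line; a `file-path` result means the variable holds a path, which `ssh-add "$SSH_PRIVATE_KEY"` would load after `chmod 400`.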
