Scp using public key


#1

Hi all! I’m new to the community and trying to set things up for a passwordless scp deployment. I am not a sysadmin, but from what I understand traditionally, what I need in order to achieve this is to configure the public SSH key of the server running the scp as an authorized_host of the destination.

So I look at CircleCI settings and it’s asking me for my private SSH key (i.e.: where I am deploying to). This is exactly the opposite of how trustability in the crypto world works, as far as I am aware. You are making me copy my private key into a web form. By uploading it to CircleCI, I’m effectively giving you permission to access every other server in the world that acknowledges my public key.

TravisCI, just to give an example, has a mechanism for encrypting the id_rsa file and only decrypting it during a build if it’s needed. And that whole process is done via a CLI tool (not a web browser).

So how should I go about all this? Any other proposed way I could tackle this without the implications of a potentially severe security breach?

Thank you very much.


#2

You are correct here. I would suggest using a specific key that you generate on the server(s) that you are deploying to rather than using “your” key.

We encrypt the data at rest, and the web form is over TLS so there is no significant risk of uploading and using the key this way.

What I typically do is:

  1. Log into my server that I want CircleCI to deploy to as the user that is going to be doing the deployment (not root).
  2. Run ssh-keygen
  3. Copy ~/.ssh/id_rsa to the CircleCI web form
  4. Copy ~/.ssh/id_rsa.pub to authorized_keys

Best,
Lev


#3

Hi,

Did the scp copy work after that? In my setup, the scp request asks me to accept the remote host, but I cannot ssh to the CircleCI 2 instance to accept the remote server.
=> Are you sure you want to continue connecting (yes/no)?
I added the ‘Installing additional ssh keys’ run step. What did I miss in the configuration?


#4

I’m not 100% clear on what you said but…

As Lev mentioned, you want to create a new key pair. The private key, you upload to CircleCI, via our website, in the project’s setting page. The public key, you append it to the authorized_keys file on the server you are trying to deploy to.

Keep in mind that the username needs to be correct as well. Every system user on the remote server has its own authorized_keys file, so make sure you specify the correct one.


#5

I managed the key pair deployment on CI and my server.
My issue is that I cannot make ssh/scp accept the key fingerprint.
I’ve found a workaround, but it does not feel very secure:

  - add_ssh_keys
  - deploy:
      command: |
        if [ "${CIRCLE_BRANCH}" == "circle_2_deploy" ]; then
          scp -oStrictHostKeyChecking=no -r /home/ubuntu/mdph/dist/. ${DEPLOY_USER}@${DEPLOY_SERVER}:${DEPLOY_DIR}/.
        fi

What do you think of it?


#6

That goes without saying.

From the moment I press Ctrl/Cmd+C on my private key, the risk ceased to be zero (I’m assuming my own private server is reasonably secure or secure enough for me, under my responsibility). I’m sure you don’t have any intrinsically bad intentions (though I only have your word for it) - but you can’t offer any guarantee that any other third party out there doesn’t. Now or in the future.

I guess what I’m trying to say is that asymmetric cryptography in general is a perfectly clear mechanism that works well enough as long as we all abide by certain rules: rules that you are openly breaking. Or encouraging people to break. If he is to contact Alice, Bob needs to know her public key. Private keys should never be shared under any circumstance - unless, of course, the man with the wrench comes along.


#7

You can add the public key indicated by the fingerprint like this:

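  - add_ssh_keys
  - deploy:
      command: |
        if [ "${CIRCLE_BRANCH}" == "circle_2_deploy" ]; then
          # Pin the server's host key so scp can verify the remote host.
          echo '<hostname> <type> <key>' >> ~/.ssh/known_hosts
          # With the key pinned, keep strict checking on: a mismatched host key aborts the copy.
          scp -oStrictHostKeyChecking=yes -r /home/ubuntu/mdph/dist/. ${DEPLOY_USER}@${DEPLOY_SERVER}:${DEPLOY_DIR}/.
        fi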

By your example, hostname would be ${DEPLOY_SERVER}, type is the type of SSH key (ssh-rsa, ecdsa-sha2-nistp256, etc), and key is the public key of hostname.
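
One way to check a `<hostname> <type> <key>` line against the server's fingerprint before appending it to known_hosts, as an added example that is not part of the original thread or CircleCI's own code. It assumes the expected fingerprint was read on the server itself over a trusted channel; the function names, `deploy.example.com` and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real server key: an ssh-ed25519 blob with dummy key bytes.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "deploy.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def fingerprint(key_b64):
    """Return the fingerprint as OpenSSH prints it: SHA256:<unpadded base64 of sha256(blob)>."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(key_b64):
    """Read the key type stored inside the blob (4-byte big-endian length, then the name)."""
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        raise ValueError("key type length exceeds blob size")
    return blob[4:4 + name_len].decode("ascii")


def verified_known_hosts_line(line, host, expected_fp):
    """Return the normalized line if it is safe to pin; raise ValueError otherwise."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected '<hostname> <type> <key>'")
    name, key_type, key_b64 = fields
    if name != host:
        raise ValueError("entry is for a different host")
    if blob_key_type(key_b64) != key_type:
        raise ValueError("declared key type does not match the key blob")
    if fingerprint(key_b64) != expected_fp:
        raise ValueError("fingerprint mismatch, refusing to pin this key")
    return " ".join(fields)


if __name__ == "__main__":
    # Assumption: in a real job expected_fp comes from a trusted source, not from the line itself.
    expected_fp = fingerprint(SAMPLE_LINE.split()[2])
    print(verified_known_hosts_line(SAMPLE_LINE, "deploy.example.com", expected_fp))
```

The returned line is what gets appended to `~/.ssh/known_hosts`; a `ValueError` should fail the deploy step instead of falling back to an unverified connection.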


#8

Now, this is more like it. I wasn’t aware of the add_ssh_keys step. In my humble opinion, this should really be the de facto way of managing scenarios like this. But some official replies and documents are sadly pointing the other way.

Thank you very much, @FelicianoTech.


#9