appleboy/drone-ssh

Key not used during SSH handshake

webpolis opened this issue · 26 comments

I have my key_path set and properly mounted, but it seems it's not even used during SSH handshake:

2017/03/03 14:45:08 staging.xxxxxx.com: outputs: 
2017/03/03 14:45:08 drone-ssh error:  ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

This is what the pipeline looks like:

  ssh:
    image: appleboy/drone-ssh
    when:
      branch: [staging, production]
    host: ${DRONE_BRANCH}.xxxxxx.com
    port: 9999
    user: root
    key_path: /root/${DRONE_BRANCH}.key
    script:
      - echo "yay"

And my docker-compose.yml:

  drone-server:
    container_name: xxxxxxx-ci
    image: drone/drone:0.5
    volumes:
      - /var/lib/drone:/var/lib/drone
    restart: always
    env_file: drone.env
  drone-agent:
    image: drone/drone:0.5
    command: agent
    restart: always
    depends_on: [ drone-server ]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/staging.key:/root/staging.key
    env_file: drone.env

Of course, the .key file is present:

-rw-r--r--  1 root root      3326 Mar  1 12:57 staging.key

I seem to be experiencing this issue as well..

xenji commented

I would set the file permissions to 0600 and give that a try. OpenSSH is strict about key security. If that still does not work, I would also assume a bug.

Please set file permission as 400.

@webpolis Any updates?

hi @appleboy ,
I have the same issue, my pipeline is

ssh:
    image: appleboy/drone-ssh
    host: 192.168.254.1
    port: 22
    username: drone
    key_path: /root/drone.key
    #secrets: [ssh_username, ssh_key]
    script:
      - "docker service update --image fredix/hugo hugo"
    when:
      status: success

my yml for docker swarm is

  drone-agent:
    image: drone/drone:0.7.1
    restart: always
    env_file: .env.production-agent
    command: agent
    depends_on:
      - drone-server
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /sync/drone/agent/drone.key:/root/drone.key
    deploy:
      placement:
        constraints:
          - node.labels.location == home

permission is set to 400

ls -al /sync/drone/agent/drone.key 
-r--------. 1 root root 3243  6 juin  01:45 /sync/drone/agent/drone.key

@fredix I will try your config.

Is there any update on this issue??

Hi @appleboy , I have the same issue, any updates ??

@dev-drprasad Could you help try to add ssh key using drone secret?

Dear all,
I tried all the methods from this issue, but the problem still exists;
whether I use the secrets in Drone or key_path, the problem occurs.

BUT, I solved the problem only by upgrading Drone from 0.7 to 0.8.
I have no idea why. If someone is still facing the problem, maybe give it a try.

@chrisliuqq It is working on drone 0.5, 0.6, 0.7 and 0.8 version with secrets in drone. Maybe I should try it out the key_path way.

This was a while ago, but I believe I experienced this issue whilst trying to mount an ssh key to my drone server's ~/.ssh directory (which is a big no-no). I would recommend creating a brand new drone container, making sure you aren't mounting anything funky to the drone server, and then adding the key via secrets as @appleboy suggests.

Please enable the trusted mode in project setting if you want to load secret key from key_path. See the following screenshot.

[screenshot]

I have enabled the Trusted option in Project Settings, but it is still not working with key_path.

But I found a solution: mount the private key into the plugin's container instead of the drone agent.

pipeline:

pipeline:
  ssh:
    image: appleboy/drone-ssh
    host: xxxxx.com
    username: deploy
    volumes:
      - /root/drone_rsa:/root/ssh/drone_rsa
    key_path: /root/ssh/drone_rsa
    script:
      - echo "test ssh"

That works!

Of course, enabling Trusted mode is required.

Hi @harryxu!
Good job, I tried your config and it works well. @appleboy maybe you should update the doc with that tip?

I gave up using secrets...

:-(

It simply didn't work.

I'd set a secret in the GUI, via the drone CLI.

But this buried on the bottom of the front door worked

  deploy:
    image: appleboy/drone-ssh
    host: 192.168.0.11
    port: 22
    username: vagrant
    volumes:
      - /vagrant/.vagrant/machines/toolchain/virtualbox/private_key:/root/ssh/drone_rsa
    key_path: /root/ssh/drone_rsa
    command_timeout: 360
    script:
      - date
    when:
      branch: master

I tried

drone secret add --name TOOLCHAIN_SSH_KEY --value @/vagrant/.vagrant/machines/toolchain/virtualbox/private_key --repository root/helloworld-martini

And cutting and pasting the contents of /vagrant/.vagrant/machines/toolchain/virtualbox/private_key into the Drone Secret gui for a TOOLCHAIN_SSH_KEY

[vagrant@dev helloworld-martini]$ drone secret ls --repository root/helloworld-martini
TOOLCHAIN_SSH_KEY 
Events: push, tag, deployment
Images: <any>

then using a pipeline like so

  deploy:
    image: appleboy/drone-ssh
    host: 192.168.0.11
    port: 22
    username: vagrant
    ssh_key: [TOOLCHAIN_SSH_KEY]
    command_timeout: 360
    script:
      - date

And I could always connect from the command line:

ssh -i /vagrant/.vagrant/machines/toolchain/virtualbox/private_key vagrant@192.168.0.11

So how do I generate the drone_rsa key in the drone container?

@harryxu Do we need to generate an ssh key inside the container? where does drone_rsa come from?

@itsnauman Use ssh-keygen command.

Inside the container? or do I mount a volume with the SSH key

@itsnauman You can generate ssh key on host os, and mount it to container.

The following drone.yml is failing with getKeyFile error: open /root/drone_rsa: no such file or directory:

kind: pipeline
name: default

steps:
- name: deploy code
  image: appleboy/drone-ssh
  settings:
    host: develop.example.com
    username: deploy
    volumes:
    - /home/drone/.ssh/id_rsa:/root/drone_rsa
    key_path: /root/drone_rsa
    script:
    - echo "Target host name:" `hostname`
    when:
      branch:
      - drone-setup

(Drone 1.6.1)

Syntax changed https://docker-runner.docs.drone.io/configuration/volumes/host/ which turns the above to:

kind: pipeline
name: default

steps:
- name: deploy code
  image: appleboy/drone-ssh
  volumes:
  - name: ssh_key
    path: /root/drone_rsa
  settings:
    host: develop.example.com
    username: deploy
    key_path: /root/drone_rsa
    script:
    - echo "Target host name:" `hostname`
    when:
      branch:
      - drone-setup

volumes:
- name: ssh_key
  host:
    path: /home/drone/.ssh/id_rsa
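
Added example, not part of the thread or of drone-ssh: the two failures reported above (`getKeyFile error: open ...: no such file or directory`, and `attempted methods [none]`, which is what Go's SSH client reports when it had no key or password to offer) both come down to the plugin container not having a usable key at `key_path`. The hypothetical `check_key_path` helper below tells the usual causes apart when run in a container that has the same volume mounts as the plugin step; its return codes are this example's own convention.

```shell
#!/bin/sh
# Added example: pre-flight check for the file a step passes as key_path.
# check_key_path is a hypothetical helper, not part of drone-ssh.
# Return codes (this example's convention): 0 ok, 1 missing, 2 directory,
# 3 unreadable, 4 not a PEM private key, 5 readable by group/others.

check_key_path() {
    key=$1
    # Nothing at that path in THIS container (e.g. mounted into the agent only).
    if [ ! -e "$key" ]; then
        echo "missing: $key does not exist in this container" >&2
        return 1
    fi
    # A -v style bind mount of an absent host path makes Docker create a directory.
    if [ -d "$key" ]; then
        echo "directory: $key is a directory; check the host side of the mount" >&2
        return 2
    fi
    if [ ! -r "$key" ]; then
        echo "unreadable: $key cannot be read by uid $(id -u)" >&2
        return 3
    fi
    # First line must be a PEM private-key header (RSA, EC, OPENSSH, PKCS#8).
    if ! head -n 1 "$key" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'; then
        echo "format: $key does not start with a PEM private key header" >&2
        return 4
    fi
    # Key hygiene: no access for group or others (600 or 400, as advised above).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        *00) ;;
        *) echo "permissions: mode $mode, expected 600 or 400" >&2; return 5 ;;
    esac
    echo "ok: $key"
    return 0
}

# Stand-alone use: sh check_key.sh /root/drone_rsa
if [ "$#" -gt 0 ]; then
    check_key_path "$1"
fi
```
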

I gave up using secret...and using volumes and key_path works!

my pipeline

pipeline:
  deploy:
    image: appleboy/drone-ssh
    host: 10.xx.xx.123
    username: drone
    volumes:
      - /tmp/id_rsa:/tmp/id_rsa
    key_path: /tmp/id_rsa
    port: 22
    script:
      - echo "hello drone" > /tmp/hello.drone