shimataro/ssh-key-action

Stored key not picked up by scp

antonpirker opened this issue · 5 comments

Hello!

First, thanks for this action, really nice!

I have the problem that the saved key file is not found by a call to scp in the following step.

This is how I call your action:

    - name: Install SSH key
      uses: shimataro/ssh-key-action@v1
      with:
        private-key: ${{ secrets.SSH_KEY_PRODUCTION }}
        public-key: ${{ secrets.SSH_KEY_PRODUCTION_PUBLIC }}

In the log of my workflow I see the following message (so I assume everything worked as expected):

Run shimataro/ssh-key-action@v1
  with:
    private-key: ***
    public-key: ***
    name: id_rsa
SSH key has been stored to /home/runner/.ssh successfully.

In my workflow then I call scp like this:

    - name: Deploy to production
      if: github.ref == 'refs/heads/master'
      run: |
        scp -v ./docker-compose.yml myuser@141.93.196.111:/somedir/

In the log of my workflow I see that the file is not found:

Run scp -v ./docker-compose.yml codefrog@142.93.196.203:/codefrog/
Executing: program /usr/bin/ssh host 142.93.196.203, user codefrog, command scp -v -t /codefrog/
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 142.93.196.203 [142.93.196.203] port 22.
debug1: Connection established.
debug1: identity file /home/runner/.ssh/id_rsa type 0   <--- *** HERE! ***
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Can you please help me? What am I missing?
Thank you very much!

Hello @antonpirker. Thank you for using this action!

debug1: identity file /home/runner/.ssh/id_rsa type 0   <--- *** HERE! ***

It is not an error; it means that id_rsa is an RSA key.
(see here)

As far as I can see, SCP seems to have connected successfully.
If the transfer failed, could you paste the whole log?

Hi!

Thanks for your quick reply. The error message is in the next line:

debug1: identity file /home/runner/.ssh/id_rsa type 0   <--- *** HERE! ***
debug1: key_load_public: No such file or directory

So it seems that the file is not found by scp. Any idea why this is failing?

Thanks
Anton

PS: This is the complete log of the scp command attempt:


Run scp -v ./docker-compose.yml codefrog@142.93.196.203:/codefrog/
Executing: program /usr/bin/ssh host 142.93.196.203, user codefrog, command scp -v -t /codefrog/
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 142.93.196.203 [142.93.196.203] port 22.
debug1: Connection established.
debug1: identity file /home/runner/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000

OK, I understand what you are saying.

These pairs seem to consist of key_load_public and identity file, in this order.
I tried removing id_rsa.pub and running scp on my computer:

...
debug1: Connection established.
debug1: key_load_public: No such file or directory           <- appeared before id_rsa!
debug1: identity file /home/shimataro/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/shimataro/.ssh/id_rsa-cert type -1
...

In your case, I think it's no problem because no key_load_public is printed before id_rsa.

...
debug1: Connection established.
debug1: identity file /home/runner/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory           <- for id_rsa-cert.pub
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
...

By the way, is docker-compose.yml transferred successfully?
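The pairing described in the reply above (a `key_load_public` error belongs to the `identity file` line that follows it) can be checked mechanically. The script below is an added example, not part of the original thread or of ssh-key-action; the function names and the sample log are constructed for illustration, and it assumes identity paths contain no spaces.

```shell
#!/bin/sh
# Added example: attribute each key_load_public error in `ssh -v` / `scp -v`
# output to the identity file line that FOLLOWS it, as the thread works out.

# Constructed sample, shaped like the debug output quoted in this thread.
sample_log() {
cat <<'EOF'
debug1: Connection established.
debug1: identity file /home/runner/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/runner/.ssh/id_ed25519 type -1
EOF
}

# Reads debug output on stdin and prints one line per identity file:
#   <path> loaded type=<n>      public key information was read
#   <path> missing (<reason>)   type -1; reason comes from the preceding line
classify_identities() {
  awk '
    /^debug1: key_load_public: / {
      pending = $0
      sub(/^debug1: key_load_public: /, "", pending)
      next
    }
    /^debug1: identity file / {
      path = $4; type = $6        # assumes no spaces in the path
      if (type == "-1")
        printf "%s missing (%s)\n", path, (pending != "" ? pending : "no reason logged")
      else
        printf "%s loaded type=%s\n", path, type
      pending = ""
      next
    }
    { pending = "" }              # any other line ends a pending error
  '
}

# Succeeds only if the identity file given as $1 was reported as loaded.
identity_loaded() {
  classify_identities |
    awk -v p="$1" '$1 == p && $2 == "loaded" { ok = 1 } END { exit !ok }'
}

sample_log | classify_identities
```

Run against the log in this issue, it reports `id_rsa` as loaded and attributes the first "No such file or directory" to `id_rsa-cert`, so the key file is not what made the transfer fail.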

Hi!

Sorry for the delay.
No, the docker-compose.yml was not transferred successfully.

I did some debugging and learned that the writing of the known_hosts file was the problem.

So I changed my scp command from:

scp -v ./docker-compose.yml codefrog@xxx.xxx.xxx.xxx:/codefrog/

to:

scp -v -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /home/runner/.ssh/id_rsa ./docker-compose.yml codefrog@xxx.xxx.xxx.xxx:/codefrog/

And now everything is working as expected!

Thanks a lot for helping track this issue down! Greetings from Austria!

@antonpirker
Congratulations!🎉

I highly recommend specifying the known-hosts parameter for security reasons.

- name: Install SSH key
  uses: shimataro/ssh-key-action@v1
  with:
    private-key: ${{ secrets.SSH_KEY_PRODUCTION }}
    public-key: ${{ secrets.SSH_KEY_PRODUCTION_PUBLIC }}
    known-hosts: ${{ secrets.KNOWN_HOSTS }} # optional, but HIGHLY recommended

And you will be able to run SCP without -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no.

scp -v ./docker-compose.yml codefrog@xxx.xxx.xxx.xxx:/codefrog/

Note: I'm planning to make known-hosts required in v2.