5

I want to run pipline on Bitbucket. I made all the necessary settings. I installed ssh_askpass. I am using Ubuntu 18.

However, I am getting the error below.

ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Permission denied, please try again.

My bitbucket-pipelines.yml file:

pipelines:
  default:
    - step:
        deployment: staging
        caches:
          - composer
        script:
          - ssh -T root@142.93.143.146
          - eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa && ssh-add -l
          - cd /var/www/backoffice/
          - git checkout master 
          - git pull origin master 
          - sudo php artisan optimize 
          - sudo composer dump-autoload
          - echo 'Deploy finished....'
omero
  • 93
  • 1
  • 4
  • 10
  • 2
    What are you trying to accomplish? IIRC, ssh-askpass is aimed toward GUI users so they can enter their passphrase in a more friendly way. I'm not sure it makes sense for what you're doing. If anything, it seems like you should be using ssh's authorized_keys file to help with deployment. Even better would be to have some sort of [webhook](https://github.com/adnanh/webhook) listener that could be tipped off and do the deployment, but you might not get all the feedback you want. – John Szakmeister Aug 24 '20 at 18:11

3 Answers3

2

You aren't going to be able to use any sort of GUI program like ssh-askpass on a CI system because on Linux CI systems there is no GUI available.

If you want to use an SSH key in a CI system, you should use one that does not have a password set and store it in your CI system's secret store, then copy it to a file and use it. OpenSSH intentionally does not provide a way to programmatically read a password.

Note that if you have only one SSH key without a password, you don't need ssh-agent or ssh-add at all. Assuming the contents of your private key are in the variable SSH_KEY (e.g., due to your CI system's secret store), you can simply do this:

echo "$SSH_KEY" > ~/.ssh/id_rsa
ssh root@142.93.143.146 'echo hello from the remote machine`

You won't want to run ssh without a command since that will try to start an interactive session, which won't be useful to you. If your goal is to use Git to push and pull over an SSH connection, then you don't need to run ssh at all.

Finally, note that you will probably want to write the remote system's host key information into a file as part of your pipeline, either from your pipeline or a secret, because SSH won't connect if the host key isn't trusted. You can obtain this information by running a command like this: ssh-keyscan github.com 2>/dev/null. You can then take that output and insert it into your known_hosts file like this:

echo "github.com ssh-rsa AAAA...truncated" > ~/.ssh/known_hosts

This is far more secure than turning off strict host key checking.

bk2204
  • 64,793
  • 6
  • 84
  • 100
  • Thank you for answer. I dont know why using the "ssh_askpass". I am using Bitbucket. I want to make a Pull-Request after the push is done. I'm still getting the error. I could not find a serious answer on the internet. – omero Aug 25 '20 at 08:56
  • That's a totally separate question, so please ask it in a new question. There isn't possibly space for me to answer it in the comments. – bk2204 Aug 25 '20 at 23:22
1

When you configure pipeline deployments through Bitbucket you need to make sure you've updated Bitbucket with the fingerprint of each server. I recently discovered if you fail to do that you get ssh_askpass error, which is a little misleading.

To add the server fingerprint, go to "Repository Settings", then scroll down to the "Pipeline" section on the left and click "SSH Keys".

On the SSH Keys page, scroll to the bottom and you'll see a section titled "Known hosts".

Enter the IP address for the server and click the "Fetch" button to have Bitbucket fetch the fingerprint. Wait a second and it will populate the finterprint in the textbox just to the right of the host address. Once that's done click the button to add the host to the Known Hosts list.

You also need to setup the SSH keys but based on the error you're seeing, I'm betting you already did that part.

Doug Couvillion
  • 1,071
  • 10
  • 13
0

I experienced a similar error using VS Code communicating with a git repository on a local build of Azure DevOps Server. I fixed the problem by

  1. Replacing the ssh url with a http url in the .git/config file.
#unedited
[remote "origin"]
    url = ssh://X.X.X.X:22/theproject/_git/serverThing
    fetch = +refs/heads/*:refs/remotes/origin/*
|update
|this
V
#edited
[remote "origin"]
    url = http://X.X.X.X/theproject/_git/serverThing
    fetch = +refs/heads/*:refs/remotes/origin/*

  1. Performing a $ git fetch. Entered username and password here.

  2. Then changing the .git/config file back to the ssh url.

#edited for resetting known_host key file.
[remote "origin"]
    url = http://X.X.X.X/theproject/_git/serverThing
    fetch = +refs/heads/*:refs/remotes/origin/*
|update
|this
V
#final form
[remote "origin"]
    url = ssh://X.X.X.X:22/theproject/_git/serverThing
    fetch = +refs/heads/*:refs/remotes/origin/*
  1. Perform another $ git fetch - This results in updating the .ssh/known_host key file.
The authenticity of host 'X.X.X.X (X.X.X.X)' can't be established.
RSA key fingerprint is SHA256:noisehash.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'X.X.X.X' (RSA) to the list of known hosts.

I hope this helps.

Jon Hebert
  • 13
  • 5