GitLab CI/CD can't connect to my remote VPS. I took https://gitlab.com/gitlab-examples/ssh-private-key as an example to make a .gitlab-ci.yaml file. Its contents:

```yaml
image: ubuntu

before_script:
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )'
  - eval $(ssh-agent -s)
  - echo "$SSH_KEY_VU2NW" | tr -d '\r' | ssh-add -
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  - ssh-keyscan (domain name here) >> ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts

Test SSH:
  script:
  - ssh root@(IP address here)
```

The runner responds with

the connection is refused

The server auth log says

```
sshd[2222]: Unable to negotiate with XXXXX port 53068: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
sshd[2220]: Unable to negotiate with XXXXX port 53068: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
```

Is there any way to solve this? I already tried connecting to another VPS, also without luck.

C.A. Vuyk
  • Maybe it is a key format issue? (I [used `ssh-keygen -t rsa -P "" -m PEM`](https://stackoverflow.com/questions/62502921/ssh-from-shared-gitlab-runner-stopped-working#comment110569199_62508041)) for testing the old format. – VonC Oct 01 '22 at 08:10
  • Thanks for the hint @VonC , I tried it with same results as earlier, unfortunately. – C.A. Vuyk Oct 01 '22 at 12:15
  • Would [modifying the `~/.ssh/config` file](https://askubuntu.com/a/1368561) help? – VonC Oct 01 '22 at 19:38
  • Yes, I thought of that and tried `Host * StrictHostKeyChecking no Host * HostKeyAlgorithms +sk-ecdsa-sha2-nistp256 PubkeyAcceptedKeyTypes +sk-ssh-ed25519` But, no, it didn't work... – C.A. Vuyk Oct 03 '22 at 06:17

1 Answer

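Finally got it to work, with these contents in the .gitlab-ci.yaml file:

```yaml
image: ubuntu
before_script:
  # Install the OpenSSH client only if the image does not already provide it
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )'
  - eval $(ssh-agent -s)
  - mkdir -p /root/.ssh
  - chmod 700 /root/.ssh
  # Write the private key from the CI/CD variable to the default identity file
  - echo "$SSH_KEY_GITLAB" >> /root/.ssh/id_rsa
  # Record the server's host key in known_hosts
  - ssh-keyscan DOMAINNAME >> /root/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts
  # The private key file must not be readable by other users
  - chmod 400 ~/.ssh/id_rsa
Test SSH:
  script:
  - ssh root@DOMAINNAME
```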

Where `$SSH_KEY_GITLAB` is set in GitLab's Settings > CI/CD section and is a private key, generated by PuTTY and converted in PuTTY to an OpenSSH key. The public version of this key must be in the target host's `~/.ssh/authorized_keys`, and DOMAINNAME must be a domain that resides on the target host, or the DNS record should point there anyhow.

With ssh -vvv came some debugging info that pointed to the checking of ~/.ssh/id_rsa, so that's where I put the private key.

C.A. Vuyk
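
A hardened variant of the key and known_hosts setup from the answer, as an added example that is not part of the original post: it rejects a key that is still in PuTTY's .ppk format, overwrites the key file instead of appending to it, and takes host keys from a pinned value rather than running ssh-keyscan in every job. The helper name `install_ssh_material` and the CI variable `SSH_KNOWN_HOSTS` are assumptions; `SSH_KEY_GITLAB` is the answer's variable.

```shell
#!/bin/sh
# Added example (not from the original post). install_ssh_material is a
# hypothetical helper; SSH_KNOWN_HOSTS is an assumed CI/CD variable holding
# host key lines that were verified once, out of band.
# In the job:
#   install_ssh_material /root/.ssh "$SSH_KEY_GITLAB" "$SSH_KNOWN_HOSTS"

# usage: install_ssh_material <ssh_dir> <private_key_text> <known_hosts_text>
install_ssh_material() {
    ssh_dir=$1 key=$2 known=$3

    # A PuTTY .ppk file starts with "PuTTY-User-Key-File-" and OpenSSH cannot
    # read it, so require a PEM/OpenSSH armor line before writing anything.
    case $key in
        "-----BEGIN "*"PRIVATE KEY-----"*) ;;
        *) echo "private key is not in PEM/OpenSSH format" >&2; return 1 ;;
    esac

    # Require at least one "host keytype base64key" line: without a pinned
    # host key the job has no way to tell the real server from another one.
    printf '%s\n' "$known" |
        awk 'NF >= 3 && $1 !~ /^#/ { ok = 1 } END { exit !ok }' || {
            echo "no pinned host key supplied" >&2; return 1; }

    old_umask=$(umask)
    umask 077          # new files are created 0600 and new directories 0700
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || {
        umask "$old_umask"; return 1; }

    # Overwrite (>) rather than append (>>) so a reused runner never ends up
    # with two keys in one file; strip CRs left by Windows tools and make
    # sure the file ends with a newline.
    printf '%s\n' "$key"   | tr -d '\r' > "$ssh_dir/id_rsa"
    printf '%s\n' "$known" | tr -d '\r' > "$ssh_dir/known_hosts"
    chmod 600 "$ssh_dir/id_rsa"
    chmod 644 "$ssh_dir/known_hosts"
    umask "$old_umask"
}
```
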