Using GitLab CI, I want to push production code to a remote webhost.

To connect with SSH, I am storing the key pair's private key in the variables of my GitLab repository. I've also copied the public key to the authorized keys of the server. This is (part of) my .gitlab-ci.yml.

image: ubuntu

before_script:
  # Set up SSH credentials and known host
  - which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  # Strip CRs in case the variable was pasted from Windows; the key file must not be group/world readable (0600, not 0700), or ssh refuses to load it
  - echo "$SSH_PRIVATE" | tr -d '\r' > ~/.ssh/id_rsa
  - chmod 600 ~/.ssh/id_rsa
  - eval "$(ssh-agent -s)"
  - ssh-add ~/.ssh/id_rsa
  # Log the pinned host key line (public data, not a secret) and install it so the first connection is verified instead of trusted on first use
  - echo "$SSH_KNOWN_HOSTS"
  - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts

This method works, but I'm questioning the security of it. Is my private key safe this way? How else can I achieve the result that I'm looking for?

EDIT: I'm particularly questioning the security of this method in a production environment.

Justin Praas

1 Answer

The official example is in gitlab-examples/ssh-private-key

Its .gitlab-ci.yml uses a custom environment variable SSH_PRIVATE_KEY, as described in "How to simplify your smart home configuration with GitLab CI/CD / Preparing the server (and GitLab) for SSH access".

As long as that variable is masked, this should be secure enough.

VonC
  • You can't mask a variable containing a private key if it contains line breaks though. – Clockwork Feb 02 '22 at 14:05
  • @Clockwork Indeed. Not without pre- and post-processing, as in https://stackoverflow.com/a/54675024/6309. – VonC Feb 02 '22 at 15:08
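The following is an added example, not code from the question, the answer, or the gitlab-examples project. It covers both the before_script in the question and the masking caveat raised in the comments: GitLab only masks a variable whose value is a single line of at least 8 characters drawn from the Base64 alphabet (plus @ : . ~), which a multi-line PEM key cannot satisfy, so the key is base64-encoded once and decoded in the job. Assumed names that do not appear on the page: a masked variable SSH_PRIVATE_KEY_B64 holding the encoded key, a plain variable SSH_KNOWN_HOSTS holding the server's host key line, the key file name id_ed25519, and all function names. The sample key material in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not code from the question or the linked GitLab example.
# Assumptions (not from the page): the private key is stored in a masked CI
# variable SSH_PRIVATE_KEY_B64 as one base64 line, and the server's host key
# line is stored in a plain variable SSH_KNOWN_HOSTS. Function names are ours.
set -eu

# GitLab only masks a variable whose value is one line of at least 8
# characters from the Base64 alphabet (plus @ : . ~). A PEM key has line
# breaks and dashes, so it fails; its base64 encoding passes.
is_maskable() {
  v=$1
  [ "${#v}" -ge 8 ] || return 1
  # wc -l counts newline characters; a single unterminated line gives 0
  [ "$(printf '%s' "$v" | wc -l)" -eq 0 ] || return 1
  printf '%s' "$v" | grep -Eq '^[A-Za-z0-9+/=@:.~]+$'
}

# Encode a key file so it can be pasted into a masked variable. Avoids the
# GNU-only `base64 -w0` so it also works on BSD/macOS.
encode_key_for_ci() {
  base64 < "$1" | tr -d '\n'
}

# install_ssh_material SSH_DIR B64_KEY KNOWN_HOSTS_LINE
# Decodes the key into SSH_DIR with mode 0600 and pins the host key, so the
# first connection is verified rather than trusted on first use.
install_ssh_material() {
  ssh_dir=$1 b64_key=$2 known_hosts=$3
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  # umask 077 in a subshell: the file is never world-readable, even before chmod
  ( umask 077 && printf '%s' "$b64_key" | base64 -d > "$ssh_dir/id_ed25519" )
  chmod 600 "$ssh_dir/id_ed25519"
  printf '%s\n' "$known_hosts" > "$ssh_dir/known_hosts"
  chmod 644 "$ssh_dir/known_hosts"
}

# Octal mode of a path (GNU stat, falling back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# What the job's before_script would call. Not run here: it needs ssh-agent
# and the real CI variables.
ci_before_script() {
  install_ssh_material "$HOME/.ssh" "$SSH_PRIVATE_KEY_B64" "$SSH_KNOWN_HOSTS"
  eval "$(ssh-agent -s)"
  ssh-add "$HOME/.ssh/id_ed25519"
}
```

To use it: generate a dedicated deploy key with `ssh-keygen -t ed25519 -N '' -f deploy_key`, run `encode_key_for_ci deploy_key` and paste the one-line output into a variable that is both masked and protected (so only protected branches can read it), and put the output of `ssh-keyscan -t ed25519 <host>` into SSH_KNOWN_HOSTS after checking the fingerprint against the server out of band. In the job, the before_script reduces to sourcing this file and calling ci_before_script.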