
Bitbucket Pipelines SSH documentation -> not working?

Jan Mueller July 30, 2019

Hello, 

I've followed the instructions in this article: https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html 

It looks like the information provided is more or less useless as following step by step does not result in having success. 

Using the built-in "feature" of having bitbucket generate a SSH pair for the user results in a password protected private-key which can not be used to connect. 

Why is this information in the documentation?

--- 

What I want to achieve: 

Connect via SSH and run a simple command (write some text into a file). That's it for now. 

 

---  

Anyways .. here's what I did: 

1. go to bitbucket.org -> your repo -> settings -> pipelines -> ssh keys 

2. generate SSH key & copy public key (also fetch host fingerprint while already here) 

3. log in to the target server and add the generated public key to ~./ssh/authorized_keys (making sure the file and enclosing folder have the right permissions, 600/700)

4. use this recipe: 

image: atlassian/default-image:2

pipelines:
  default:
    - step:
        script:
          - apt-get update -y
          - apt-get install -y ssh
          - ssh -t pipelines@staging.xxxxxxxx.xx "echo `foo` > httpdocs/foo"
          - echo "Everything is awesome!"

--> the build fails with this error message:  

ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Permission denied, please try again.
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Permission denied, please try again.
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I have a couple of questions already which neither the documentation nor the help in the GUI answers. 

I used ssh -t pipelines@.... to connect - why? Because running without the -t flag results in another error (the interactive terminal error)

Also I added a username (pipelines) which I did not set anywhere in Bitbucket. If I omit that, I'll get an error message (need a user). 

So I wonder.. what is it that I am not getting? What is the missing piece? Does it have something to do with that I used the generate SSH key function that Bitbucket / Pipelines provides which is just not working as it maybe is intended to work? <- my guess... 

I hope that my description is not too confusing and somebody (@Philip Hodder maybe?) has a couple minutes to point me into the right direction. 

I've spent hours on reading .. there are a lot of users having the exact same or similar problems. Atlassian.. where is your infamous support and superior documentation? :-/ 

Answer accepted
Daniil Penkin
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 30, 2019

Hi @Jan Mueller,

The error about ssh_askpass is raised because the SSH key you generated is password-protected, whereas the documentation page you linked has the following note:

Any SSH key you use in Pipelines should not have a passphrase.

So SSH tries to show a password prompt, which isn't possible in Pipelines because there's no one to enter anything back.

The other error ("need a user" when you don't specify a username in the ssh command) is raised because when you don't specify a user, SSH will try to log in to the remote host (staging.xxxxxxxx.xx in your case) as the same user that runs the SSH command locally. I bet you got this error when you disabled the aforementioned SSH key so the connection proceeded beyond the key password prompt point.

As an example, I successfully ran this command in Pipelines after adding custom SSH key:

ssh -p 10080 -l www  0.tcp.au.ngrok.io 'find . -name ".*history" -exec cat {} \;'

Hope this helps. Let me know if you have any questions.

Cheers,
Daniil

Jan Mueller July 31, 2019

First of all, thanks for your answer, Daniil. 

Yes, the documentation says the key shall not have a password. BUT the one Atlassian generates in the Bitbucket GUI 

1. go to bitbucket.org -> your repo -> settings -> pipelines -> ssh keys 

2. generate SSH key & copy public key (also fetch host fingerprint while already here) 

does have one and there is no way to remove it. So why is that? Why is that functionality even there when it can not be used? The documentation tells you to go there and do it but then on the very same page tells you not to use a password protected key. Those two things do not fit together. 

The next iteration for me now is to add a custom SSH key (funny .. the link in my first post gives a 404 now) and try again with that. 

So I can remove the key generated by Bitbucket in the GUI and in authorized_keys on the remote server. Will post back here after I'm done with that.

Daniil Penkin
Atlassian Team
July 31, 2019

Wait, I misread that part of your original message, sorry about that. If you generate an SSH key in the Pipelines settings UI, it complies with the requirements described in the manual, that is, it is not password protected.

In this case ssh_askpass likely appears because your remote didn't accept the SSH key, and ssh tried to fall back to a password prompt which, as I mentioned, doesn't work in Pipelines because the build runs in headless mode and there's no one to ask to enter that password.

Let's try to debug it and verify if my assumption is correct. Can you add -v parameter to your ssh command, run Pipeline again and check the output of that command? It should tell what keys it tried to offer and what was remote server's response. So, something like this:

 ssh -v staging.xxxxxxxx.xx "echo `foo` > httpdocs/foo" 

Let me know what was the output.

Cheers,
Daniil

Jan Mueller August 1, 2019

Hi Daniil, 

Let me know what was the output. 

This: 

https://dsc.cloud/jmueller/ssh-output-plain.rtf 


best, 

Jan 

Daniil Penkin
Atlassian Team
August 2, 2019

Hey @Jan Mueller,

So among the lines you can see this:

debug1: Trying private key: /opt/atlassian/pipelines/agent/ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

The first line means that SSH client tried to use private key .../ssh/id_rsa — this is what you created with Pipelines Settings. However, the next line means that the attempt failed and lists possible options to continue authentication (all of them obviously fail).

So the problem is that your target server doesn't recognize the SSH key offered. Please double check:

  • user staging exists on staging.skgbickenbach.de (if that's not the right user, you need to change your ssh command accordingly)
  • you added the right public key to staging.skgbickenbach.de for that user

In case of a successful authentication the log would look like this (I just replicated your setup, and it worked just fine):

debug1: Trying private key: /opt/atlassian/pipelines/agent/ssh/id_rsa
debug1: Authentication succeeded (publickey).

Hope this helps.

Cheers,
Daniil
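
The check described in the answer above (read the `ssh -v` output and see whether the offered key was accepted) can be automated in a build step. This is an added example, not part of the original thread or of Atlassian's documentation; the function name, the verdict strings and the `deploy@host.example` target in the comment are assumptions, and the sample log lines are constructed from the ones quoted on this page.

```shell
#!/bin/sh
# Classify the client-side output of `ssh -v` read from stdin.
# Prints exactly one line: ACCEPTED, REJECTED <key paths>, or NO_KEY_TRIED.
classify_ssh_auth() {
    awk '
        # The client found a private key and tried it against the server.
        /^debug1: Trying private key: / {
            sub(/^debug1: Trying private key: /, "")
            keys = (keys == "" ? $0 : keys "," $0)
        }
        # The server accepted a public key.
        /^debug1: Authentication succeeded \(publickey\)/ { accepted = 1 }
        END {
            if (accepted)        print "ACCEPTED"
            else if (keys != "") print "REJECTED " keys
            else                 print "NO_KEY_TRIED"
        }'
}

# Constructed sample: key offered, server refuses it, ssh falls back to askpass.
sample_rejected() {
    cat <<'EOF'
debug1: Trying private key: /opt/atlassian/pipelines/agent/ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
EOF
}

# Constructed sample: the same key, accepted by the server.
sample_accepted() {
    cat <<'EOF'
debug1: Trying private key: /opt/atlassian/pipelines/agent/ssh/id_rsa
debug1: Authentication succeeded (publickey).
EOF
}

# In a pipeline step (hypothetical user and host); BatchMode=yes disables
# password prompts, so a rejected key fails at once instead of invoking askpass:
#   ssh -v -o BatchMode=yes deploy@host.example true 2>&1 | classify_ssh_auth

sample_rejected | classify_ssh_auth
sample_accepted | classify_ssh_auth
```

A REJECTED verdict points at the server side: the user name in the ssh command, or the public key in that user's authorized_keys file.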

Jan Mueller August 2, 2019

Thanks so much, Daniil. 

With your advice I finally got it to work. 

Daniil Penkin
Atlassian Team
August 2, 2019

Awesome, I'm glad I was able to help :)
