# SSH from github action
199 messages · Page 1 of 1 (latest)
Might not be exactly what you want, but it helps you to go into the running action and figure out the commands to ssh to your server before automating them in a workflow
Thanks @near elk. I saw this now. I am here at the moment:
```yaml
name: Deploy
runs-on: ubuntu-latest
needs: build
steps:
  - name: Checkout repository
    uses: actions/checkout@v2
  - name: Set up Cloudflared
    uses: docker://cloudflare/cloudflared:latest
    with:
      entrypoint: /usr/local/bin/cloudflared
      args: access ssh --hostname ${{ secrets.HOST }}
  - name: Set up SSH
    run: |
      mkdir -p ~/.ssh
      echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
      chmod 600 ~/.ssh/id_rsa
      ssh-keyscan -p ${{ secrets.PORT }} localhost >> ~/.ssh/known_hosts
      ssh-keygen -F localhost || ssh-keyscan -H localhost >> ~/.ssh/known_hosts
  - name: Execute deployment script
    run: ssh -T -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@localhost "/home/username/docker/restart-docker.sh"
```
I am getting this error:
I am using this key:
```text
-----BEGIN PRIVATE KEY-----
A LOT OF RANDOM CODE HERE..
-----END PRIVATE KEY-----
```
Doesn't seem to work.
Ok I see it now, I am missing the ssh password
This one would typically indicate that either:
- Something went wrong while attaching the private key to the "${{ secrets.SSH_PRIVATE_KEY }}" variable.
- The corresponding public key for the private key from "${{ secrets.SSH_PRIVATE_KEY }}" has not yet been added to the "$HOME/.ssh/authorized_keys" file on the destination system.
I would suggest disabling SSH password authentication and relying solely on SSH keys to authenticate going forward.
I have this setup, can't get it to work:
```yaml
deploy:
  name: Deploy
  runs-on: ubuntu-latest
  needs: build
  steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Set up Cloudflared
      uses: docker://cloudflare/cloudflared:latest
      with:
        entrypoint: /usr/local/bin/cloudflared
        args: access ssh --hostname ${{ secrets.HOST }}
    - name: Set up SSH
      run: |
        mkdir -p ~/.ssh
        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
        chmod 600 ~/.ssh/id_rsa
        ssh-keyscan -p ${{ secrets.PORT }} localhost >> ~/.ssh/known_hosts
        ssh-keygen -F localhost || ssh-keyscan -H localhost >> ~/.ssh/known_hosts
    - name: Update and Prune Docker Containers
      run: |
        ssh -i ~/.ssh/id_rsa -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "\
          docker compose up --pull always -d --remove-orphans && \
          docker system prune -af"
```
Should I have localhost? Seems wrong..
127.0.0.1 / localhost would mean that the CI/CD script would try to do the given thing towards itself (e.g. the same machine as the CI/CD script runs on).
To verify the authenticity of the host you're connecting to, you will typically (the first time, at least) see something like this prompt:
```text
$ ssh github.com
The authenticity of host 'github.com (140.82.121.3)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```
Such a prompt would "kill" your automated workflow by stalling it indefinitely.
The "ssh-keyscan" under "Set up SSH" seems to seek to resolve that, by scanning the remote host first, and adding it accordingly to the known_hosts file.
```shell
ssh-keyscan -p ${{ secrets.PORT }} localhost >> ~/.ssh/known_hosts
```
-> Add fingerprint for "localhost" to ~/.ssh/known_hosts
```shell
ssh-keygen -F localhost || ssh-keyscan -H localhost >> ~/.ssh/known_hosts
```
-> Check if a fingerprint for "localhost" already exists in ~/.ssh/known_hosts; if not, then scan and add the fingerprint for "localhost" to ~/.ssh/known_hosts
Technically, in your case, they are both redundant, i.e. trying to achieve the same thing, and may be replaced with something like:
```shell
ssh-keygen -F ${{ secrets.HOST }} || ssh-keyscan -p ${{ secrets.PORT }} ${{ secrets.HOST }} >> ~/.ssh/known_hosts
```
Thanks for the very good explanation @swift ginkgo, I will give this a shot
I got here..
```text
***" > ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa
echo "***
***" > ~/.ssh/config
chmod 644 ~/.ssh/config
touch ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
ls -l ~/.ssh/known_hosts
ssh-keygen -F *** || ssh-keyscan -p *** *** >> ~/.ssh/known_hosts
shell: /usr/bin/bash -e {0}
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: xxxxxxxxxx
-rw-r--r-- 1 runner docker 0 Jan 31 ***:16 /home/runner/.ssh/known_hosts
Error: Process completed with exit code 1.
```
Hmm, is that all there is regarding the error / how it ends?
The chmods also seem different (e.g. 644 vs 600) compared to the ones you have in your script above; did you change them?
Yes I changed/tried from 644 to 600 and vice versa.
Does not seem that this is possible to do.. Have been on this for days now
This is my complete "deploy" part in ghcr actions:
```yaml
deploy:
  name: Deploy
  runs-on: ubuntu-latest
  needs: build
  steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Set up Cloudflared
      uses: docker://cloudflare/cloudflared:latest
      with:
        entrypoint: /usr/local/bin/cloudflared
        args: access ssh --hostname ${{ secrets.HOST }}
    - name: Set up SSH
      run: |
        mkdir -p ~/.ssh
        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
        chmod 644 ~/.ssh/id_rsa
        echo "${{ secrets.SSH_CONFIG }}" > ~/.ssh/config
        chmod 644 ~/.ssh/config
        touch ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts
        ls -l ~/.ssh/known_hosts
        ssh-keygen -F ${{ secrets.HOST }} || ssh-keyscan -p ${{ secrets.PORT }} ${{ secrets.HOST }} >> ~/.ssh/known_hosts
    - name: Update and Prune Docker Containers
      run: |
        ssh -i ~/.ssh/id_rsa -p ${{ secrets.PORT }} ${{ secrets.USERNAME }}@${{ secrets.HOST }} "\
          docker compose up --pull always -d --remove-orphans && \
          docker system prune -af"
```
And here is my error on ghcr:
How exactly did you get to that specific "Set up Cloudflared" section?
Looks like it doesn't like the entrypoint "/usr/local/bin/cloudflared", so I'm wondering if you started out with some guide that brought you there, or something?
Yeah, somewhere.. Can't remember. And I am having problems finding a good instruction for that part on the web.
Ok, we start over. I want to connect (ssh) to my ubuntu server through cloudflare zero trust from github actions. How do I do that?
```yaml
deploy:
  name: Deploy
  runs-on: ubuntu-latest
  needs: build
  services:
    cloudflared:
      image: cloudflare/cloudflared:latest
  steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Set up SSH key
      run: |
        mkdir -p ~/.ssh
        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
        chmod 600 ~/.ssh/id_rsa
        ssh-keyscan -H ${{ secrets.HOST }} >> ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts
        cat ~/.ssh/known_hosts
        echo "${{ secrets.SSH_CONFIG }}" >> ~/.ssh/config
        echo "  IdentityFile ~/.ssh/id_rsa" >> ~/.ssh/config
        chmod 644 ~/.ssh/config
        cat ~/.ssh/config
    - name: SSH and run command
      run: |
        ssh -i ~/.ssh/id_rsa ${{ secrets.USERNAME }}@${{ secrets.HOST }} "\
          docker compose up --pull always -d --remove-orphans && \
          docker system prune -af"
```
This is where I am at, tried a different way to keep cloudflare running. But am getting this error from Github actions:
```text
***
***
***" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H *** >> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
cat ~/.ssh/known_hosts
echo "***
***" >> ~/.ssh/config
echo "  IdentityFile ~/.ssh/id_rsa" >> ~/.ssh/config
chmod 644 ~/.ssh/config
cat ~/.ssh/config
shell: /usr/bin/bash -e {0}
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ***/test
Error: Process completed with exit code 1.
```
Tested GitHub - mxschmitt/action-tmate but got into an error loop, otherwise that maybe could have given me some light on this mysterious Error: Process completed with exit code 1..
The server that you run docker on (and want to SSH in to), ... have you actually set up anything there with cloudflared, and if so, what exactly?
Yes I have cloudflared on it and it runs my webserver, and I can ssh in to it from my laptop.
I have come some way after this. The problem now is that my ssh private key does not work. I do not know if I have this right, is there a separate key for ssh or is it the same as the cloudflared private key?
I am using "act" from my laptop on the section I am having problems with, to test faster.. This is my log:
```text
[Test SSH Setup/test-ssh-setup] [DEBUG] Working directory '/Users/haffy/Webdev/njord'
| OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
| debug1: Reading configuration data /etc/ssh/ssh_config
| debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
| debug1: /etc/ssh/ssh_config line 21: Applying options for *
| debug1: Executing proxy command: exec cloudflared access ssh --hostname ssh.njordheim.com
| debug1: identity file /root/.ssh/id_rsa type -1
| debug1: identity file /root/.ssh/id_rsa-cert type -1
| debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
| debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
| debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 pat OpenSSH compat 0x04000000
| debug1: Authenticating to ssh.njordheim.com:22 as 'haffy'
| debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
| debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
| debug1: SSH2_MSG_KEXINIT sent
| debug1: SSH2_MSG_KEXINIT received
| debug1: kex: algorithm: curve25519-sha256
| debug1: kex: host key algorithm: ssh-ed25519
| debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
| debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
| debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
| debug1: SSH2_MSG_KEX_ECDH_REPLY received
| debug1: Server host key: ssh-ed25519 SHA256:tXjBTry5SkT2dxxxxxxxxxxxxxxxxxx++RM
| debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
| debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
| debug1: Host 'ssh.njordstudio.com' is known and matches the ED25519 host key.
| debug1: Found key in /root/.ssh/known_hosts:1
| debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
| debug1: rekey out after 134217728 blocks
| debug1: SSH2_MSG_NEWKEYS sent
| debug1: expecting SSH2_MSG_NEWKEYS
| debug1: ssh_packet_read_poll2: resetting read seqnr 3
| debug1: SSH2_MSG_NEWKEYS received
| debug1: rekey in after 134217728 blocks
| debug1: Will attempt key: /root/.ssh/id_rsa explicit
| debug1: SSH2_MSG_EXT_INFO received
| debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
| debug1: kex_input_ext_info: [email protected]=<0>
| debug1: SSH2_MSG_SERVICE_ACCEPT received
| debug1: Authentications that can continue: publickey,password
| debug1: Next authentication method: publickey
| debug1: Trying private key: /root/.ssh/id_rsa
| debug1: Authentications that can continue: publickey,password
| debug1: Next authentication method: password
[Test SSH Setup/test-ssh-setup] ❌ Failure - Main Establish SSH connection through Cloudflare Tunnel
```
SSH keys are generated using ssh-keygen, where you by default (e.g. if you don't force a specific naming) will end up with something like e.g. "id_rsa" or "id_ecdsa" as the private key (the one you should keep safe, local, never share, ...).
Similarly the corresponding ".pub" file, e.g. "id_rsa.pub" or "id_ecdsa.pub" , would be the one you would add to "$HOME/.ssh/authorized_keys" on other machines.
AFAIK, I don't believe SSH'ing over tunnels should be changing that.
```text
| debug1: Trying private key: /root/.ssh/id_rsa
```
According to this one, the contents of "/root/.ssh/id_rsa.pub" on this machine, should be added to "$HOME/.ssh/authorized_keys" on the destination machine.
(I would however discourage any of such use as "root")
On my laptop where SSH works I have a .ssh/config file with this content:
```text
Host ssh.njordheim.com
  ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
```
Has the content from the /root/.ssh/id_rsa.pub on your laptop been added to $HOME/.ssh/authorized_keys (e.g. /home/haffy/.ssh/authorized_keys) on ssh.njordheim.com?
On the server (njordheim) I have both id_sha and authorized_key with the same content.
On the client I have none of them in .ssh.
In GitHub Actions I have that key from the server added with \n for new lines.
```shell
echo "-----BEGIN RSA PRIVATE KEY-----\n
xxxxxxx
-----END RSA PRIVATE KEY-----" >> $HOME/.ssh/id_rsa
```
Just _key? Or _keys?
Unless the client's public key (.pub file) has been added to the server's authorized_keys, you won't be let in with that key.
```text
-rw------- 1 haffy haffy 2455 Jan 28 01:15 authorized_keys
-rw------- 1 haffy haffy 2455 Jan 28 01:14 id_rsa
```
That's on the server
Does cat authorized_keys contain the one line you get, if you do cat /root/.ssh/id_rsa.pub on the laptop?
(You don't have to paste the content of that, just verify)
I do not have that file on the laptop
Hmm
It's a Mac, could it be somewhere else
Have you been using these SSH keys for anything else, or just to play around with this kind of stuff?
Only for this. I think cloudflare / zero trust has it own ?
I would perhaps try starting over with them then
The question was more like, if you've started over and somehow locked yourself out of your servers/machines, ... that would rarely end up being fun
is there a file on the server where I can check if that is the case ?
I will try to redo this
Could it maybe be so that I have used the cert from Cloudflare Edge Certificate ?
In the above SSH debugging output, it was trying the key; when it failed, the server asked for a password.
Is it always asking you to provide your password, regardless when and where you log in?
Or does it sometimes ask you for a passPHRASE?
Not that I know of (and I can give you the correct URL in PM, njordheim is not the right one..).
If both of these are true:
- You're always asked for a password
- You are NEVER asked for a passPHRASE.
It doesn't seem like you are using the SSH keys to their full extent anyway.
Something like ssh-keygen -y -P "" -f /root/.ssh/id_rsa should complain about the passphrase being incorrect if there is a passphrase on your SSH key.
If there isn't a passphrase, it should just show the key, for example "ssh-rsa ..."
I managed to get in yesterday, the docker command went through. But then I could not repeat it
If there isn't a passphrase, and you're never getting to your machine without entering a password, - the SSH keys sounds to not be used at all.
I am not using ssh-keygen, I am using this command
```yaml
- name: Configure SSH key
  run: |
    echo -e "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
    chmod 644 ~/.ssh/id_rsa
```
That said, - this specific output does mention:
```text
| debug1: identity file /root/.ssh/id_rsa-cert type -1
```
It might be wise to save the files just in case.
How do you mean with saving ?
The ssh-keygen command/option was more in regards to testing the password/passphrase kind of stuff, to see if you were ready to throw it all away and start over with the SSH keys.
Saving as in keeping a backup of the files from your .ssh folder(s), if you're starting over.
I am in a meeting now so am a bit off.. But ssh-keygen creates a new id_rsa, right? Will that work when using zero trust?
At the very first, it appears to me that we need to get the SSH stuff fixed, so it runs properly, it could for example be by SSH'ing in, and running e.g. "uptime" or another random command like "ls -l".
After that kind of "project" is done, we can then worry about the further CI/CD actions afterwards.
That depends on the parameters you give to ssh-keygen.
yea, am on this command now..
```shell
ssh -vvv -i ~/.ssh/id_rsa -o ProxyCommand="cloudflared access ssh --hostname ${{ secrets.HOST }}" ${{ secrets.USERNAME }}@${{ secrets.HOST }} "echo 'SSH connection established successfully'"
```
Parameters from the above one I posted:
- -f filename: Specifies the filename of the key file.
- -P passphrase: Provides the (old) passphrase.
- -y: This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
Changing the echo to e.g. "ls -l" or so, - is that one actually showing the contents of the destination?
```text
' rewritten to 'format('ssh-keygen -y -P "{0}" -f ~/.ssh/id_rsa
', secrets.PASSWORD)'
[Test SSH Setup/test-ssh-setup] [DEBUG] evaluating expression 'format('ssh-keygen -y -P "{0}" -f ~/.ssh/id_rsa
', secrets.PASSWORD)'
[Test SSH Setup/test-ssh-setup] [DEBUG] expression 'format('ssh-keygen -y -P "{0}" -f ~/.ssh/id_rsa
', secrets.PASSWORD)' evaluated to '%!t(string=ssh-keygen -y -P "***" -f ~/.ssh/id_rsa
)'
[Test SSH Setup/test-ssh-setup] [DEBUG] Wrote command
ssh-keygen -y -P "***" -f ~/.ssh/id_rsa
to 'workflow/1'
[Test SSH Setup/test-ssh-setup] [DEBUG] Writing entry to tarball workflow/1 len:49
[Test SSH Setup/test-ssh-setup] [DEBUG] Extracting content to '/var/run/act'
[Test SSH Setup/test-ssh-setup] 🐳 docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1] user= workdir=
[Test SSH Setup/test-ssh-setup] [DEBUG] Exec command '[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1]'
[Test SSH Setup/test-ssh-setup] [DEBUG] Working directory '/Users/***/Webdev/njord/.github/workflows'
| /root/.ssh/id_rsa: No such file or directory
[Test SSH Setup/test-ssh-setup] ❌ Failure - Main Configure SSH key
```
When using this:
```yaml
- name: Configure SSH key
  run: |
    ssh-keygen -y -P "${{ secrets.PASSWORD }}" -f ~/.ssh/id_rsa
- name: Add ssh.njordheim.com to known_hosts
  run: |
    echo -e "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
    chmod 644 ~/.ssh/known_hosts
- name: SSH using Cloudflared Tunnel
  run: |
    ssh -vvv -i ~/.ssh/id_rsa -o ProxyCommand="cloudflared access ssh --hostname ${{ secrets.HOST }}" ${{ secrets.USERNAME }}@${{ secrets.HOST }} "ls -l"
```
I may have communicated that one out in an unclear way:
The ssh-keygen wasn't to be used in the CI/CD stuff, but to be checked, for example on your laptop and eventually any other location, where you're attempting to log in to njordheim from, to verify whether or not the (previous) SSH keys are actually being used, and whether you would be able to start over with them, without causing any trouble, such as locking you out of your own system(s).
What exact output are you getting right now, if you remove that "Configure SSH key" step?
```text
[Test SSH Setup/test-ssh-setup] [DEBUG] Working directory '/Users/***/Webdev/njord/.github/workflows'
| Warning: Identity file /root/.ssh/id_rsa not accessible: No such file or directory.
| OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 20***
| debug1: Reading configuration data /etc/ssh/ssh_config
| debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
| debug1: /etc/ssh/ssh_config line 21: Applying options for *
| debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
| debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
| debug1: Executing proxy command: exec cloudflared access ssh --hostname ***
| debug1: identity file /root/.ssh/id_rsa type -1
| debug1: identity file /root/.ssh/id_rsa-cert type -1
| debug1: identity file /root/.ssh/id_ecdsa type -1
| debug1: identity file /root/.ssh/id_ecdsa-cert type -1
| debug1: identity file /root/.ssh/id_ecdsa_sk type -1
| debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
| debug1: identity file /root/.ssh/id_ed25519 type -1
| debug1: identity file /root/.ssh/id_ed25519-cert type -1
| debug1: identity file /root/.ssh/id_ed25519_sk type -1
| debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
| debug1: identity file /root/.ssh/id_xmss type -1
| debug1: identity file /root/.ssh/id_xmss-cert type -1
| debug1: identity file /root/.ssh/id_dsa type -1
| debug1: identity file /root/.ssh/id_dsa-cert type -1
| debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
| /bin/sh: 1: exec: cloudflared: not found
| kex_exchange_identification: Connection closed by remote host
| Connection closed by UNKNOWN port 65535
[Test SSH Setup/test-ssh-setup] ❌ Failure - Main SSH using Cloudflared Tunnel
```
I will test this also.
```text
/bin/sh: 1: exec: cloudflared: not found
```
At that point, it doesn't seem like cloudflared is available within that CI/CD run.
^ Same as there
strange
HOLD
I had commented out the installation of cloudflare for speeding up the ssh testing
The log is too long for here... PM?
Made a simple test step for cloudflared --version and it worked.
Given the ending of:
```text
| debug1: Next authentication method: publickey
| debug1: Trying private key: /root/.ssh/id_rsa
| debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
| debug1: Trying private key: /root/.ssh/id_ecdsa
| debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
| debug1: Trying private key: /root/.ssh/id_ecdsa_sk
| debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
| debug1: Trying private key: /root/.ssh/id_ed25519
| debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
| debug1: Trying private key: /root/.ssh/id_ed25519_sk
| debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
| debug1: Trying private key: /root/.ssh/id_xmss
| debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
| debug1: Trying private key: /root/.ssh/id_dsa
| debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
| debug2: we did not send a packet, disable method
| debug3: authmethod_lookup password
| debug3: remaining preferred: ,password
| debug3: authmethod_is_enabled password
| debug1: Next authentication method: password
```
I would look at the SSH keys now.
Somewhere, could be your laptop, or whatever, you can run something like:
1. ssh-keygen -t ed25519 -f ~/.ssh/github_ci_cd_key
2. Copy the contents of ~/.ssh/github_ci_cd_key to the "${{ secrets.SSH_PRIVATE_KEY }}" CI/CD secret variable.
3. Add the contents of ~/.ssh/github_ci_cd_key to $HOME/.ssh/authorized_keys on njordheim.
4. Run it again
In step #1, do NOT add a passphrase, just hit enter.
(Your mention of "speeding up" here is one of the reasons why I specifically selected the ed25519 variant.)
Can I append the authorized_keys to the existing file ?
I did this and I still get: debug1: Next authentication method: password
Appending to authorized_keys is fine, assuming it has other keys you need to keep.
Does it say anything about it trying with some /.ssh/ file now?
Hmm
I saved the original file and made changes so only to contain the new key.
```text
| debug1: Will attempt key: /root/.ssh/id_rsa ED25519 SHA256:V0IvcWlaEzfK2z35igcAj0gEyIvgvJfs+aYicf57Qt4 explicit
```
If you selected ed25519 as I mentioned, you should probably also change to pipe it to id_ed25519, instead of id_rsa.
```text
| debug1: identity file /root/.ssh/id_rsa type 3
```
Exactly! Sorry for forgetting to mention that in the steps above.
^
Like the one you mentioned here:
Change:
```shell
echo -e "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
```
to
```shell
echo -e "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
```
```text
[Test SSH Setup/test-ssh-setup] [DEBUG] expression 'echo -e "${{ secrets.SSH_PRIVATE_KEY_TEST }}" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
' rewritten to 'format('echo -e "{0}" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
', secrets.SSH_PRIVATE_KEY_TEST)'
[Test SSH Setup/test-ssh-setup] [DEBUG] evaluating expression 'format('echo -e "{0}" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
', secrets.SSH_PRIVATE_KEY_TEST)'
[Test SSH Setup/test-ssh-setup] [DEBUG] expression 'format('echo -e "{0}" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
', secrets.SSH_PRIVATE_KEY_TEST)' evaluated to '%!t(string=echo -e "***" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
)'
[Test SSH Setup/test-ssh-setup] [DEBUG] Wrote command
echo -e "***" > ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_rsa
to 'workflow/2'
[Test SSH Setup/test-ssh-setup] [DEBUG] Writing entry to tarball workflow/2 len:481
[Test SSH Setup/test-ssh-setup] [DEBUG] Extracting content to '/var/run/act'
[Test SSH Setup/test-ssh-setup] 🐳 docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2] user= workdir=
[Test SSH Setup/test-ssh-setup] [DEBUG] Exec command '[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2]'
[Test SSH Setup/test-ssh-setup] [DEBUG] Working directory '/Users/***/Webdev/njord/.github/workflows'
| chmod: cannot access '/root/.ssh/id_rsa': No such file or directory
[Test SSH Setup/test-ssh-setup] ❌ Failure - Main Configure SSH key
```
(I don't think I have ever used SSH keys where the file name indicated other key types, such as e.g. having ed25519 keys in id_rsa files, or vice versa, - so not sure if that would work like that)
sorry, did not change the chmod file..
and more.. trying again
```text
debug1: Next authentication method: password
```
do I need to restart sshd on the server after changing the auth file?
```text
| debug1: identity file /root/.ssh/id_ed25519 type 3
| debug1: identity file /root/.ssh/id_ed25519-cert type -1
| debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
| debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
| debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 pat OpenSSH* compat 0x04000000
| debug2: fd 5 setting O_NONBLOCK
| debug2: fd 4 setting O_NONBLOCK
| debug1: Authenticating to : as '***'
| debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:1
| debug3: load_hostkeys_file: loaded 1 keys from ***
| debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:1
| debug1: Will attempt key: /root/.ssh/id_ed25519 ED25519 SHA256:V0IvcWlaEzfK2z35igcAj0gEyIvgvJfs+aYicf57Qt4 explicit
| debug2: pubkey_prepare: done
| debug3: send packet: type 5
| debug3: receive packet: type 7
| debug1: SSH2_MSG_EXT_INFO received
| debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
| debug1: kex_input_ext_info: [email protected]=<0>
| debug3: receive packet: type 6
| debug2: service_accept: ssh-userauth
| debug1: SSH2_MSG_SERVICE_ACCEPT received
| debug3: send packet: type 50
| debug3: receive packet: type 51
| debug1: Authentications that can continue: publickey,password
| debug3: start over, passed a different list publickey,password
| debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
| debug3: authmethod_lookup publickey
| debug3: remaining preferred: keyboard-interactive,password
| debug3: authmethod_is_enabled publickey
| debug1: Next authentication method: publickey
| debug1: Offering public key: /root/.ssh/id_ed25519 ED25519 SHA256:V0IvcWlaEzfK2z35igcAj0gEyIvgvJfs+aYicf57Qt4 explicit
| debug3: send packet: type 50
| debug2: we sent a publickey packet, wait for reply
| debug3: receive packet: type 51
| debug1: Authentications that can continue: publickey,password
```
Hmm...
Did you add the public key to authorized_keys on a new line, or appended at the same line as another public key?
(on njordheim / the destination)
Yes
I will remove it
PM full log
In my /etc/ssh/ssh_config I have this:
```text
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
```
And in /etc/ssh/sshd_config I have these active:
```text
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
ClientAliveInterval 5
AcceptEnv LANG LC_*
```
Did you add the key to /root/.ssh/authorized_keys on njordheim?
Or to /home/USERNAME/.ssh/authorized_keys?
So if we say you try to authenticate as USERNAME, for example using ssh USERNAME@njordheim, you can confirm that the "ssh-ed25519" line has actually been added to /home/USERNAME/.ssh/authorized_keys on njordheim?
\n?
To get a new line in ${{ secrets.xyz }} I learned to use \n and smash it into one line
It did not work otherwise in act
Ah, so in the CI/CD, you use \n with the private key
yes
But in authorized_keys, only the "ssh-ed25519 ..." one-liner from the .pub file exists?
ssh-keygen -t ed25519 -f ~/.ssh/github_ci_cd_key did not give me a pub file
There are so many layers on this onion
2. Copy the contents of ~/.ssh/github_ci_cd_key to the "${{ secrets.SSH_PRIVATE_KEY }}" CI/CD secret variable.
3. Add the contents of ~/.ssh/github_ci_cd_key to $HOME/.ssh/authorized_keys on njordheim.
#3 was wrong there, and should have said:
3. Add the contents of ~/.ssh/github_ci_cd_key.pub to $HOME/.ssh/authorized_keys on njordheim.
It is a "ssh-ed25519 [...]" one-liner to add to that $HOME/.ssh/authorized_keys, and NOT the whole -----BEGIN OPENSSH PRIVATE KEY-----/-----END OPENSSH PRIVATE KEY----- thing.
```text
$ ssh-keygen -t ed25519 -f ~/.ssh/github_ci_cd_key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/darkdevil/.ssh/github_ci_cd_key
Your public key has been saved in /home/darkdevil/.ssh/github_ci_cd_key.pub
The key fingerprint is:
[...]
$ ls -1 | grep github
github_ci_cd_key
github_ci_cd_key.pub
```
```text
-rw------- 1 haffy staff 419 5 Feb 14:03 github_ci_cd_key
-rw-r--r-- 1 haffy staff 108 5 Feb 14:03 github_ci_cd_key.pub
```
Yep, contents of github_ci_cd_key in #2, and contents of the github_ci_cd_key.pub to $HOME/.ssh/authorized_keys for the #3.
AHA
So remove the -----BEGIN ... and make the key to one line and add it to secrets ?
Or as mentioned here, the .pub contents go in /home/USERNAME/.ssh/authorized_keys on njordheim.
The secret SSH_PRIVATE_KEY on GitHub should contain the private key, e.g.:
```text
-----BEGIN OPENSSH PRIVATE KEY-----
pizza with pineapple sucks
-----END OPENSSH PRIVATE KEY-----
```
1. Do NOT add a passphrase, just hit enter.
```shell
ssh-keygen -t ed25519 -f ~/.ssh/github_ci_cd_key
```
2. Copy the contents of ~/.ssh/github_ci_cd_key to "${{ secrets.SSH_PRIVATE_KEY }}" (CI/CD secret variable).
```text
-----BEGIN OPENSSH PRIVATE KEY-----\npizza with pineapple sucks\nand also fish\n-----END OPENSSH PRIVATE KEY-----
```
3. Add the contents of ~/.ssh/github_ci_cd_key.pub to ~/.ssh/authorized_keys on njordheim.
It is a ssh-ed25519 [...] one-liner to add to that $HOME/.ssh/authorized_keys, and NOT the whole -----BEGIN OPENSSH PRIVATE KEY-----/-----END OPENSSH PRIVATE KEY----- thing.
```text
pizza with pineapple sucks and also fish
```
4. Add to ci/cd:
```shell
echo -e "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
```
authorized_keys on njordheim (i.e. $HOME/.ssh/authorized_keys, or /home/USERNAME/.ssh/authorized_keys, assuming you SSH with ssh USERNAME@njordheim) should have the contents of github_ci_cd_key.pub.
Something like:
```text
ssh-ed25519 spaghetti user@host
```
(the user@host part can be omitted)
Sounds correct.
~/.ssh/authorized_keys must however be edited while logged in as "USERNAME", if your CI/CD should log in as "USERNAME".
Or, it must be done while logged in as the user "bob", if your CI/CD should log in as "bob".
If secrets.USERNAME contains "bob", the full path to put the .pub key would be /home/bob/.ssh/authorized_keys
Ok I see
(According to your previous CI/CD steps)
But step 2 in my note above is correct ?
Seems more correct if step 2 and 3 would switch how they handle the keys
Hmm
Updated now
If the \n's are actually necessary, and you're making it an one-liner, it sounds more correct with:
```text
-----BEGIN OPENSSH PRIVATE KEY-----\npizza with pineapple sucks\nand also fish\n-----END OPENSSH PRIVATE KEY-----
```
Yeah, matches your update.
ok I will try this
```text
✅ Success - Main SSH using Cloudflared Tunnel
```
IT WORKED !!!! You are so awesome !!
trying with my docker compose command now
Happy to hear we're making progress π
You also know how to fix "broken pipe" ?
Did Main SSH event actually end by testing with some "uptime" or "ls -l" command, or something similar on njordheim?
Hm, where do you see the broken pipe?
YEs ls -l worked
And also my docker command
Though the site did not update, some error in the docker command I need to look at
```text
| debug1: Sending command: cd /home/***/docker/ && docker compose up --pull always -d --remove-orphans && docker system prune -af --force
```
That is my command in the action, and this is a script, and the script works. Just need to translate that
```shell
cd /home/haffy/docker
docker compose down --volumes --remove-orphans
docker system prune -f
docker volume prune -f
docker compose up -d
```
Not now, but when I ssh in sometimes it break
Unless it's like repeatedly, I would probably leave that broken pipe with the expectation of it being an intermittent issue, such as for example unstable connectivity between the source and destination that would likely go away at some point.
Translate in which direction?
ok
Like:
```shell
cd /home/haffy/docker || docker compose down --volumes --remove-orphans || docker system prune -f || docker volume prune -f || docker compose up -d
```
I will fix that. No worries
What you want there (e.g. ;, && or ||) probably depends on your expectations, whether they must run "successfully" (and that they have the appropriate return values / status codes for such).
Aa that explains a lot
```text
$ cat /tmp/spaghetti; echo "here"
cat: /tmp/spaghetti: No such file or directory
here
$ cat /tmp/spaghetti && echo "here"
cat: /tmp/spaghetti: No such file or directory
$ cat /tmp/spaghetti || echo "here"
cat: /tmp/spaghetti: No such file or directory
here
$
```
So if docker compose down --volumes --remove-orphans does actually provide proper return values / status codes, and MUST succeed before docker system prune -f should ever be run, using && might be the best.
```text
$ echo "pizza" > /tmp/spaghetti
$ cat /tmp/spaghetti && echo "here"
pizza
here
```