Try this:

mkdir /root/.ssh
cat <<EOT>> /root/.ssh/id_rsa
@secret:private-key@
EOT
chmod 400 /root/.ssh/id_rsa
ssh -o "StrictHostKeyChecking no" debian@@server echo hello world

not working

honestly i don't know what i'm doing wrong : the secret is always replaced by MASK "*****"

the secret:idsec

the secret:idpub

The command

The report log

why the idsec is correctly echoed but not the idpub ?

It only masks the secret occurrences in log, and will not affect actual behavior.

Why you are echoing the secret to console? The secret content should be written to file id_rsa as I demonstrated above

The exact command i passed before opening the issue was :

echo "@secret:idsec@" >> .ssh/id_rsa
echo "@secret:idpub@" >> .ssh/id_rsa.pub

Because it was not working, i try to cat the result files to see if it was correctly filled. To my surprise, the id_rsa.pub was filled with "*****" wheras the id_rsa was filled with the correct private Key.

Like i said in the previous post, only the secret:idsec is correctly handle by onedev and not secret:idpub which is not consistent.

Whether the both failed or whether they succeed.

So there is something wrong

I guess one secret is of multiple lines, while another is single line. OneDev only masks secrets in log line by line.

Echo multiple lines into a file might be problematic. The correct way is to use

cat <<EOT>> /root/.ssh/id_rsa
@secret:private-key@
EOT

The command

Not working, if i cat the file it is filled with "*****"

You can not examine content of the file by catting to console, it will again be masked. in console. You may copy the file out and examine the content, or publish the file via publish artifacts step, and check its content.

Also I guess the comma character around the @secret:idpub@ should be removed.

Remember that all @...@ will be replaced literally by OneDev before passing to shell for execution.

You are absolutely right. When publishing theses files as artifacts, they are correct.

But i still get ssh connection error like if have i have wrong keys. I still investigate...

I'd suggest to run the container from terminal directly, played with ssh keys, to make sure that it works. Then make the script into OneDev build spec.

Also I can use the commands suggested previously to login to remote server.

Another thing important: make sure to change file mode of id_rsa to 400

when i test

docker run --rm -it --mount type=bind,src=/home/debian/test,dst=/opt/ alpine

and then inside, execthe same command

mkdir /root/.ssh
cat /opt/id_rsa >>/root/.ssh/id_rsa
chmod 400 /root/.ssh/id_rsa
ssh -o StrictHostKeyChecking=no debian@server

everything works

but not with onedev, very frustrating.

Moreover, i think there will be TTY problem running ssh command inside docker and onedev.

So, do you have a way to connect to server, copy file and run some commands ?

update

when running verbose

it seems my key is invalid. from stackoverflow some other have the same issue rapporting endofline format.

So let's try something : adding a extra empty line in the job secret

After saving, i show the job at new, the extra line has disappear

Do you rewrite the job secret value with trim() or not handle append new line ?

Yes, input will be trimmed for normalization purpose. It is surprising me the EOL is required for your server. I tested with Ubuntu server and the EOL does not matter.

input will be trimmed for normalization purpose

?

and what about the line return when pasting in the textarea ? my client pc in on windows. i try to force \n and then pasting but do not work either

All white spaces including line ending will be deleted

Will turn this off in next patch release. For now, you may manually append a line ending to your private key file

what it works :

• adding the .ssh/id_rsa in the git repo and use-it for the ssh
• adding the private key to a file "foo" in the git repo and cat foo >> .ssh/id_rsa (so no problem with cat command)

what it does not work :

• paste the key to job secret and cat or echo the value to .ssh/id_rsa

you said you test it, but in the same conditions ? onedev is running on container and job run alpine image. i'm pasting the job secret from firefox on windows.

and what about having custom file inject inside the running job container ?

we have artifact which are the result file of build why no having the opposite, file insert in the build without being in the repo ?

Why cat or echo directly does not work:

As I mentioned earlier, @...@ will be replaced literally, so if you write

cat @secrets:id_sec@ >> /root/.ssh/id_rsa

It will be seen by shell as below after @secrets:id_sec@ being replaced:

cat firstline of private key
second line of private key
...
last line of private key >> /root/.ssh/id_rsa

This is the reason I am using below to write multiline string to a file in the first place:

cat <<EOT>> /root/.ssh/id_rsa
@secret:private-key@
EOT

yes, that's why i use the code you propose

cat <<EOT>> /root/.ssh/id_rsa
@secret:private-key@
EOT

but does not work

i attach the private/pub keys i used you can try (obviously not production keys...).

What image are you using for the job (alpine does not have ssh client available)? And what OS of your server you are trying ssh into?

i'm using alpine and connect to debian 11.

this job command works as the id_rsa come from file in the git repo

and not working when using the job secret with the cat EOT...

Turns out that multi-line input in a text area will be saved using "\r\n" as line ending (this is html standard). And Debian is strict on line ending while Ubuntu not. The workaround is install dos2unix to your container, and then call below statement to convert "\r\n" to "\n"

dos2unix /root/.ssh/id_rsa

And Debian is strict on line ending

😬 rohhhhhh

dos2unix /root/.ssh/id_rsa

such a journey, but this workaround is perfect !

thanks you Robin for all the help 👍

you can close the thread