error in libcrypto, loading ssh key from an environment variable

[ctaque]

Operating system :

environment: docker
image: ubuntu:kinetic
openssl version 3.0.3
libssl-dev installed

I'm doing:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

or

ssh-add ~/.ssh/id_rsa

What I get :

Load key "/root/.ssh/id_rsa": error in libcrypto

I'm loading an ssh private key from a Gitlab CI variable.
I tried adding a newline at the end of the variable like so:

SSH_PRIVATE_KEY: "-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuNk4L4Cf4oDaDjXdjNydM6g5hg5/wGzxoqzENx2Xxq1QminyrZpB
...
MmlCwQe7o/n+W8xUTFPJLr6dUBwILrdI5qH6ZmKyoY4WJtdgwzTc2pLLnf7dES466jtruY
vwbTGCQPZajU5h2/ZcE3jnFLZAvJZO1IxWURXL5AwWtIf/MKOT/aS7rPiKEXotqBCWsX65
Eo6Re1Rp+K3vifSALr2QbOfhd2yVy27oM8FuFQQpOppOJQPuWuwmSyHbT6AhIlAbo8E2v1
mrCMIVawQXSytHAAAAFmN5cHJpZW5AY3lwcmllbi11YnVudHUBAgME
-----END OPENSSH PRIVATE KEY-----
"

The key can be imported in the key store in the host operating system

related SO issue :

https://stackoverflow.com/questions/74183218/gilab-ci-load-ssh-key-from-environment-variable

It may be more a usage issue rather than a bug. I've spent the day trying to solve this and would appreciate a little help.

I can do anything you need

[paulidale]

You should report this to the ssh project not OpenSSL. They are completely different.

[songleo]

Hi @ctaque have you fixed this issue in Gitlab CI? I met the same issue if you have some solution, thanks.

[ctaque]

yes :

  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client wget gnupg -y )'
    - wget -qO- https://get.docker.com/gpg | apt-key add -
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - touch ~/.ssh/config
    - touch ~/.ssh/known_hosts
    - chmod -R 400 ~/.ssh
    - ssh-keyscan ip >> ~/.ssh/known_hosts
    - '[[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

create a variable SSH_PRIVATE_KEY with the content of your key (add an empty line at the end)

That being said, I could'nt make it work with a runner running on my development machine.

[JamieWithofsPXL]

I'm running into the same problem. I'm using my own ubuntu docker executor. However, the given solution doesn't seem to work for me.

[ctaque]

It may depend on the image used, in my case:

image:
    name: debian:stretch
    entrypoint: [ '/bin/bash', '-c', 'ln -snf /bin/bash /bin/sh && /bin/bash -c $0' ]

[JamieWithofsPXL]

I'm running into the same problem. I'm using my own ubuntu docker executor. However, the given solution doesn't seem to work for me.

I solved it by doing a chmod 400 on my private key file variable like this:
chmod 400 /builds/gitlab-instance-1af93b45/drupal-poc.tmp/SSH_PRIVATE_KEY
Then I switched the order of the ssh-add command like this:
ssh-add "$SSH_PRIVATE_KEY" | tr -d '\r'

[OranGeNaL]

Solved problem with Gitlab CI. Looks like if store key value like simple variable, Gitlab removes all line breaks from it. But if store key like file variable, it doesn't.

So storing key like file variable works for me.

[kasra-trendplus]

Hey guys, for future readers.
I was using a ssh key file inside Gitlab CI YAML file and I kept getting error in libcrypto message.
I did 2 things that FIXED the problem:

1. Just changing the variable type from FILE variable to ENV_VAR
2. Using ssh-keygen -t ed25519 when generating the key. Looks like gitlab does not support the default rsa keys.

Then everything works fine.

Also use this as the base before_script:

  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client wget gnupg -y )'
    - wget -qO- https://get.docker.com/gpg | apt-key add -
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - touch ~/.ssh/config
    - touch ~/.ssh/known_hosts
    - chmod -R 400 ~/.ssh
    - ssh-keyscan <ip> >> ~/.ssh/known_hosts
    - '[[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

[churumellas]

Hey guys, for future readers. I was using a ssh key file inside Gitlab CI YAML file and I kept getting error in libcrypto message. I did 2 things that FIXED the problem:

1. Just changing the variable type from `FILE` variable to `ENV_VAR`

2. Using `ssh-keygen -t ed25519` when generating the key. Looks like gitlab does not support the default `rsa` keys.

Then everything works fine.

Also use this as the base before_script:

  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client wget gnupg -y )'
    - wget -qO- https://get.docker.com/gpg | apt-key add -
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - touch ~/.ssh/config
    - touch ~/.ssh/known_hosts
    - chmod -R 400 ~/.ssh
    - ssh-keyscan <ip> >> ~/.ssh/known_hosts
    - '[[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

Thank you soooo muuuch!!! I want just connect ssh but none in documentation is working, removing the docker config I use this way:

  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
    - echo "$ID_RSA" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - touch ~/.ssh/config
    - touch ~/.ssh/known_hosts
    - chmod -R 400 ~/.ssh

[yypastushenko]

There is another way to fix it.
I did not change the ci/cd variable type from file to variable (string).
Just added one \n at the end of private key in the value and it worked.

-----BEGIN OPENSSH PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OPENSSH PRIVATE KEY-----

[govindkailas]

Adding a new line at the end worked for me as well.

[SirawichDev]

yes this solved my problem as well

[azmiadhani]

When I follow the official guide (https://docs.gitlab.com/ee/ci/ssh_keys/) I cannot get things to work. But changing the variable type from File to Variable (Default) and configuring .gitlab-ci.yaml like below solves the issues.

stages:
  - deploy

deploy:
  stage: deploy
  image: ubuntu
  before_script:
    - echo "deploying app"
    ##
    ## Install ssh-agent if not already installed, it is required by Docker.
    ## (change apt-get to yum if you use an RPM-based image)
    ##
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )'

    ##
    ## Run ssh-agent (inside the build environment)
    ##
    - eval $(ssh-agent -s)

    ##
    ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
    ## We're using tr to fix line endings which makes ed25519 keys work
    ## without extra base64 encoding.
    ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
    ##
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -

    ##
    ## Create the SSH directory and give it the right permissions
    ##
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh

    ##
    ## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
    ## with your own domain name. You can copy and repeat that command if you have
    ## more than one server to connect to.
    ##
    - ssh-keyscan $SSH_HOST >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
  script:
    - ssh $SSH_USERNAME@$SSH_HOST
    # Script to run on remote server
    - ls

[detzen]

I could solve the issue with adding a newline at the end of the private key. Variable type is set to "file". Here's the relevant part of my .gitlab-ci.yaml

script:
    - chmod 600 $SSH_PRIV_KEY
    - scp -qi $SSH_PRIV_KEY -o StrictHostKeyChecking=no -r foo $DEPLOYMENT_USER@$DEPLOYMENT_SERVER:/tmp/
    - scp -qi $SSH_PRIV_KEY -o StrictHostKeyChecking=no -r bar $DEPLOYMENT_USER@$DEPLOYMENT_SERVER:/tmp/

Have a look at https://docs.gitlab.com/ee/ci/ssh_keys/
In the Value field, paste the content of your private key from the key pair that you created earlier. Make sure the file ends with a newline.