Passhprase not working

[shnigi]

I tried to add passphrase option as mentioned in this ticket: #16
But it is not working for unknown reason. Here is my yml.

name: CI
on: [push]
jobs:
   deploy:
    if: github.ref == 'refs/heads/master'
    runs-on: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v1
      - name: Push to server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SERVER_IP }}
          port: ${{ secrets.PORT }}
          username: ${{ secrets.SERVER_USERNAME }}
          password: ${{ secrets.SERVER_PASSWORD }}
          passphrase: ${{ secrets.SSHKEYPASSWORD }}
          script: cd ${{ secrets.PROJECT_PATH }} && git pull

I have secrets added in the repository. I can manually ssh login to my server and do git pull. Then I enter password and it works like it should. However github actions say:

err: git@github.com: Permission denied (publickey).
2020/06/24 13:21:57 Process exited with status 1
err: fatal: Could not read from remote repository.

So what am I doing wrong here? I expected that passphrase would input the password for my ssh key. Or is there something else wrong? I also did this: cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

I later removed my ssh key passphrase and then it works! But I really would like to secure my key with password. Looks like the passphrase is not working for some reason?

[mojo706]

If I may ask what's the passphrase for. I dont think you have a private key in your secrets on the repo. Do you?

[shnigi]

@mojo706 I have set up a password for my ssh key like this: #16 (comment) The feature seems to be implemented but it doesn't work for me. Or did I understand it wrong? I thought using passphrase it would enter the password when trying to pull. I don't have my private key in the repo secrets. Is that the issue? It can't use the key directly from the server?

[mojo706]

@shnigi The private key is in your personal computer under ~/.ssh assuming that you're on Mac or Linux use pb copy like so pbcopy < ~/.ssh/id_rsa then in your repo secrets add it as SSH_PKEY or any name you find useful. Then you can remove the SERVER_PASSWORD from your yml

[shnigi]

@mojo706 Yes I know. But isn't the difference between: password and passphrase the following: password is used to login the server. Can be any user/password. Passphrase is used to pull from Github, again can be any key? So two different passwords. I have ssh login password and Github key password which needs to be entered. I also tried adding my key to Github secrets but it doesn't work.

[mojo706]

@shnigi That's not it. You use the SSH_PKEY to log in to your server instead of a password. Then you use the secrets.GITHUB_TOKEN to log in to Github.

[KerberosMorphy]

There is the modification if you need your SSH Key to log in to your server:

      - name: Push to server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SERVER_IP }}
          port: ${{ secrets.PORT }}
          username: ${{ secrets.SERVER_USERNAME }}
-         password: ${{ secrets.SERVER_PASSWORD }}
+         key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSHKEYPASSWORD }}
          script: cd ${{ secrets.PROJECT_PATH }} && git pull

Now that you are inside your server, you need credentials to pull from github, if you use HTTPS with username/password try:

git pull "https://<username>:<password>@github.com/<github_account>/<repository_name>.git" <branch_name>

Complete example, not sure if it's a good practice and I didn't test it :

      - name: Push to server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SERVER_IP }}
          port: ${{ secrets.PORT }}
          username: ${{ secrets.SERVER_USERNAME }}
          password: ${{ secrets.SERVER_PASSWORD }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSHKEYPASSWORD }}
          script: |
            cd ${{ secrets.PROJECT_PATH }}
            git pull "https://${{ secrets.GITHUB_USERNAME }}:${{ secrets.GITHUB_PASSWORD }}@github.com/shnigi/my_repo.git" master

[KalleVuorjoki]

I have the same issue, passphrase not working. Relevant part from ssh -vT git@github.com is

err: debug1: read_passphrase: can't open /dev/tty: No such device or address

I think echo $SSH_AUTH_SOCK command on runner script should return something, now it its empty. I have tried various ways to modify my server .ssh/rc file according to https://gist.github.com/martijnvermaat/8070533 but none of them work for me.

[shnigi]

There is the modification if you need your SSH Key to log in to your server:

      - name: Push to server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SERVER_IP }}
          port: ${{ secrets.PORT }}
          username: ${{ secrets.SERVER_USERNAME }}
-         password: ${{ secrets.SERVER_PASSWORD }}
+         key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSHKEYPASSWORD }}
          script: cd ${{ secrets.PROJECT_PATH }} && git pull

Now that you are inside your server, you need credentials to pull from github, if you use HTTPS with username/password try:

git pull "https://<username>:<password>@github.com/<github_account>/<repository_name>.git" <branch_name>

Complete example, not sure if it's a good practice and I didn't test it :

      - name: Push to server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SERVER_IP }}
          port: ${{ secrets.PORT }}
          username: ${{ secrets.SERVER_USERNAME }}
          password: ${{ secrets.SERVER_PASSWORD }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSHKEYPASSWORD }}
          script: |
            cd ${{ secrets.PROJECT_PATH }}
            git pull "https://${{ secrets.GITHUB_USERNAME }}:${{ secrets.GITHUB_PASSWORD }}@github.com/shnigi/my_repo.git" master

What I am actually doing is that I ssh into my server with name and password, then in the server I have github ssh key which is used to pull the code. I can get this to work if I remove my ssh key password from the server. So appleboy script works to the point where I login to the server but fails when it tries to pull from Github as my sshkey is asking for the password. Then I get the usual error message to github actions center:

err: git@github.com: Permission denied (publickey).
err: fatal: Could not read from remote repository.
2021/01/21 13:57:35 Process exited with status 1
err:
err: Please make sure you have the correct access rights
err: and the repository exists.

[Manapyzz]

Hello,
I'm stumbling upon the same thing and can't find out how I can do this. I can connect to my server with ssh-actions but then when trying to "git pull", I'm asked for my github passphrase but getting the same error:

err: git@github.com: Permission denied (publickey). err: fatal: Could not read from remote repository. err: err: Please make sure you have the correct access rights err: and the repository exists.

@shnigi did you come up with a solution ? I would love to know.

[web-mc]

I've had the same problem.
What I did https://zellwk.com/blog/github-actions-deploy/

Generate new key and leave "passphrase" empty.

[AntonioKichaev]

I've had the same problem. What I did https://zellwk.com/blog/github-actions-deploy/

Generate new key and leave "passphrase" empty.

that's really great tips, thx

[appleboy]

    - name: clone private repository
      uses: appleboy/ssh-action@v1.1.10
      with:
        host: ${{ secrets.HOST }}
        username: ${{ secrets.USERNAME }}
        key: ${{ secrets.KEY }}
        port: ${{ secrets.PORT }}
        script_stop: true
        script: |
          git clone https://appleboy:${{ secrets.TEST_TOKEN }}@github.com/go-training/self-runner.git test_repository
          rm -rf test_repository

create your personal token from user setting and store value in secret page.