GitLab CI/CD SSH Authentication and Remote Deployment Architecture

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of Secure Shell (SSH) protocols within GitLab CI/CD pipelines represents a critical bridge between automated build environments and the physical or virtual infrastructure where applications reside. In the modern DevOps lifecycle, the ability to securely authenticate a GitLab Runner—which may be running in a transient Docker container or on a dedicated shell executor—against a remote server is paramount for tasks such as automated deployments, private package retrieval, and the management of internal submodules.

Because GitLab does not provide a native, built-in mechanism for managing SSH keys directly within the build environment's filesystem, engineers must implement a strategy to inject these credentials dynamically during the job execution phase. This process involves a sophisticated orchestration of CI/CD variables, the ssh-agent utility, and the precise configuration of the .gitlab-ci.yml file. The goal is to establish a secure, non-interactive authentication channel that allows the Runner to execute commands on a remote host without requiring manual password entry or risking the exposure of private keys in job logs.

This architectural requirement spans across all GitLab tiers, including Free, Premium, and Ultimate, and is applicable regardless of whether the organization utilizes GitLab.com (SaaS), GitLab Self-Managed, or GitLab Dedicated offerings. The necessity for this setup typically arises when a pipeline needs to interact with a remote server for the purposes of executing remote commands, utilizing rsync for efficient file synchronization, or deploying application code to platforms such as Heroku or a private VPS.

SSH Key Implementation Use Cases and Technical Requirements

The deployment of SSH keys within a CI/CD context is not a one-size-fits-all solution but is instead triggered by specific operational requirements. Each of these use cases carries distinct security implications and technical configurations.

  • Checking out internal submodules: When a project relies on other private repositories as submodules, the GitLab Runner requires an SSH identity to authenticate against the GitLab server to clone these dependencies.
  • Downloading private packages: Many package managers, such as Bundler for Ruby, may require SSH authentication to pull private gems or libraries from a secure registry.
  • Application deployment: The most common use case involves pushing built artifacts or triggering a git pull on a production or staging server to update the live application.
  • Remote command execution: This involves using the ssh command to trigger scripts, restart services (e.g., systemctl restart nginx), or perform database migrations on a remote host.
  • File synchronization via Rsync: For projects where only specific assets or compiled binaries need to be moved, rsync over SSH provides an efficient way to transfer data while maintaining file permissions.

The impact of these requirements is that the build environment must essentially "become" a trusted entity in the eyes of the remote server. This is achieved by placing the public key of the Runner's generated pair into the ~/.ssh/authorized_keys file of the target server, thereby creating a cryptographic trust relationship.

Secure Management of SSH Keys via CI/CD Variables

The primary method for introducing a private key into a GitLab pipeline is through the use of CI/CD variables. This ensures that sensitive credentials are not hard-coded into the .gitlab-ci.yml file, which would be a catastrophic security failure.

Variable Type Selection: File vs. Regular

GitLab allows users to define variables as either "Variable" (regular) or "File".

  • File type variables: This is the preferred method. When a variable is set to "File", GitLab stores the content in a temporary file on the runner and provides the path to that file in the environment variable. This is critical for SSH keys because they contain multiple lines and specific whitespace characters.
  • Regular variables: These store the key as a string. While possible, this method is prone to formatting errors during the shell expansion process and often requires manual redirection to a file (e.g., using echo or base64 decoding).

The Visibility and Masking Paradox

A critical technical detail regarding SSH keys is that they cannot be "Masked" in GitLab CI/CD variables. Masking requires the value to meet specific character requirements (such as no whitespace), which SSH private keys inherently violate due to their multiline structure.

  • Visibility settings: Because masking is impossible, the visibility must be set to "Visible".
  • Log exposure risks: Since the key is not masked, any command that prints the variable's value—such as cat, tee, or echo—will leak the private key into the job logs in plain text.
  • Mitigation strategies: To prevent unauthorized access, it is recommended to restrict these variables to "Protected" branches and tags. This ensures that only authorized merge requests to the main or production branches can trigger the deployment, preventing a malicious actor from creating a feature branch with a script designed to print the SSH_PRIVATE_KEY to the console.

Step-by-Step SSH Key Generation and Deployment

To establish a functional connection, a key pair must be generated and distributed correctly between the GitLab environment and the target destination.

Generation of the Key Pair

The key should be generated using a secure algorithm. The ed25519 algorithm is currently recommended for its security and performance.

bash ssh-keygen -t ed25519 -C "[email protected]"

During this process:
- The default file location is typically ~/.ssh/id_ed25519.
- Passphrases: While adding a passphrase increases security, it creates a roadblock for automated CI/CD pipelines because the ssh-agent would prompt for the passphrase, causing the job to hang and eventually time out. For automated jobs, a passphrase-less key is typically used, provided the key is stored securely in GitLab's encrypted variables.

Distributing the Public Key

The public key (ending in .pub) must be shared with the entities that need to grant access:

  • For remote server access: Copy the content of the public key into the ~/.ssh/authorized_keys file on the target server.
  • For private GitLab repositories: If the Runner needs to clone other private projects, the public key must be added as a "Deploy Key" in the target repository's settings.

Configuring the GitLab Runner for SSH Authentication

Depending on the executor being used, the method of applying the SSH key differs.

Using the Docker Executor

When using Docker, the environment is completely isolated and ephemeral. This means the .ssh directory does not exist by default and must be created during the before_script phase.

The process for a Debian-based or Alpine-based Docker image involves the following technical steps:

  1. Installation of the SSH client: The image must have openssh-client installed. In Alpine Linux, this is done via apk add openssh-client.
  2. Creation of the SSH directory: The directory ~/.ssh must be created with the correct permissions.
  3. Loading the key: The ssh-agent must be started, and the key must be added to the agent using ssh-add.
  4. Handling Known Hosts: To prevent the pipeline from failing due to an "Unknown Host" prompt, the public key of the remote server must be added to the known_hosts file using ssh-keyscan.

Implementation Example for Dockerized Pipelines

The following configuration demonstrates the correct sequence for a secure deployment:

yaml deploy: image: alpine:latest stage: deploy only: - prelive before_script: - apk update - apk add openssh-client - install -m 600 -D /dev/null ~/.ssh/id_rsa - echo "$SSH_PRIVATE_KEY" | base64 -d > ~/.ssh/id_rsa - ssh-keyscan -H $SSH_HOST > ~/.ssh/known_hosts script: - ssh $SSH_USER@$SSH_HOST "cd $WORK_DIR && git checkout $PRELIVE_BRANCH && git pull && exit" after_script: - rm -rf ~/.ssh

In this specific implementation:
- The install -m 600 command ensures the private key file has the strict permissions required by the SSH client; if the permissions are too open (e.g., 777), the SSH client will reject the key for security reasons.
- The base64 -d command is used if the SSH_PRIVATE_KEY variable was stored as a base64 encoded string to avoid whitespace issues.
- The after_script ensures that the sensitive key is removed from the runner's filesystem after the job completes.

Configuring a Shell Executor

For users running a GitLab Runner directly on a host machine (Shell executor), the configuration can be handled at the system level of the Runner machine rather than within the .gitlab-ci.yml.

  1. Generate the key on the Runner machine:
    bash ssh-keygen -t ed25519 -C "[email protected]"
  2. Start the agent and add the key:
    bash eval $(ssh-agent -s) ssh-add ~/.ssh/id_ed25519
  3. GitLab Runner Configuration: The config.toml file (located at /etc/gitlab-runner/config.toml on Linux or C:\GitLab-Runner\config.toml on Windows) may need to be modified under the [[runners]] section to ensure the environment has access to the necessary SSH paths.

Troubleshooting Common SSH Failures in CI/CD

Even with correct keys, several common errors can occur during the pipeline execution.

Permission Denied (publickey, password)

This error typically indicates that the remote server rejected the key provided by the Runner. Possible causes include:

  • Missing Public Key: The public key was not correctly added to the ~/.ssh/authorized_keys file on the remote server.
  • Incorrect Permissions: The .ssh directory or the authorized_keys file on the remote server has permissions that are too broad (e.g., the server requires authorized_keys to be 600).
  • Key Mismatch: The private key stored in the CI/CD variable does not correspond to the public key installed on the server.

No Such File or Directory (/root/.ssh/id_rsa)

This is a frequent error when using Docker executors. It occurs when the script attempts to use an SSH key that has not been written to the filesystem. The solution is to ensure the before_script explicitly creates the directory and writes the variable content to a file.

Error in libcrypto

This error often appears when there is a mismatch between the key format and the version of the SSH client installed in the container. For instance, an older version of libcrypto may not support newer Ed25519 keys. Ensuring the openssh-client is updated to the latest version via apk update or apt update usually resolves this.

Technical Comparison of SSH Variable Storage Methods

The following table compares the two primary methods of storing SSH keys within GitLab CI/CD.

Feature File-type Variable Regular Variable
Storage Method Stored as a file on the runner Stored as an environment string
Whitespace Handling Preserves multiline formatting Prone to formatting errors
Usage in YAML Reference via path ($SSH_PRIVATE_KEY) Reference via value (echo "$SSH_PRIVATE_KEY")
Recommended for Keys Highly Recommended Not Recommended
Security Risk Low (if protected branch used) High (risk of shell expansion errors)

Analysis of Security Best Practices for Automated SSH

The use of SSH keys in automation introduces a specific attack surface that must be managed through a rigorous security posture.

Key Rotation and Lifecycle Management

SSH keys should not be treated as permanent credentials. An effective security strategy involves rotating the SSH_PRIVATE_KEY every 30 to 90 days. This limits the window of opportunity for an attacker if a key is accidentally leaked through a job log or a compromised runner.

Principle of Least Privilege

The user account used for deployment (e.g., deployer@XXX) should not have root privileges. Instead, it should be restricted to:
- A specific working directory ($WORK_DIR).
- Specific commands (using authorized_keys command restrictions).
- No shell access if only rsync or git operations are required.

Avoidance of Personal Keys

A common mistake is reusing a developer's personal SSH key for the CI/CD pipeline. This creates a critical security flaw where the compromise of a pipeline could lead to the compromise of a developer's entire identity. Unique, dedicated "Deploy Keys" must be generated for each project and environment (Development, Staging, Production).

Conclusion

The implementation of SSH authentication within GitLab CI/CD is a balance between operational necessity and security rigor. By utilizing "File" type CI/CD variables, protecting those variables via branch restrictions, and carefully orchestrating the ssh-agent within the before_script of a Docker executor, organizations can achieve a secure and automated deployment pipeline. The transition from manual deployments to an automated SSH-based workflow reduces human error and increases deployment frequency, but it requires a deep understanding of the underlying Linux filesystem permissions and the SSH protocol's authentication handshake. The ultimate success of this configuration relies on the precise alignment of the private key in GitLab and the public key in the remote server's authorized_keys file, underpinned by the strict enforcement of 600 file permissions.

Sources

  1. Using SSH keys with GitLab CI/CD
  2. Using SSH key with GitLab Runner
  3. Using GitLab CI to Deploy via SSH
  4. Deploying code from GitLab repository into remote server

Related Posts