Ubuntu – How to add an SSH key to Gitlab through a bash executable

bashcommand linegitgitlabssh

I am creating a bash executable, which creates an SSH key, and uploads it to a user's Gitlab account. I am aware of how to create the SSH key via the bash executable:

ssh-keygen -o -f ~/.ssh/id_rsa

and I also know how to retrieve from it, however I don't know how to upload it to a user's Gitlab account.

I have found multiple documentations for uploading a user's SSH to Github however not Gitlab (I assume mostly similar…?). So I would use this for Github

curl -u "USERNAME:PASSWORD" --data "{\"title\": \"TITLE\", \"key\": \"$(cat ~/.ssh/id_rsa.pub)\"}" https://api.github.com/user/keys

and I would make USERNAME, PASSWORD, and TITLE input fields for the user to customize.

I want to say that it would be as simple for Gitlab (I found POST /users/:id/keys on their API site, but don't know how to implement it as a curl command), but I don't know how closely related Gitlab and Github are.

Best Answer

The first problem you need to solve when using the Gitlab REST API is the authentification, nicely explained in the docs here. I use a personal access token in this post which creation is explained here, but for you with a script authenticating as a specific user an Impersonation token (see here for the creation) may be better suited.

To add an ssh key I need:

POST /user/keys

To send data (and subsequently use the POST method) curl provides the -d option, required fields are title and key. As the default header is Content-Type: application/x-www-form-urlencoded but the API expects json I have to specify that using the -H option:

$ curl -d '{"title":"test key","key":"'"$(cat ~/.ssh/id_rsa.pub)"'"}' -H 'Content-Type: application/json' https://gitlab.com/api/v4/user/keys?private_token=<my_access_token>
{"id":3889765,"title":"test key","key":"ssh-rsa <my_ssh_key>","created_at":"2019-08-01T21:26:40.952Z"}

Now to test the change I just list my ssh keys. The docs say I have to use GET /user/keys, as GET is curl’s default method I just do:

$ curl https://gitlab.com/api/v4/user/keys?private_token=<my_access_token>
[{"id":3889765,"title":"test key","key":"ssh-rsa <my_ssh_key>","created_at":"2019-08-01T21:26:40.952Z"}]

I did this just for testing, so I’m going to delete the key with DELETE /user/keys/:key_id – note that :key_id needs to be substituted by the id of the key to delete:

$ curl -X DELETE https://gitlab.com/api/v4/user/keys/3889765?private_token=<my_access_token>

Here’s a nice article about curl and the common REST methods.

How It Works

When generating a key, you'll get two files: id_rsa (private key) and id_rsa.pub (public key). As their names suggest, the private key should be kept secret and the public key can be published to the public.

Public-key authentication works with a public and a private key. Both the client and the server have their own keys. When installing openssh-server the server public and private keys are generated automatically. For the client, you'll have to do that on your own.

When you (client) connect with a server, public keys are exchanged. You'll receive the servers one, and the server yours. The first time you receive the server public key, you'll be asked to accept it. If this public key changes over a time, you'll be warned because a possible MITM (Man in the middle) attack is going on, intercepting the traffic between the client and the server.

The server checks whether you are allowed to connect (defined in /etc/ssh/sshd_config) and if your public key is listed in the ~/.ssh/authorized_keys file. Possible reasons why the public key is denied:

/etc/ssh/sshd_config:
- AllowUsers or AllowGroups is specified, but your server user is not listed in the groups or users list (default not defined, placing no restriction on the users or groups from logging in).
- DenyUsers or DenyGroups is specified and you're in the users or groups list.
- You're trying to login as root, but PermitRootLogin is set to No (default yes).
- PubkeyAuthentication is set to No (default yes).
- AuthorizedKeysFile is set to a different location, and the public keys are not added to that file (default .ssh/authorized_keys, relative to home dir)
~/.ssh/authorized_keys: your public key is not added in this file (note that this file is read as root user)

Using multiple keys

It's not uncommon to use multiple keys. Instead of running ssh user@host -i /path/to/identity_file, you can use a configuration file, ~/.ssh/config.

Common settings are the IdentityFile (the keys) and port. The next configuration will check "id_dsa" and "bender" only when connecting with ssh youruser@yourhost:

Host yourhost
   IdentityFile ~/.ssh/id_dsa
   IdentityFile ~/.ssh/bender

If you omit Host yourhost, the settings will apply to all SSH connections. Other options can also be specified for this host match, like User youruser, Port 2222, etc. This would allow you to connect with the shorthand ssh yourhost instead of ssh -p2222 youruser@yourhost -i ~/.ssh/id_dsa -i ~/.ssh/bender.

Ubuntu – How is a login via an ssh private/public key associated with a given user

The command:

ssh-copy-id  username@host

As documented in the link above does not work from mac. Therefore, I logged in as root and of course, that is where the key was installed.

The answer seems to be: If You log in as the user, then cat the public key to the ~/.ssh/authorized_keys file.

Best Answer

Related Solutions

Ubuntu – Does ssh key need to be named id_rsa

How It Works

Using multiple keys

Ubuntu – How is a login via an ssh private/public key associated with a given user

Related Question