Heroku -> GitHub SSH key issue - heroku

I am writing an app hosted on Heroku which performs read/write operations on private GitHub hosted repositories.
I have done the following:
Generated an SSH key, using the same email as my GitHub account
Added the SSH public key to my GitHub account which has admin privileges to the repository
Added the SSH public key to Heroku using heroku:keys add
When trying to perform any git operation on a GitHub hosted repository (that I have total access to), I get "Host key verification failed"
I'm not sure what I'm doing wrong.. as far as I can tell, the Heroku app should be able to read and push to the repo on GitHub just fine.
If I run the same script locally, everything works like a charm.
Hoping someone can help me out.

After hearing back from Heroku support, they mentioned something along the lines of what VonC said. The key wasn't available in Heroku so it was failing.
Although what VonC said would work I imagine, I resolved to using an OAuth Token for my git operations instead of sharing private and public keys away.
As per this article, you can use a GitHub OAuth token in place of a username and all works fine. Setting it as a Heroku config var also means that it never has to appear in your code.
https://help.github.com/articles/git-automation-with-oauth-tokens
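One way to apply the token approach described above without writing the token into a remote URL or `.git/config`, as an added example that is not part of the original answer. The config var name `GITHUB_OAUTH_TOKEN` and both function names are assumptions; the token is supplied in place of the username, as the answer describes.

```sh
#!/bin/sh
# Added example. Assumes the token was stored with something like
#   heroku config:set GITHUB_OAUTH_TOKEN=<token>
# so it reaches the app only as an environment variable.

write_askpass_helper() {
  # $1: path for the helper script. The helper holds no secret itself;
  # it reads the environment variable each time git asks for credentials.
  cat > "$1" <<'EOF'
#!/bin/sh
# git passes the prompt text as the first argument.
case "$1" in
  Username*) printf '%s\n' "${GITHUB_OAUTH_TOKEN:?token not set}" ;;
  Password*) printf '\n' ;;
esac
EOF
  chmod 700 "$1"
}

git_with_token() {
  # Runs git against a plain https://github.com/... remote.
  # credential.helper is cleared so the token is not cached on disk,
  # and terminal prompts are disabled so a missing token fails fast.
  helper="$(mktemp)" || return 1
  write_askpass_helper "$helper"
  GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
    git -c credential.helper= "$@"
  rc=$?
  rm -f "$helper"
  return $rc
}

# Usage (not run here; {organization}/{project} is a placeholder):
#   git_with_token clone https://github.com/{organization}/{project}.git
```

Because the remote URL carries no credentials, the token does not show up in `git remote -v` output or in logged clone commands.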

If I run the same script locally, everything works like a charm.
That is because locally, in your $HOME/.ssh, you have both the private and public key.
You need both to access a repo hosting server (like GitHub or Heroku).
That means: if Heroku needs to access GitHub directly, it also needs the public and private ssh key.
You need (as in this article) to reference your private key as config vars
heroku config:add PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
MMMMMMMMaaaaaammmmammamamammamaasdhkghkdahgj8234joihsdfJHHKJGHGG
...
-----END RSA PRIVATE KEY-----"
make sure you pass the config var when you load the key.
key = OpenSSL::PKey::RSA.new ENV["PRIVATE_KEY"], 'notasecret'
And your Heroku App will be able to use that private key when contacting GitHub.
Note that sharing private keys is frowned upon, so generating a new public/private key dedicated for Heroku accessing GitHub (and adding the new public key to the GitHub repo) is preferable.
You will find a similar approach (for a Heroku app to access a private ssh key) in:
"bwhmather/heroku-buildpack-ssh"
issue 17
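A sketch of how an app could turn the `PRIVATE_KEY` config var from the answer above into a key file that git can use, as an added example that is not code from the answer or from the buildpack it mentions. The file name `id_heroku_github` and both function names are assumptions; the key should be the dedicated one the answer recommends.

```sh
#!/bin/sh
# Added example. PRIVATE_KEY is the config var name used in the answer.

install_key_from_env() {
  # $1: directory to hold the key (for example "$HOME/.ssh").
  # Prints the path of the written key file.
  [ -n "${PRIVATE_KEY:-}" ] || { echo "PRIVATE_KEY is not set" >&2; return 1; }
  dir="$1"
  keyfile="$dir/id_heroku_github"   # file name is an assumption
  # umask 077 inside a subshell: the file is never readable by other
  # users, not even briefly between creation and chmod.
  ( umask 077
    mkdir -p "$dir" &&
    printf '%s\n' "$PRIVATE_KEY" > "$keyfile" ) || return 1
  # ssh refuses private keys with group or world permissions.
  chmod 700 "$dir" && chmod 600 "$keyfile" || return 1
  printf '%s\n' "$keyfile"
}

ssh_command_for_key() {
  # $1: key path. IdentitiesOnly stops ssh from offering any other key
  # it might find, so only the dedicated key is presented to GitHub.
  printf 'ssh -i %s -o IdentitiesOnly=yes' "$1"
}

# Usage at app start (not run here):
#   key="$(install_key_from_env "$HOME/.ssh")" &&
#   GIT_SSH_COMMAND="$(ssh_command_for_key "$key")" git fetch origin
```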

Related

Connecting Heroku app to private GitHub repository for deploying on Heroku

I have an organization's private GitHub repository that I am trying to connect a Heroku app to, using the Heroku Dashboard from a browser. In the settings of my GitHub account (that is linked to Heroku), under OAuth Applications, I can see Heroku Dashboard, and under Permissions, it says Full control of private repositories.
However, when I navigate to the Heroku app page and select this GitHub repo from the select-list and click Connect, I get the message:
Item could not be modified:
Admin access to repository required
On GitHub, my account has Write access for the repo. Moreover, as mentioned above, Heroku Dashboard has Full control of private repositories. Can anybody help me figure out what access needs to be granted where? I would really appreciate that.
Never mind. That private GitHub repo had been created by someone else who had since left the company. I had Write access but that is not enough. When I created a new GitHub repo and an app on Heroku myself, I could connect them without any issues.
We had the same problem when someone without admin access to the github repo requested the github access in Heroku. He had to revoke his access in github before we could log back into Heroku with an account that had admin access in github and properly connect the accounts.

Linking heroku app to a private(organization) github repo

Working on local, pushing changes to Heroku works and the app works as expected. However I am having trouble linking heroku app to a private repo on Github.
Current configuration looks something like this
git@github.com:{Organization}/{project}.git
Where should I configure username/password for the private repo?
I tried (even though this is not the preferred way)
username:password@github.com/{organization}/{project}.git
would appreciate any pointers regarding this.
EDIT:
I failed to mention that I am setting it under app settings in Heroku.
git@github.com:{Organization}/{project}.git
This is an ssh address, with the authentication managed by public/private key: make sure your public key is published among the collaborators' keys for that Organization.
No "username" or "password" here.
username:password@github.com/{organization}/{project}.git
That could be correct if you use that remote address as an HTTPS address.
Note that Honza Javorek mentions in "How do I access a private github repo from heroku?" in Nov. 2020:
Heroku only supports HTTP(S) Basic authentication with Git out of the box.
That's unfortunate as it means you'd need to add your credentials as part of the installation URL and commit that as plain text in your list of dependencies.
He suggests to create a new GitHub SSH key and follow the heroku-buildpack-ssh-key process:
heroku buildpacks:add https://github.com/heroku/heroku-buildpack-ssh-key.git -i 1
heroku config:set BUILDPACK_SSH_KEY=$(cat ~/.ssh/id_rsa_heroku)
If you want to use a private repo, heroku needs to send github some sort of token as you know. If you create a deploy key on that private repo, you can use https://github.com/siassaj/heroku-buildpack-git-deploy-keys

Can't understand ssh system in Heroku

I can't get the system of managing ssh keys.
I want to push an application to Heroku, so I tried to push but got an error. Here is my log:
$ git push heroku master
! Your key with fingerprint bf:f6:ed:14:9d:cd:52:a2:a3:16:b2:e9:b4:f2:bf:ba is not authorized to access warm-samurai-6574.
fatal: The remote end hung up unexpectedly
User@PK /e/examples (master)
$ heroku keys:add
Found existing public key: C:/Users/User/.ssh/id_rsa.pub
Uploading SSH public key C:/Users/User/.ssh/id_rsa.pub
!This key is already in use by another account. Each account must have a unique key.
User@PK /e/examples (master)
$ heroku keys
=== 1 key for denys.medynskyi@gmail.com
ssh-rsa AAAAB3NzaC...etyxYh4Q== User@PK
Every account has its own ssh key. So I can push from any computer, because the ssh key is pushed to heroku?
Should every application on heroku have its own ssh key or not?
Basically, your computer has an SSH key. However, the SSH key on it is associated with another Heroku account (different from the one you are using now). Your best bet would be to generate a brand new SSH key and add it to Heroku.
Just make a new SSH key on your machine and upload it to Heroku:
$ ssh-keygen
Make sure to save it as '/Users/User/.ssh/new_id_rsa.pub' when the prompt asks you.
$ heroku keys:add /Users/User/.ssh/new_id_rsa.pub
This should allow you to use Heroku.
As for your other questions: you can push to Heroku from any computer as long as you add the computer's SSH keys through heroku keys:add. And no, every application does not need to have its own SSH key.
Your computer has an SSH key, but that SSH key is associated with another Heroku account. If you need to use both accounts for different applications on the same computer you should make a new SSH key on your machine and upload it to Heroku:
$ ssh-keygen
Make sure to save it as '/Users/User/.ssh/new_id_rsa.pub' when the prompt asks you.
$ heroku keys:add /Users/User/.ssh/new_id_rsa.pub
You then need to add another host to your ~/.ssh/config:
Host heroku-alt
    HostName heroku.com
    IdentityFile ~/.ssh/new_id_rsa
And then update the .git/config in your project to use the host alias:
[remote "heroku"]
    url = git@heroku-alt:myapp.git
    fetch = +refs/heads/*:refs/remotes/heroku/*
By choosing between heroku and heroku-alt in the remote of the .git/config files of specific projects you can manage which projects use which credentials.
Heroku requires an SSH key to be unique to an account. Two accounts cannot have the same ssh key.
You can do ONE of these to solve your issue:
Unlink the ssh key from the other heroku account. Chances are you are not using that account. This is the path of least resistance.
Delete the existing keys. Generate a new ssh public/private key pair. Advantage is you will retain the default name for keys and thus it will be automatically found by any application you use.
Generate a new ssh public/private key pair and save it alongside your existing keys. The disadvantage is, these two keys will have a custom name. If you end up using these keys often, you will need to locally configure ssh to use these instead of the default id_rsa. This does require some work and might get involved.
Which you choose really depends on you.
If you choose the third option, refer to this answer https://superuser.com/a/272613/25665 for how to configure ssh locally to always use the new keys for heroku. In case you are wondering why bother with this, well, you will be interacting with heroku by pushing to a git repository. That requires you to be authenticated using ssh. By default it will use the older keys and you won't be able to push. It's just easier to instead tell ssh to use the alternate key when interacting with warm-samurai-6574.heroku.com
The following link has instructions on creating a new key. You will need to either accept the default names or give custom ones depending on which option you chose.
https://devcenter.heroku.com/articles/keys
Can you push from any computer?
Again, it depends. If the computer has your ssh keys and it's configured to use your keys for the heroku domain, then yes. You can instead choose to not copy your keys there and simply add the ssh keys present there to your heroku account.
Does each app require a unique key?
No. You can have multiple apps under one heroku account. They all will share the keys you upload to your heroku account.
Let me see if I understand this correctly.
Most of the replies agree that the ssh keys we are using for git identify the computer, because the suggestion they made is to regenerate the key on the other computer and upload it to Heroku.
From my point of view the SSH key should identify me as a developer of the app, and this is what creates the confusion. This means I have to bring my private and public keys with me and use it on any computer I use which can be accomplished with a pendrive or something similar.
So my suggestion is: copy your public and private keys with you, put them in the computer you want to use for pushing to Heroku and protect your private key with a password.

Teamcity and gitosis authentication issue

I've a git repository administered by gitosis on my server. On the same server I have teamcity for my CI.
I can't seem to connect to the git repository through teamcity.
I've an Administrator user that can access the repository (its under a git user on the same server) through cygwin, however when I try to setup teamcity to access with the Administrator's private key I get an authentication issue: 'Connection test failed: com.jcraft.jsch.JSchException: Auth fail'.
In team city I have username style as email, authentication method as private key, the username is the same as the public key and the path to the private key is correct.
When using password access I'm told the path doesn't look like a git repository, even though it is and works fine through cygwin.
If anyone has teamcity connecting to a gitosis repository please let me know how you managed it.
I've solved the problem.... I was using the wrong user type. I was using just user name not user name email.

HowTo: Teamcity + GitHub

Has anybody successfully configured Teamcity to monitor, extract, and build from GitHub?
I can't seem to figure out where and how to configure the SSH keys for Teamcity. I have Teamcity running as a system service, under a system account. So where does Teamcity stash its SSH configuration?
EDIT
To get this to work, I needed to stop the agent from running under a system account.
Ok... I got this to start working on my Windows server. Here are the steps I took to configure TeamCity 4.5 Professional:
Downloaded the JetBrains Git VCS Plugin
Copied the downloaded zip file to .BuildServer\plugins
In the Administration > Edit Build Configuration > Edit VCS Root configuration screen, I selected "Git (JetBrains)"
Entered my Clone Url from the GitHub project page
Set for authentication method "Default Private Key" -- this is IMPORTANT
The TeamCity BuildAgent should be running as a standard user, with the SSH installation configured properly for that user.
Follow the GitHub SSH directions for SSH configuration
Leave the username blank. This should already be provided for in your GitHub clone URL
I got "Default Private Key" to work with agents running as the SYSTEM user on Windows. For me, the answer was having the identity file at
C:\Windows\SysWOW64\config\systemprofile\.ssh\id_rsa
instead of at
C:\Windows\System32\config\systemprofile\.ssh\id_rsa
Your question is specific to SSH, but it is certainly easier and quicker to use HTTP over TLS, as GitHub and TeamCity both now support HTTP authentication. Furthermore, GitHub also supports personal api tokens with limited permissions, that you may configure to your liking, or create a new user if you prefer.
See image below of our TeamCity settings.
Since TeamCity 8.1, there is official support for SSH key management, please read these docs: https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management
For private key, username must be blank.
(This is an up-to-date answer to an old question)
I got ssh based builds working with github/gitlab and teamcity 7 like this:
Log onto the teamcity machine and use puttygen/ssh-keygen to generate a rsa key pair and save the openssh key somewhere sensible.
(Gotcha - Using puttygen? Make sure the private key is in openssh format - puttygen > conversions > export openssh key)
I suggest you save the private key in
C:\.ssh\id_rsa
Now setup "default private key" in teamcity - create a file
C:\.ssh\config
And in it place this:
Host *
    IdentityFile c:\.ssh\id_rsa
Log in to your gitlab/github account and paste in the openssh public key for your teamcity private key.
You should now be able to create a git vcs root in teamcity that can use the default private key to pull your source.
You may need a third party plugin like this
I don't know why but choosing Default Private Key failed for me.
Then I chose Custom Private Key, as in the screenshot below:
The Username field has to be empty.
The Passphrase field is the password of your private key
(Assume you have added the public key of this private key in git already.)
Hope no one got stuck like me !

Resources