[users at bb.net] Using SSH keys with GitPoller and Git step?

Drago Trusk drago.trusk at gmail.com
Tue Mar 7 06:31:58 UTC 2017


Hi Pierre,

It is understandable that people should use SSH keys, but if a third party 
exposes non-SSH access then this becomes a problem.

Obfuscation of the command (e.g. password) is nice, but if for whatever 
reason this command fails and writes sensitive information into 
stderr/stdout it will still be visible. Of course, if the worker is on Linux 
that can be piped and replaced (or through code itself).

Since I'm provisioning my workers with SSH keys anyway I have sensitive 
information in gitconfig, but I just wanted to point out that use cases 
can happen in situations when someone doesn't have another choice.

PS Pierre: oops, wrong reply button

On 03/06/2017 08:32 PM, Chris Spencer wrote:
> Is there any way to suppress the output of the Git step 
> (http://docs.buildbot.net/latest/manual/cfg-buildsteps.html#step-Git), 
> so my password isn't visible in the logs? It doesn't appear to accept 
> any type of "gitbin" option.
>
> On Thu, Mar 2, 2017 at 6:42 PM, Will Rosecrans <wrosecrans at gmail.com> wrote:
>
>     As far as I know, the GitPoller doesn't directly support that.  I
>     have mostly used salt to set up the buildslave machine, and
>     included ssh and git config as part of the buildslave's system
>     config rather than the buildbot config.  If you are using GitHub,
>     it's also easy to set up token passwords on an account and use
>     that for service work.  It uses a password rather than an actual
>     key, but the password is a long string of gibberish, and you can
>     use the token as a sub account, with different permissions for the
>     tokens and the ability to revoke them individually.
>
>     You can also set the GitPoller's gitbin to point to a script that
>     runs git with whatever key setup you like, and have buildbot just
>     invoke that script.
>
>     On Wed, Mar 1, 2017 at 5:18 PM, Chris Spencer <chrisspen at gmail.com> wrote:
>
>         How do you specify the ssh key to use with the Gitpoller and
>         Git step classes?
>
>         I'm currently hard-coding my username/password in the repourl,
>         and I'd like to move away from that for security reasons.
>         However, even after reading the docs and looking at the
>         source, I can see no obvious way to specify the pem key file
>         to checkout and fetch via ssh.
>
>         _______________________________________________
>         users mailing list
>         users at buildbot.net <mailto:users at buildbot.net>
>         https://lists.buildbot.net/mailman/listinfo/users
>         <https://lists.buildbot.net/mailman/listinfo/users>

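The two suggestions in this thread, pointing GitPoller's gitbin at a wrapper script and piping git's output so that credentials are replaced, can be combined as in the sketch below. It is an added example, not code from any poster or from Buildbot; the variable names REAL_GIT and GITWRAP_SSH_KEY are hypothetical, and the sample URLs in the comments are constructed.

```shell
#!/bin/sh
# Added example: a wrapper intended for use as GitPoller's gitbin.
# REAL_GIT and GITWRAP_SSH_KEY are hypothetical names chosen for this sketch.

# Mask the password in scheme://user:password@host URLs read from stdin.
# URLs without a password (ssh://git@host/..., https://host:8443/...) are
# passed through unchanged.
redact_credentials() {
    sed -E 's#([A-Za-z][A-Za-z0-9+.-]*://[^/:@[:space:]]+):[^@/[:space:]]+@#\1:***@#g'
}

# Run the real git, then replay its stdout and stderr through the filter.
# The streams stay separate because the caller may parse stdout, and git's
# exit status is returned unchanged so a failed fetch is still a failure.
run_git_redacted() {
    tmpdir=$(mktemp -d) || return 1   # mode 0700; holds raw output briefly
    if [ -n "${GITWRAP_SSH_KEY:-}" ]; then
        # GIT_SSH_COMMAND is honoured by git 2.3 and later.
        GIT_SSH_COMMAND="ssh -i '$GITWRAP_SSH_KEY' -o IdentitiesOnly=yes"
        export GIT_SSH_COMMAND
    fi
    git_rc=0
    "${REAL_GIT:-/usr/bin/git}" "$@" >"$tmpdir/out" 2>"$tmpdir/err" || git_rc=$?
    redact_credentials <"$tmpdir/out"
    redact_credentials <"$tmpdir/err" >&2
    rm -rf "$tmpdir"
    return "$git_rc"
}

# Behave as the wrapper only when invoked with git arguments.
if [ "$#" -gt 0 ]; then
    run_git_redacted "$@"
    exit $?
fi
```

Output is buffered, so progress lines appear only once git exits. The filter keeps the password out of captured logs only: it is still present in the repourl and in git's argument list.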