Overriding SSH configuration for current environment

113 views Asked by At

TL;DR

Is there an option to override the SSH configuration in any way for the current environment only? I.e., provide an option to SSH-Agent, or set environment variable to read SSH config from file, etc, without modification of the current user or system configuration of any kind?

The Problem

I am trying to set up the CI for one of the repositories I do not own. During that, a git clone command is invoked by a build tool (flutter) to a private repository with a non-standard authentication flow. The cloning process is invoked by a third-party tool during the project dependencies of dependencies download, thus I have no control of the Git URL.

Normal Git authentication (equivalent SSH config):

Match Host xxx User git
    User git
    Port 12345
    IdentityFile yyy

Normally, the username is git, port is 22, and identity file is~/.ssh/id_rsa. A different username & port may be specified in the Git URL, and a different public key may be injected via the SSH Agent.

The problem lies in the fact that private Git repo uses a non-standard SSH model, authenticating users by a "username + ssh key" pair, not only by an SSH key.

The following config is required:

Match Host xxx User git
    User username
    Port 12345
    IdentityFile yyy

The port specified in the URL is only sometimes correct, and the username is never correct (they include none resulting in the git username).

What I Tried

I tried the following:

  • Injecting an SSH-Agent to provide an SSH key (SSH key includes username) -> didn't work
  • Patching the dependencies config in the runtime to change all Git URLs to include the username -> resulted in the successful dependencies but failed on the deps of deps.
  • Read all the documentation about the ssh CLI, ssh-agent CLI, and Flutter (the build tool) -> didn't help

Rewriting the URLs:

Log file is anonymized

[build-multiplatform] [TRACE] Replacing 'ssh://private-repo.org:12345/top-level/dependency' with 'ssh://[email protected]:12345/top-level/dependency'...
[build-multiplatform] Rewriting file 'pubspec.yaml'...
[Pipeline] writeFile
[Pipeline] sh
00:00:15.023  + flutter clean
00:00:15.274  + flutter pub get
00:00:16.186  Resolving dependencies...
00:02:52.433  Git error. Command: `git clone --mirror ssh://private-repo.org/second-level/dependency /home/jenkins/.pub-cache/git/cache/flutter_app_components-323d1175f93598320dc758a60eaf879c64d41c0f`
00:02:52.433  stdout: 
00:02:52.433  stderr: Cloning into bare repository '/home/jenkins/.pub-cache/git/cache/flutter_app_components-323d1175f93598320dc758a60eaf879c64d41c0f'...
00:02:52.433  ssh: connect to host private-repo.org port 22: Connection timed out
00:02:52.433  fatal: Could not read from remote repository.
00:02:52.433  
00:02:52.433  Please make sure you have the correct access rights
00:02:52.433  and the repository exists.
00:02:52.433  exit code: 128

Note the port (none -> 22) and username (none -> git) in the second-level dependency in the log above.

What I can't do

  • Modify the global (system) or user SSH or Git configuration (making CI infrastructure-dependent)
  • Modify the server authentication model (not having access)
  • Modify or override the source code of dependencies, including lists of their dependencies (not having access)
  • Modify the build toll (3rd-party)
  • Invoke git clone manually (requires the reverse engineering of the build tool)
  • Add local Git config (cloning is processed to the temporary directory)
  • Execute any command as admin/superuser (CI user isn't one)

What I can do

  • Override any environment variable
  • Modify or override top-level source code
  • Modify any file in the current directory
  • (Potentially) Execute build in Docker (requires some additional setup but possible)
0

There are 0 answers