TL;DR
Is there an option to override the SSH configuration in any way for the current environment only? I.e., provide an option to SSH-Agent, or set environment variable to read SSH config from file, etc, without modification of the current user or system configuration of any kind?
The Problem
I am trying to set up the CI for one of the repositories I do not own.
During that, a git clone command is invoked by a build tool (flutter) to a private repository with a non-standard authentication flow. The cloning process is invoked by a third-party tool during the project dependencies of dependencies download, thus I have no control of the Git URL.
Normal Git authentication (equivalent SSH config):
Match Host xxx User git
User git
Port 12345
IdentityFile yyy
Normally, the username is git, port is 22, and identity file is~/.ssh/id_rsa.
A different username & port may be specified in the Git URL, and a different public key may be injected via the SSH Agent.
The problem lies in the fact that private Git repo uses a non-standard SSH model, authenticating users by a "username + ssh key" pair, not only by an SSH key.
The following config is required:
Match Host xxx User git
User username
Port 12345
IdentityFile yyy
The port specified in the URL is only sometimes correct, and the username is never correct (they include none resulting in the git username).
What I Tried
I tried the following:
- Injecting an SSH-Agent to provide an SSH key (SSH key includes username) -> didn't work
- Patching the dependencies config in the runtime to change all Git URLs to include the username -> resulted in the successful dependencies but failed on the deps of deps.
- Read all the documentation about the
sshCLI,ssh-agentCLI, and Flutter (the build tool) -> didn't help
Rewriting the URLs:
Log file is anonymized
[build-multiplatform] [TRACE] Replacing 'ssh://private-repo.org:12345/top-level/dependency' with 'ssh://[email protected]:12345/top-level/dependency'...
[build-multiplatform] Rewriting file 'pubspec.yaml'...
[Pipeline] writeFile
[Pipeline] sh
00:00:15.023 + flutter clean
00:00:15.274 + flutter pub get
00:00:16.186 Resolving dependencies...
00:02:52.433 Git error. Command: `git clone --mirror ssh://private-repo.org/second-level/dependency /home/jenkins/.pub-cache/git/cache/flutter_app_components-323d1175f93598320dc758a60eaf879c64d41c0f`
00:02:52.433 stdout:
00:02:52.433 stderr: Cloning into bare repository '/home/jenkins/.pub-cache/git/cache/flutter_app_components-323d1175f93598320dc758a60eaf879c64d41c0f'...
00:02:52.433 ssh: connect to host private-repo.org port 22: Connection timed out
00:02:52.433 fatal: Could not read from remote repository.
00:02:52.433
00:02:52.433 Please make sure you have the correct access rights
00:02:52.433 and the repository exists.
00:02:52.433 exit code: 128
Note the port (none -> 22) and username (none -> git) in the second-level dependency in the log above.
What I can't do
- Modify the global (system) or user SSH or Git configuration (making CI infrastructure-dependent)
- Modify the server authentication model (not having access)
- Modify or override the source code of dependencies, including lists of their dependencies (not having access)
- Modify the build toll (3rd-party)
- Invoke
git clonemanually (requires the reverse engineering of the build tool) - Add local Git config (cloning is processed to the temporary directory)
- Execute any command as admin/superuser (CI user isn't one)
What I can do
- Override any environment variable
- Modify or override top-level source code
- Modify any file in the current directory
- (Potentially) Execute build in Docker (requires some additional setup but possible)