Recently I configured a GitLab Runner on a VM, and I wanted to add keychain on that VM to allow the runner to execute commands like scp or SSH without exposing my SSH passphrase (https://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/).
When I installed gitlab-multi-runner (https://docs.gitlab.com/runner/install/linux-repository.html), I saw a new folder "gitlab-runner" in my /home.
So I added a password to this user (passwd command), edited its .bash_profile as described in the link above, and generated new SSH keys.
My runner is working fine; my .gitlab-ci.yml can execute scp commands like this:
scp jon.doe YOUR_LOGIN@DEV_SERVER_ADDRESS:/var/www/
No passphrase required / exposed.
So here are my questions:
- Is it safe to configure the runner like this?
- Is there an official or better way to do what I want? (use SSH and SCP safely with a gitlab-runner)
I think there should be no problem, but I'm not an expert in Linux and SSH so...
Thanks for your answers!