kestra-io / plugin-fs

https://kestra.io/plugins/plugin-fs/
Apache License 2.0

SSH Command plugin does not work when loading private key from a secret #129

Closed xionous closed 3 months ago

xionous commented 4 months ago

Expected Behavior

Be able to establish an SSH connection when loading a private key from a secret

Actual Behaviour

Unable to establish an SSH connection when loading a private key from a secret

Steps To Reproduce

  1. Launch Kestra with Docker
  2. Attach the private key via an environment variable that is base64-encoded
  3. Run the task with the secret

I have validated that the environment variable is correct by decoding the key in the Docker console and using ssh directly in the Docker console to make a connection. The key also works when added to the flow directly in plain text; it only fails when loaded from a secret.

Environment Information

Example flow

Flow that works

id: test
namespace: test
description: test

inputs:
  - id: host
    type: STRING

tasks:
  - id: install-docker-on-host
    type: io.kestra.plugin.fs.ssh.Command
    authMethod: PUBLIC_KEY
    commands:
      - pwd
    host: "{{ inputs.host }}"
    privateKey: |-
        -----BEGIN OPENSSH PRIVATE KEY-----
        ...redacted...
        -----END OPENSSH PRIVATE KEY-----
    username: root

Flow that doesn't

id: test
namespace: test
description: test
inputs:
  - id: host
    type: STRING

tasks:
  - id: install-docker-on-host
    type: io.kestra.plugin.fs.ssh.Command
    authMethod: PUBLIC_KEY
    commands:
      - pwd
    host: "{{ inputs.host }}"
    privateKey: "{{ secret('ID_KEY') }}"
    username: root

xionous commented 4 months ago

Error that shows on failed flow:

2024-05-04 15:15:41.827
invalid privatekey
2024-05-04 15:15:41.827
com.jcraft.jsch.JSchException: invalid privatekey
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:877)
    at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:42)
    at com.jcraft.jsch.JSch.addIdentity(JSch.java:501)
    at io.kestra.plugin.fs.ssh.Command.run(Command.java:163)
    at io.kestra.plugin.fs.ssh.Command.run(Command.java:38)
    at io.kestra.core.runners.Worker$WorkerThread.run(Worker.java:769)

brian-mulier-p commented 4 months ago

Hello! I can't reproduce. Did you encode your private key in b64 properly? What's working on my side is base64 -w0 ~/.ssh/id_rsa.

Notice the -w0 which prevents base64 tool from adding line wraps
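
A check for the encoding step discussed in this thread, added here as an example and not part of the issue or of the plugin's code: it decodes a base64 secret and reports defects that can make a key loader reject the result. The function name, the messages and the sample key (placeholder bytes, not key material) are constructed for illustration; the thread does not say which, if any, of these applied to the reporter's key.

```python
import base64
import binascii
import re

# Armor lines as used by OpenSSH and PEM private keys (label must match on both).
ARMOR = re.compile(
    r"\A-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\n(.+?)\n-----END \1-----\n?\Z",
    re.DOTALL,
)

# Constructed sample: placeholder bytes inside OpenSSH armor, not a real key.
SAMPLE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed placeholder, not key material" * 3).decode()
    + "-----END OPENSSH PRIVATE KEY-----\n"
)


def diagnose_key_secret(encoded: str) -> list[str]:
    """Return the problems found in a base64-encoded private-key secret."""
    issues = []
    # Without -w0, base64 wraps at 76 columns; wrapped values are easily truncated.
    if re.search(r"\s", encoded):
        issues.append("encoded value contains whitespace or line wraps")
    try:
        raw = base64.b64decode("".join(encoded.split()), validate=True)
        text = raw.decode("ascii")
    except binascii.Error:
        return issues + ["value is not valid base64"]
    except UnicodeDecodeError:
        return issues + ["decoded value is not ASCII text"]
    if "\r" in text:
        issues.append("decoded key uses CRLF line endings")
        text = text.replace("\r\n", "\n")
    if "\\n" in text:
        issues.append("decoded key contains literal \\n escapes")
    match = ARMOR.match(text)
    if not match:
        return issues + ["missing or mismatched BEGIN/END armor lines"]
    if not text.endswith("\n"):
        issues.append("no newline after the END line")
    # Skip PEM header lines such as "Proc-Type: ..." before checking the body.
    body = "".join(l for l in match.group(2).split("\n") if ":" not in l)
    try:
        base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        issues.append("key body between armor lines is not valid base64")
    return issues
```

An empty list means the encoded value round-trips to a structurally sound key file; it does not prove that a given SSH library supports that key format.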

xionous commented 4 months ago

> Hello! I can't reproduce. Did you encode your private key in b64 properly? What's working on my side is base64 -w0 ~/.ssh/id_rsa.
>
> Notice the -w0 which prevents base64 tool from adding line wraps

That is exactly how I generated the base64. There is nothing wrong with the base64 I am using because I can go into the container console, decode the secret, and use the decoded value to SSH to another host from the container console.

brian-mulier-p commented 4 months ago

Can you send me your private & public key in a DM on Slack (if you can revoke them and create a new one ofc) so I can test on my side whether I'm able to make it work using yours? It may have to do with our lib and the format of your key, but I have to check if that's the case.

xionous commented 4 months ago

When you say you cannot reproduce this, did you make an actual flow that loads a private key from a secret and successfully establish a connection to a remote host and get an output from the remote host?

brian-mulier-p commented 4 months ago

> When you say you cannot reproduce this, did you make an actual flow that loads a private key from a secret and successfully establish a connection to a remote host and get an output from the remote host?

Yes, I could successfully run pwd on the remote host and authenticate using the secret function with a b64-encoded key.

brian-mulier-p commented 4 months ago

Already fixed by this in the end but not yet released

anna-geller commented 4 months ago

It seems it was released by now in 0.17 - @brian-mulier-p, can you confirm and close the issue then?