SSH Key Management

Introduction

FirmwareCI provides organization-level SSH key management to securely authenticate to target devices during test execution. Instead of using passwords or managing keys manually, you can upload SSH keys through the web interface or API, and they will be automatically available to all tests in your organization.

Key Concepts

Organization Keys

SSH keys are stored at the organization level, meaning all members of your organization can use them in their tests. When you upload a key, it becomes available to all workflows within your organization.

name: Firmware Deployment
description: Deploy firmware to target device

stages:
  - name: Deploy
    steps:
      - cmd: copy
        name: Copy firmware binary
        transport:
          proto: ssh
          options:
            host: "[[attributes.TargetHost]]"
            user: root
            identity_file: "[[ssh-keys.deployment_key]]"
        parameters:
          source: "[[storage.firmware]]/image.bin"
          destination: /tmp/image.bin

Auto-Discovery

When SSH authentication is not explicitly configured in your test file, FirmwareCI automatically discovers and tries all available SSH keys for your organization. This means you can often omit the identity_file parameter entirely.

name: System Check
description: Run diagnostic commands on target

stages:
  - name: Diagnostics
    steps:
      - cmd: cmd
        name: Check disk space
        transport:
          proto: ssh
          options:
            host: "[[attributes.TargetHost]]"
            user: root
            # No identity_file specified - uses auto-discovery
        parameters:
          executable: df
          args: ["-h"]

Default System Keys

FirmwareCI administrators can configure a default SSH key at the instance level. This key is automatically available to all organizations and can be referenced using [[ssh-keys.default]].

name: BMC Access
description: Access baseboard management controller

stages:
  - name: BMC Check
    steps:
      - cmd: cmd
        name: Query BMC status
        transport:
          proto: ssh
          options:
            host: "[[attributes.BMCHost]]"
            user: admin
            identity_file: "[[ssh-keys.default]]"
        parameters:
          executable: ipmitool
          args: ["mc", "info"]

Managing SSH Keys

SSH keys are managed through the FirmwareCI web interface. Go to Settings → SSH Keys to add, generate, or manage your organization’s SSH keys.

You can either:

  • Upload existing keys: Upload your own SSH key files (OpenSSH format, unencrypted)
  • Generate new keys: Create new SSH key pairs directly on the website

All SSH keys are organization-wide and automatically available to all tests in your organization. Supported key types: RSA, Ed25519, ECDSA.
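A pre-upload check for the requirements listed above (OpenSSH format, unencrypted, supported key type), given as an added example that is not part of FirmwareCI or its documentation. It parses only the header of the openssh-key-v1 container; check_key, read_string and constructed_key are names assumed here, and constructed_key builds a fake key with all-zero material purely as sample input.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
# Type-name prefixes for the families the page lists: RSA, Ed25519, ECDSA.
SUPPORTED = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")


def read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("length field runs past end of data")
    return buf[off + 4:off + 4 + n], off + 4 + n


def check_key(pem_text):
    """Return (ok, detail): detail is the key type on success, else the reason."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False, "not an OpenSSH-format private key"
    try:
        blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = read_string(blob, len(MAGIC))
        _kdfname, off = read_string(blob, off)
        _kdfopts, off = read_string(blob, off)
        pub, _ = read_string(blob, off + 4)  # off + 4 skips the uint32 key count
        ktype = read_string(pub, 0)[0].decode("ascii")
    except (ValueError, struct.error) as exc:
        return False, f"malformed key: {exc}"
    if cipher != b"none":
        return False, "passphrase-protected (cipher %s)" % cipher.decode("ascii", "replace")
    if not ktype.startswith(SUPPORTED):
        return False, f"unsupported key type {ktype}"
    return True, ktype


def constructed_key(cipher=b"none", ktype=b"ssh-ed25519"):
    """Build a structurally valid FAKE key (all-zero key material) as sample input."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(s(ktype) + s(bytes(32))) + s(bytes(64)))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{body}\n{END}\n"
```

To check a real file before uploading, pass its contents: check_key(open(path).read()).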

Using SSH Keys in Tests

Template Syntax

SSH keys are referenced in test files using the template syntax: [[ssh-keys.{name}]]

Available templates:

  • [[ssh-keys.deployment_key]] - Path to private key (default)
  • [[ssh-keys.deployment_key.private]] - Explicit path to private key
  • [[ssh-keys.deployment_key.public]] - Path to public key
  • [[ssh-keys.default]] - Default system key (if configured)

How auto-discovery works:

  1. All organization SSH keys are automatically mounted into the test container at /tmp/ssh-keys/{key_name}/
  2. The SSH transport scans for all private_key files in subdirectories
  3. Valid keys are tried in sequence until one succeeds
  4. If a default system key exists, it’s also included

Deploying Public Keys to Target Devices

After adding an SSH key to FirmwareCI, you need to deploy the public key to your target devices. Here are common methods:

Method 1: Manual Deployment

  1. Get the public key from the FirmwareCI web interface:

    • Go to Settings → SSH Keys
    • Click on your SSH key
    • Copy the displayed public key
  2. Add it to the target device’s ~/.ssh/authorized_keys:

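# On the target device
# Create ~/.ssh if it does not exist yet and restrict it to the owner
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-ed25519 AAAAC3Nza..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys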

Method 2: Firmware/Image Embedding

For devices you provision from scratch, embed the public key in your firmware binary or base system image so it’s available immediately after boot. See Test Images for details on the testing base image we provide.
