SSH Key Management
Introduction
FirmwareCI provides organization-level SSH key management to securely authenticate to target devices during test execution. Instead of using passwords or managing keys manually, you can upload SSH keys through the web interface or API, and they will be automatically available to all tests in your organization.
Key Concepts
Organization Keys
SSH keys are stored at the organization level, meaning all members of your organization can use them in their tests. When you upload a key, it becomes available to all workflows within your organization.
name: Firmware Deployment
description: Deploy firmware to target device
stages:
- name: Deploy
steps:
- cmd: copy
name: Copy firmware binary
transport:
proto: ssh
options:
host: "[[attributes.TargetHost]]"
user: root
identity_file: "[[ssh-keys.deployment_key]]"
parameters:
source: "[[storage.firmware]]/image.bin"
destination: /tmp/image.binAuto-Discovery
When SSH authentication is not explicitly configured in your test file, FirmwareCI automatically discovers and tries all available SSH keys for your organization. This means you can often omit the identity_file parameter entirely.
name: System Check
description: Run diagnostic commands on target
stages:
- name: Diagnostics
steps:
- cmd: cmd
name: Check disk space
transport:
proto: ssh
options:
host: "[[attributes.TargetHost]]"
user: root
# No identity_file specified - uses auto-discovery
parameters:
executable: df
args: ["-h"]Default System Keys
FirmwareCI administrators can configure a default SSH key at the instance level. This key is automatically available to all organizations and can be referenced using [[ssh-keys.default]].
name: BMC Access
description: Access baseboard management controller
stages:
- name: BMC Check
steps:
- cmd: cmd
name: Query BMC status
transport:
proto: ssh
options:
host: "[[attributes.BMCHost]]"
user: admin
identity_file: "[[ssh-keys.default]]"
parameters:
executable: ipmitool
args: ["mc", "info"]Managing SSH Keys
SSH keys are managed through the FirmwareCI web interface. Go to Settings → SSH Keys to add, generate, or manage your organization’s SSH keys.
You can either:
- Upload existing keys: Upload your own SSH key files (OpenSSH format, unencrypted)
- Generate new keys: Create new SSH key pairs directly on the website
All SSH keys are organization-wide and automatically available to all tests in your organization. Supported key types: RSA, Ed25519, ECDSA.
Using SSH Keys in Tests
Template Syntax
SSH keys are referenced in test files using the template syntax: [[ssh-keys.{name}]]
Available templates:
[[ssh-keys.deployment_key]]- Path to private key (default)[[ssh-keys.deployment_key.private]]- Explicit path to private key[[ssh-keys.deployment_key.public]]- Path to public key[[ssh-keys.default]]- Default system key (if configured)
How auto-discovery works:
- All organization SSH keys are automatically mounted into the test container at
/tmp/ssh-keys/{key_name}/ - The SSH transport scans for all
private_keyfiles in subdirectories - Valid keys are tried in sequence until one succeeds
- If a default system key exists, it’s also included
Deploying Public Keys to Target Devices
After adding an SSH key to FirmwareCI, you need to deploy the public key to your target devices. Here are common methods:
Method 1: Manual Deployment
Get the public key from the FirmwareCI web interface:
- Go to Settings → SSH Keys
- Click on your SSH key
- Copy the displayed public key
Add it to the target device’s
~/.ssh/authorized_keys:
# On the target device
echo "ssh-ed25519 AAAAC3Nza..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keysMethod 2: Firmware/Image Embedding
For devices you provision from scratch, embed the public key in your firmware binary or base system image so it’s available immediately after boot. See Test Images for further explanation on our provided testing base-image.
See Also
- Templating and Variables Reference - Complete template syntax guide
- Test Images - FirmwareCI base images with SSH key examples