SSH Keys Management

TeamCity supports keys in the PEM and OpenSSH formats. Keys that use different formats need to be converted. For example, you can use the PuTTY Key Generator to convert unsupported Putty private keys (*.ppk) to the PEM format. To do this, navigate to the Conversions | Export OpenSSH key menu.

To allow TeamCity projects to access remote repositories via SSH keys, you first need to upload your keys to these projects.

1. In Project Settings, click SSH Keys.

2. On the SSH Keys page, click Upload SSH Key.

3. In the "Upload SSH Key" dialog, browse for a private key file and specify a name for this key.

4. Click Save to save the uploaded key.

Uploaded SSH keys are stored in the <TeamCity Data Directory>/config/projects/<project>/pluginData/ssh_keys directory. TeamCity tracks this directory so uploaded keys become available in the current project and its subprojects without the need to restart a server.

note

Keep the access to the TeamCity Data Directory secure, as a server stores SSH keys in an unmodified/unencrypted form on the file system.

If you use GitHub Deploy Keys or similar authentication workflows, you can let TeamCity generate SSH keys instead of generating them manually. This approach is more secure (since generated keys are not stored on your local machine) and significantly faster. The latter is especially helpful if you re-generate and rotate SSH keys every once in a while.

1. In Project Settings, click SSH Keys.

2. Click the Generate SSH Key button.

   

3. Enter the key name, select the key type, and click Generate.

4. If you need a private or a public key for your new generated key:

   • A private key is stored in the Data Directory/config/projects/<parent project>/pluginData/ssh_keys directory.

   • A public key is accessible from the main SSH Keys page (click the Copy the public key link under a required key). Paste this key to your version control service (for example, in GitHub: "Repository settings | Deploy Keys | Add deploy key").

5. Select the generated key in the Authentication Settings of your TeamCity VCS root. For your convenience, keys generated in TeamCity are placed in a separate category.

   

Once required SSH keys are uploaded, modify the VCS Root settings to select a key that your project should use.

note

Private SSH keys are employed only when your VCS root is configured to work with a remote repository via an SSH URL (for instance, git@github.com:...). If your "Fetch URL" / "Push URL" in Project Settings are set to HTTPS (for instance, https://github.com/...), authorization with SSH keys is disabled.

tip

Watch our video tutorial on how to check out from SSH repositories with SSH keys.

1. Go to the Project Settings | VCS Roots page and click the required root.

2. In the Authentication Settings section, click the required "Private Key" option:

   • Uploaded Key — select this option to utilize the key(s) uploaded to the project.

   • Default Private Key — select this option to utilize the keys available on the file system in the default locations used by common ssh tools: the mapping specified in <USER_HOME>/.ssh/config if the file exists or the private key file <USER_HOME>/.ssh/id_rsa (the files are required to be present on the server and also on the agent if the agent-side checkout is used).

   • Custom Private Key — supported only for server-side checkout. Fill the Private Key Path field with an absolute path to the private key file on the server machine. If the key is encrypted, specify the passphrase in the corresponding field.

If you configure the agent-side checkout, the server passes SSH keys to agents. During a build, the Git plugin downloads the key from the server to the agent, and removes this key after git fetch/clone is complete.

note

Keys are removed from agents for security reasons. For example, the tests executed by the build can leave some malicious code that will access the build agent file system and acquire the key. However, tests cannot get the key directly since it is removed by the time they are running. It makes it harder but not impossible to steal the key. Therefore, the agent must also be secure.

To transfer the key from the server to the agent, TeamCity encrypts it with a DES symmetric cipher. For a more secure way, configure an HTTPS connection between agents and the server.

In addition to VCS roots, uploaded SSH keys can be used in SSH Agent build features. See this link for more information: SSH Agent.

TeamCity REST API allows external applications and scripts to access TeamCity resources via URLs. You can utilize this feature to upload SSH keys and customize VCS Root settings.

GET
/app/rest/projects/<project_locator>/sshKeys

POST
/app/rest/projects/<project_locator>/sshKeys?fileName=<Key_Name>

POST
/app/rest/projects/<project_locator>/sshKeys/generated?keyName=NewKey&keyType=RSA

DELETE
/app/rest/projects/<project_locator>/sshKeys?fileName=<Key_Name>