
      Currently, BitBucket only supports adding an ed25519 SSH key to a user account, not to Pipelines.
      This is needed to let a deployment tool (like Ansible) running in Pipelines access a server via SSH.

            [BCLOUD-18058] Support ed25519 SSH key in Pipeline

            Matthew Ramir added a comment -

            Fabio - I love your solution, very clever workaround for this! I was able to implement this idea in my codebase and it put an end to hours of debugging ssh keys.

            In my case I was attempting to deploy to a hosting provider that would only allow me to supply a 4096 bit public key. I tried quite a few different ways to get keys that would communicate with the deployment stack but got nowhere. I'm not sure if it was pipelines being incompatible with the key type, but I've wasted so many hours and build minutes on this issue.

            The idea of storing a private key in an environment variable just sounds like bad practice. At least in this case the data is obfuscated to some degree. I'm sure this can be made more secure, but at the end of the day this looks like more of a Bitbucket pipelines issue. We should be allowed to upload and use more secure ssh keys in a build environment.

            Fabio Montefuscolo added a comment - - edited

            Hi,

            I didn't test the PEM key yet. That seems to be hot.

            For some time this problem was bothering me and I tried to inspect it. Then, the problem went away. I wanted to debug ssh messages, so I did the following:

            1. Created the ssh keys as I found here https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html

            # by default, it goes to the .ssh folder
            ssh-keygen -t rsa -b 4096 -N ''

            2. Created an ssh config with the LogLevel directive

            cat > .ssh/config <<EOF
            Host bitbucket.org
                StrictHostKeyChecking no
                HostName bitbucket.org
                Port 22
                User git
                IdentityFile ~/.ssh/id_rsa
                LogLevel DEBUG
            EOF

            3. Wrapped it all in a tar archive encoded as base64

            tar -czvf - .ssh/ | base64 -w0

            4. Copied the base64 output and pasted it into Bitbucket as documented here https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html, in "3: Add the key as a secure variable". The name I chose for the variable is "SSH_KEYS".

            5. At the beginning of the pipeline I put this in the script section

            - echo "${SSH_KEYS}" | base64 -d | tar -C "${HOME}" -zxvf -

            I was expecting to get the SSH errors, because I use the git clone command in my pipeline. But I got no errors after that.

            Jad Wahab added a comment -

            As the above comment mentioned, you need to generate a key in pem format, for example:

            ```
            ssh-keygen -a 100 -t rsa -b 2048 -N '' -m pem
            ```

            Should be documented somewhere!

            Jameel Moses added a comment -

            Would be great if the pem requirement was documented. Finally found this issue and solved my problem.

            Billy Bouman added a comment -

            @marco_to

            Thank you so much. This is documented NOWHERE.

            Deleted Account (Inactive) added a comment -

            Found the issue.
            It seems that Bitbucket requires PEM format for the private key.
            Using a custom key (as opposed to generating a new one) and uploading a private key NOT in PEM format gives the error:

            debug1: Trying private key: /opt/atlassian/pipelines/agent/ssh/id_rsa
            Load key "/opt/atlassian/pipelines/agent/ssh/id_rsa": invalid format

            This happens ALSO with RSA keys, if you use any recent ssh-keygen and DO NOT pass -m pem.
            Alas, ED25519 keys NEVER use PEM format for the private key.

            Some reference: https://security.stackexchange.com/questions/143114/what-is-the-difference-between-pem-format-to-dsa-rsa-ecc-might-i-confuse-pem-w
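            An added check (not from this issue or from Atlassian) for the PEM requirement described in the comment above: it reads the armor header of a private key file and, for OpenSSH-format keys, parses the openssh-key-v1 public-key blob to report the algorithm, so a key can be checked before it is uploaded to Pipelines. The sample blob is constructed inside the block and is not a usable key; the `ssh-keygen -p -m pem -f <keyfile>` re-encode it suggests is the page's own `-m pem` flag applied to an existing RSA key file.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # opens every "BEGIN OPENSSH PRIVATE KEY" file
PEM_RSA_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, pos: int):
    """Decode one SSH wire-format string at pos; return (value, new_pos)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def openssh_key_type(key_text: str) -> str:
    """Return the algorithm name stored inside an OpenSSH-format private key."""
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(OPENSSH_MAGIC)
    _cipher, pos = _read_string(raw, pos)      # "none" when the key is unencrypted
    _kdf, pos = _read_string(raw, pos)         # "none" when the key is unencrypted
    _kdfopts, pos = _read_string(raw, pos)
    pos += 4                                   # uint32 number of keys (1 in practice)
    pubkey, pos = _read_string(raw, pos)       # public key blob of the first key
    keytype, _ = _read_string(pubkey, 0)       # blob starts with its algorithm name
    return keytype.decode()

def classify(key_text: str) -> str:
    """Say whether the key is in the PEM form this thread found Pipelines requires."""
    first = key_text.strip().splitlines()[0]
    if first == PEM_RSA_HEADER:
        return "accepted: PEM (PKCS#1) RSA key"
    if first == OPENSSH_HEADER:
        kt = openssh_key_type(key_text)
        if kt == "ssh-rsa":
            return "rejected: OpenSSH-format RSA key; re-encode with: ssh-keygen -p -m pem -f <keyfile>"
        return f"rejected: OpenSSH-format {kt} key; no PEM form exists for this key type"
    return "unknown: not a PEM RSA or OpenSSH private key"

def make_openssh_blob(keytype: bytes, pubkey_bytes: bytes) -> str:
    """Constructed sample: a structurally valid openssh-key-v1 file (not a usable key)."""
    pub_blob = _ssh_string(keytype) + _ssh_string(pubkey_bytes)  # rest of the blob is a placeholder
    raw = (OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
           + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(b""))
    b64 = base64.b64encode(raw).decode()
    return OPENSSH_HEADER + "\n" + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70)) + "\n-----END OPENSSH PRIVATE KEY-----\n"
```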

            Nguyễn Hồng Quân added a comment -

            @aneita After I replaced the RSA key with an ed25519 key in Pipelines, it now fails to run my Ansible playbook:

            https://bitbucket.org/hongquan/talk-customize-linux-embedded/addon/pipelines/home#!/results/7

            As you can see in the log:

            Failed to connect to the host via ssh: Warning: Permanently added the RSA host key for IP address '103.92.28.225' to the list of known hosts.\r\nLoad key \"/opt/atlassian/pipelines/agent/ssh/id_rsa

            The path of the key file is weird. This key is not RSA, but the path created by Pipelines is RSA.

            Nguyễn Hồng Quân added a comment -

            @aneita I can add an ed25519 SSH key now. I think BitBucket fixed this issue before you were assigned.
            Thanks.

            Aneita added a comment -

            Hi @hongquan,

            Thanks for reaching out. Can you clarify whether you're having issues adding SSH keys (in general) to Pipelines or having issues adding ed25519 keys in particular?

            If it's the latter, can you let me know what issue or error message you're running into when you try to add the key?

            Thanks,
            Aneita

              jthomas@atlassian.com Justin Thomas
              ng.hong.quan Nguyễn Hồng Quân
              Votes: 7
              Watchers: 10