TeamCity Cloud 2023.11 Help

SSH Keys Management

You can upload private SSH keys into TeamCity projects. Uploaded keys can be used when configuring VCS roots, and in the SSH Agent build feature.

Supported Key Format

TeamCity supports keys in the PEM and OpenSSH formats. Keys that use different formats need to be converted. For example, you can use the PuTTY Key Generator to convert unsupported Putty private keys (*.ppk) to the PEM format. To do this, navigate to the Conversions | Export OpenSSH key menu.

Upload SSH Keys to TeamCity Server

To allow TeamCity projects to access remote repositories via SSH keys, you first need to upload your keys to these projects.

  1. In Project Settings, click SSH Keys.

  2. On the SSH Keys page, click Upload SSH Key.

  3. In the "Upload SSH Key" dialog, browse for a private key file and specify a name for this key.

  4. Click Save to save the uploaded key.

Add SSH Keys to TeamCity

Uploaded SSH keys are stored in the <TeamCity Data Directory>/config/projects/<project>/pluginData/ssh_keys directory. TeamCity tracks this directory so uploaded keys become available in the current project and its subprojects without the need to restart a server.

Generated SSH Keys

If you use GitHub Deploy Keys or similar authentication workflows, you can let TeamCity generate SSH keys instead of generating them manually. This approach is more secure (since generated keys are not stored on your local machine) and significantly faster. The latter is especially helpful if you re-generate and rotate SSH keys every once in a while.

  1. In Project Settings, click SSH Keys.

  2. Click the Generate SSH Key button.

    Generate SSH Key
  3. Enter the key name, select the key type, and click Generate.

  4. If you need a private or a public key for your new generated key:

    • A private key is stored in the Data Directory/config/projects/<parent project>/pluginData/ssh_keys directory.

    • A public key is accessible from the main SSH Keys page (click the Copy the public key link under a required key). Paste this key to your version control service (for example, in GitHub: "Repository settings | Deploy Keys | Add deploy key").

  5. Select the generated key in the Authentication Settings of your TeamCity VCS root. For your convenience, keys generated in TeamCity are placed in a separate category.

    Choose Generated Keys in VCS Auth Settings

Configure VCS Root Settings

Once required SSH keys are uploaded, modify the VCS Root settings to select a key that your project should use.

  1. Go to the Project Settings | VCS Roots page and click the required root.

  2. In the Authentication Settings section, click the required "Private Key" option:

    • Uploaded Key — select this option to utilize the key(s) uploaded to the project.

    • Default Private Key — select this option to utilize the keys available on the file system in the default locations used by common ssh tools: the mapping specified in <USER_HOME>/.ssh/config if the file exists or the private key file <USER_HOME>/.ssh/id_rsa (the files are required to be present on the server and also on the agent if the agent-side checkout is used).

    • Custom Private Key — supported only for server-side checkout. Fill the Private Key Path field with an absolute path to the private key file on the server machine. If the key is encrypted, specify the passphrase in the corresponding field.

Select an SSH key

Distribute SSH Keys to Build Agents

If you configure the agent-side checkout, the server passes SSH keys to agents. During a build, the Git plugin downloads the key from the server to the agent, and removes this key after git fetch/clone is complete.

To transfer the key from the server to the agent, TeamCity encrypts it with a DES symmetric cipher. For a more secure way, configure an HTTPS connection between agents and the server.

In addition to VCS roots, uploaded SSH keys can be used in SSH Agent build features. See this link for more information: SSH Agent.

REST API

TeamCity REST API allows external applications and scripts to access TeamCity resources via URLs. You can utilize this feature to upload SSH keys and customize VCS Root settings.

View Uploaded Keys

/app/rest/projects/<project_locator>/sshKeys

Upload New SSH Keys to a Project

/app/rest/projects/<project_locator>/sshKeys?fileName=<Key_Name>
  • Body: the contents of the private key file

  • Content-Type header: "text/plain"

Generate a New Key

/app/rest/projects/<project_locator>/sshKeys/generated?keyName=NewKey&keyType=RSA
  • keyName — any valid string that is your new key's name.

  • keyType — either "RSA" or "ED25519".

Set up VCS Authentication Settings

  • Switch the "Authentication method" to "Uploaded Key". Request body: "TEAMCITY_SSH_KEY".

    /app/rest/vcs-roots/<locator>/properties/authMethod
  • Select a particular SSH key. Request body: SSH key name.

    /app/rest/vcs-roots/<locator>/properties/teamcitySshKey
  • Specify a passphrase required by password-encrypted SSH keys. Request body: plain password string.

    /app/rest/vcs-roots/<locator>/properties/secure:passphrase

Delete a Key

/app/rest/projects/<project_locator>/sshKeys?fileName=<Key_Name>
Last modified: 10 May 2023