How to add an SSH passphrase to Docker and remove it after it was used?
The problem sounds elementary in its nature but I cannot find a secure and simple solution.

The issue is the following, I have a project and I want to pull dependencies from private git repos to build a runtime environment and remove both SSH key and SSH passphrase afterward. I cannot skip passphrase as it is enforced by git remote repos.

  1. I struggle to pass the SSH passphrase so that SSH won't ask for a passphrase
  2. I struggle to understand how to do it securely

The question is: how can I do it so that the approach is also secure?

I am operating in Docker and potentially can install any open-source software on it.

Benetta answered 23/9, 2020 at 8:27 Comment(6)
What I generally do is drop the passphrase, clone the repo, put the passphrase back in place. I think you made it clear that your remote has enforced the use of a passphrase, so you cannot drop it and clone? Is my understanding correct? - Biflagellate
Yes, it is exactly the problem. It is enforced, so I have to overcome it. I am also not in control of the organization's policies. - Benetta
I tend to run all git operations outside of Docker space. That avoids the problem of getting a key into the image, and the possibility of leaking it; it lets me build an arbitrary branch, or working code; and it avoids trouble where Docker will not repeat a RUN git clone line believing it to be idempotent. - Tierratiersten
@DavidMaze It wouldn't work in my case, because the SSH connection is to build project dependencies that are in Git. It would mean that I will need to build a project with all dependencies outside, but native environments in the local machine, cloud, and CI/CD pipeline may be different, so I won't use the power of Docker in that case at all. It puts the usage of Docker into question, and Docker is not something I can drop in this project. - Benetta
Put the Dockerfile and other artifacts in the repositories themselves. git clone ... && docker build. You will still get consistent results from a consistent source tree. - Tierratiersten
With BuildKit enabled you can forward connections to the ssh-agent during the build. Clone repos i.e.: RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject - Token

With buildkit enabled:

The docker build has a --ssh option to allow the Docker Engine to forward SSH agent connections.

You can ssh-add your private keys to a ssh-agent.

From the ssh-add man pages:

If any file requires a passphrase, ssh-add asks for the passphrase from the user.

From the ssh-agent man pages:

The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.

The ssh-agent will never send a private key over its request channel. ...

Example Dockerfile from the doc:

# syntax=docker/dockerfile:experimental
# (the "experimental" frontend was needed in 2020; docker/dockerfile:1 provides
# --mount=type=ssh in current releases)
FROM alpine

# Install ssh client and git
RUN apk add --no-cache openssh-client git

# Pin the host key for github.com so the clone does not prompt for it.
# The directory needs 0700 (the doc's 0600 only works because root ignores
# directory permissions).
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

# Clone private repository over the forwarded agent socket; the key itself
# never enters the image
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject

Build the image: docker build --ssh default .

Token answered 23/9, 2020 at 21:15 Comment(2)
There is a single note to it: on Windows, default doesn't work, so you need to specify the full path default=C:/.ssh/id_rsa (or your id_rsa file location). - Benetta
Although this is a bit off the mark, I wanted to share this documentation: docs.docker.com/desktop/networking/#ssh-agent-forwarding I stumbled upon this question looking for a solution to mounting host SSH capabilities for a docker run command. This doc helped! - Peria
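The answer above works because the passphrase is only ever typed into ssh-add on the host and the build receives nothing but the agent socket. The script below is an added example (not from the answer, the question, or Docker's documentation) that makes the difference concrete: a small linter that flags the Dockerfile patterns which bake a key or passphrase into an image, run over two constructed Dockerfiles (the naive COPY/ARG layout and the agent-forwarding layout from the answer), plus the host-side build flow as a function. The key path default, the image tag and the sample Dockerfiles are assumptions; docker/dockerfile:1 is the current name of the frontend the answer calls "experimental".

```shell
#!/bin/sh
# Added example, not part of the original answer or of Docker's documentation.
# Assumed: POSIX sh and grep -E; docker with BuildKit is only needed for
# build_with_agent, which the lint part never calls.

# Constructed sample: the naive layout the question is trying to avoid. The
# `rm` runs in a later layer than the COPY, so the key persists in the image.
UNSAFE_DOCKERFILE='FROM alpine
RUN apk add --no-cache openssh-client git
ARG SSH_PASSPHRASE
COPY id_rsa /root/.ssh/id_rsa
RUN git clone git@github.com:myorg/myproject.git myproject && rm /root/.ssh/id_rsa'

# Constructed sample: the agent-forwarding pattern from the answer
# (docker/dockerfile:1 is the current name of the "experimental" syntax).
SAFE_DOCKERFILE='# syntax=docker/dockerfile:1
FROM alpine
RUN apk add --no-cache openssh-client git
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject'

# lint_dockerfile DOCKERFILE_TEXT
# Prints each finding on stderr and the number of findings on stdout.
lint_dockerfile() {
    text="$1"
    findings=0
    # A private key copied into any layer stays in the image no matter what a
    # later RUN deletes; `docker save` or `docker history` hands it back.
    if printf '%s\n' "$text" | grep -Eiq '^(COPY|ADD)[[:space:]].*(id_(rsa|ed25519|ecdsa|dsa)|\.ssh)'; then
        echo "FINDING: private key copied into an image layer" >&2
        findings=$((findings + 1))
    fi
    # ARG and ENV values are recorded in the image config and build history.
    if printf '%s\n' "$text" | grep -Eiq '^(ARG|ENV)[[:space:]]+[A-Za-z_]*(PASSPHRASE|PASSWORD|SECRET)'; then
        echo "FINDING: passphrase passed via ARG/ENV (visible in image metadata)" >&2
        findings=$((findings + 1))
    fi
    # git over SSH inside a RUN step needs the agent socket; without the mount
    # the only way to make it work is to put the key in the image.
    if printf '%s\n' "$text" | grep -Eq 'git (clone|fetch|pull)' \
       && ! printf '%s\n' "$text" | grep -q -e '--mount=type=ssh'; then
        echo "FINDING: git over SSH in a RUN step without --mount=type=ssh" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# build_with_agent [KEY_PATH] [IMAGE_TAG]
# The host-side flow from the answer: the passphrase is typed once into
# ssh-add on the host; the build only ever sees the agent socket, so neither
# the key nor the passphrase is written to a layer. The unlocked identity is
# dropped from the agent as soon as the build finishes.
build_with_agent() {
    key="${1:-$HOME/.ssh/id_ed25519}"       # assumed default key location
    tag="${2:-myproject:latest}"            # assumed image tag
    eval "$(ssh-agent -s)" >/dev/null       # agent for this shell only
    ssh-add "$key"                          # the passphrase prompt happens here
    DOCKER_BUILDKIT=1 docker build --ssh default -t "$tag" .
    status=$?
    ssh-add -D >/dev/null 2>&1              # forget the unlocked identity
    ssh-agent -k >/dev/null                 # stop the agent
    return "$status"
}

echo "unsafe Dockerfile findings: $(lint_dockerfile "$UNSAFE_DOCKERFILE")"
echo "safe Dockerfile findings:   $(lint_dockerfile "$SAFE_DOCKERFILE")"
```

Running the script reports three findings for the naive Dockerfile and none for the agent-forwarding one. After a real build with build_with_agent, `docker run --rm myproject:latest ls -a /root/.ssh` should show only known_hosts, which is the check that the key never reached the image.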
