SSH agent forwarding to Docker Alpine container from Mac OS
Okay so for several projects I need to access my private repositories, so I'd like to forward the host's SSH Agent to the container to allow retrieving from these private repositories. Eventually I would like to implement this in docker-compose.

I've found a lot of answers and solutions pointing to something like this:

docker run --rm -t -i \
-v $SSH_AUTH_SOCK:/ssh-agent \
-e SSH_AUTH_SOCK=/ssh-agent \
alpine:3.6 sh

But when I run ssh-add -l inside there (after making sure openssh is installed), I get the following error:

Error connecting to agent: Connection refused

Also tried this within my docker compose setup but it doesn't seem to work like it should. Due to most posts and solutions being several years old I hope someone can help me with accurate up-to-date info.

Clypeate answered 16/11, 2017 at 16:33 Comment(0)

According to this issue you can forward your macOS ssh-agent to your docker container by adding -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" options to your docker run command, e.g.

docker run --rm -it \
-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
-e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" \
docker_image
Warford answered 6/2, 2020 at 15:35 Comment(4)
Can anyone confirm that this works on macOS? I tried it and it doesn't seem to work for me. (Bough)
It didn't work for me, but this worked: github.com/nardeas/ssh-agent (Lawrence)
It worked for me on macOS 13.6 with M2 Silicon, using Docker Desktop 4.24.2 (124339). There was NO path named /run/... on my local machine. These values are somehow replaced by Docker Desktop, I guess? (Casuist)
It has worked for me too. Docker Desktop version 4.26.1, Apple M1 chip, macOS version 13.4.1. Though no path is named /run/host-services/ssh-auth.sock. (Yancey)
  1. Add keys to the launchd-managed ssh-agent:
SSH_AUTH_SOCK=`launchctl getenv SSH_AUTH_SOCK` ssh-add
  2. Forward the launchd-managed ssh-agent to the docker container:
docker run --rm -it \
-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro \
-e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" \
image ssh hosts

The mount option and the SSH_AUTH_SOCK value in the container are all magic constants; do not change them.

  3. launchctl getenv SSH_AUTH_SOCK may output an empty string on iTerm2 3.2+ due to a bug. The workaround is one of:
  • A portable way for newer OS (>=10.13, i.e. macOS High Sierra) is launchctl asuser $UID launchctl getenv SSH_AUTH_SOCK, or
  • For older OS, in iTerm2 > Prefs > Advanced, turn on "Enable multi-server daemon", or
  • For older OS, in iTerm2 > Prefs > Advanced, turn off "Allow sessions to survive logging out and back in".

NOTE: if the launchctl problem cannot be worked around, there is another way of forwarding the ssh agent via a stdio tunnel.

Borborygmus answered 23/9, 2020 at 8:15 Comment(7)
Thanks for leaving an answer to this question. Can you share the version of your operating system and which Docker software and version you are running on it? (Massimo)
OS: macOS 11.0.1, Docker: 20.10.0 (Borborygmus)
Thanks. Is this Docker for Mac or are you running it with a different virtual machine? (Massimo)
Docker for Mac 3.0.0 (Borborygmus)
The portable solution works great for me without needing to fiddle with iTerm! Great answer! (Mien)
ls: cannot access '/run/host-services/ssh-auth.sock': No such file or directory. macOS 14.1.2 (Saporific)
@Saporific '/run/host-services/ssh-auth.sock' is a path in the virtual machine of Docker Desktop, not the host OS, so you cannot ls this path in the host OS shell. Just mount this path; docker ultimately runs in the virtual machine and then mounts the correct pipeline into the resulting container. (Borborygmus)
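The recipe in the two answers above, wrapped in a small script as an added example (this is not code from the question or from any answer). It assumes, as those answers state, that Docker Desktop for Mac exposes the host ssh-agent inside its Linux VM at the fixed path /run/host-services/ssh-auth.sock, that the image used for the check is Alpine-based (so openssh-client can be installed with apk), and that the `DOCKER` variable is a hypothetical override so the docker invocation can be stubbed in a dry run. The check maps the exit status of `ssh-add -l` to a diagnosis, which separates "agent unreachable" (the Connection refused symptom in the question) from "agent reachable but no keys loaded".

```shell
#!/bin/sh
# Added example, not code from the question or any answer: the Docker Desktop
# for Mac agent-forwarding recipe above, wrapped in functions with a check.
# Assumes Docker Desktop exposes the host ssh-agent inside its Linux VM at the
# fixed path below, and an Alpine-based image for the verification step.

AGENT_PATH=/run/host-services/ssh-auth.sock   # fixed path provided by Docker Desktop
DOCKER="${DOCKER:-docker}"                    # hypothetical override so runs can be stubbed

# Find the launchd-managed agent socket on the host. On iTerm2 3.2+ the plain
# getenv may print an empty string, so fall back to the `launchctl asuser` form.
host_agent_sock() {
    sock=$(launchctl getenv SSH_AUTH_SOCK 2>/dev/null || true)
    if [ -z "$sock" ]; then
        sock=$(launchctl asuser "$(id -u)" launchctl getenv SSH_AUTH_SOCK 2>/dev/null || true)
    fi
    printf '%s\n' "$sock"
}

# Interactive shell (or another command) in a container with the agent forwarded.
# `:ro` stops the container from unlinking or replacing the socket file; it does
# not limit what the container may ask the agent to sign, so forward the agent
# only into images you trust.
agent_shell() {
    image=$1; shift
    if [ $# -eq 0 ]; then set -- sh; fi
    $DOCKER run --rm -it \
        -v "$AGENT_PATH:$AGENT_PATH:ro" \
        -e "SSH_AUTH_SOCK=$AGENT_PATH" \
        "$image" "$@"
}

# Map the exit status of `ssh-add -l` to a diagnosis: 0 lists keys, 1 means the
# agent answered but holds no keys, 2 means it could not contact the agent (the
# "Connection refused" symptom in the question).
classify_ssh_add_status() {
    case "$1" in
        0) echo "ok: agent reachable, keys loaded" ;;
        1) echo "warn: agent reachable but holds no keys (run ssh-add on the host first)" ;;
        2) echo "error: agent socket not reachable from the container" ;;
        *) echo "error: unexpected exit status $1" ;;
    esac
}

# Run the check in a throwaway container (no TTY, so usable from scripts and CI).
# Alpine ships without ssh-add, so openssh-client is installed first; if that
# install fails, its own non-zero status is what gets reported.
verify_agent_in_container() {
    image=${1:-alpine:3.6}
    status=0
    $DOCKER run --rm \
        -v "$AGENT_PATH:$AGENT_PATH:ro" \
        -e "SSH_AUTH_SOCK=$AGENT_PATH" \
        "$image" sh -c 'apk add --no-cache openssh-client >/dev/null && ssh-add -l' \
        || status=$?
    classify_ssh_add_status "$status"
}

# Usage: sh forward_agent.sh --check [image]
if [ "${1:-}" = "--check" ]; then
    echo "host agent socket: $(host_agent_sock)"
    verify_agent_in_container "${2:-alpine:3.6}"
fi
```

The same two settings carry over to the docker-compose setup the question asks about: the bind mount becomes a `volumes:` entry of `/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro` and the variable an `environment:` entry of `SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock` on the service that needs the private repositories. Run `ssh-add` on the host first, since a forwarded agent with no loaded keys fails the clone just as an unreachable one does, only with a different message.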

You can mount files, but not sockets - sharing sockets between MacOS through the hypervisor into docker containers is something that isn't supported yet. Various bug reports and acknowledgements exist, and some day it should work.

So in the meantime, you need to have something that forwards network traffic between the container and MacOS. One of the solutions that people point out is docker-ssh-agent-forward.

A different solution would be to run ssh-agent in a container and to access that from MacOS and the other containers - it's probably a bit more invasive but works. A solution is docker-ssh-agent.

Warmhearted answered 17/11, 2017 at 16:45 Comment(2)
Another solution would be to use ngrok: ngrok.com. You can run it from within the container using ngrok tcp 22, and it will generate/expose a public FQDN that you can use to connect directly to the container. (Limonene)
The posted docker-ssh-agent-forward has not been updated for over 7 years now. If you, like me, just search for a working solution, you can try github.com/uber-common/docker-ssh-agent-forward. It's a fork of this one and worked right out of the box for me. (Saporific)
