/run/host-services/ssh-auth.sock does not respect $SSH_AUTH_SOCK #4242
Comments
I am in exactly the same situation: on a Mac, trying to use a gpg-agent with a key in a YubiKey.

Same here, although I'm trying to forward the agent to use it for SSH auth against a private Git repo.

We solved the issue today. It was as simple as sticking 100% to the Docker docs to forward the ssh-agent into the container. Use exactly the volume definitions and don't change the paths. For some reason it has to be like that. Maybe this helps you too, even though our problems were slightly different: https://docs.docker.com/docker-for-mac/osxfs/#ssh-agent-forwarding
Note: the ssh-agent needs to be started beforehand (

@Dakicka I don't use macOS anymore, but that sounds like a different issue. Sure, if you've already got a running ssh-agent, Docker will be able to reuse it, but if you are using a foreign SSH agent protocol implementation, e.g. the one provided by GnuPG, AFAIK Docker is not able to forward it at the moment.

Just wanted to say "me too" on this issue. It looks like Docker's SSH agent forwarding support only forwards the real ssh-agent, not whatever you have specified in SSH_AUTH_SOCK. I can work around it for now by using another key, but my office's standard is to use the GPG/YubiKey SSH agent.
For me the documented way only works when I start Docker from my shell, using
And if Docker is started from the shell, it only works as root inside the container; being a non-root user gives me:
Which makes sense, as it belongs to root:
The solution with a hardcoded path doesn't look ideal, because it needs modifications to cross-platform docker-compose files. And yes, it does not respect my active agent. I have a few agents on my machine and want to control which one is used in the container. The next undocumented thing is how to add keys from the host machine. Then I can
And then, after a container restart, my container can use my keys to do its job.

Also I faced a permission problem with the socket file. My container runs with a non-root user and
So to fix this problem I did the following:
And it solves the problem.

In order to change the rights of
Following the exact docker-compose instructions from ssh-agent-forwarding, I don't understand why it seems to have no effect. I am trying to clone a private Git repository in the container. On the host:
but in the container:
Edit: At least one issue was that on Mac, I was manually trying to start ssh agents on the host with
Thank you @kdambekalns for sharing the idea of starting Docker for Mac from the terminal, this solved my issue! So basically, the very first step was to ensure I have one and only one running

```bash
##### START Fix for ssh-agent #####
# Ref: http://mah.everybody.org/docs/ssh
SSH_ENV="$HOME/.ssh/environment"

function start_agent {
    echo "Initialising new SSH agent..."
    # Save the agent's "export SSH_AUTH_SOCK/SSH_AGENT_PID" lines, with its echo commented out
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin, so grep the process table instead
    ps -ef | grep "${SSH_AGENT_PID}" | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi
##### END Fix for ssh-agent #####
```

Then I had to kill all the running
And create a new session which started an
Then start Docker in a separate terminal with
After Docker has started, I could start my
Thank you so much 🎉
A portable way without knowing the magic path:

```bash
macos_ssh_agent_ops=(
  -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro
  -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock
)

# only input the password for the first time
docker run "${macos_ssh_agent_ops[@]}" --rm -it \
  -v /path/id_rsa:/id_rsa:ro \
  -v /path/id_rsa.pub:/id_rsa.pub:ro \
  image-with-ssh-add \
  ssh-add /id_rsa

# reuse the agent from /run/host-services/ssh-auth.sock
docker run "${macos_ssh_agent_ops[@]}" --rm -it image-with-ssh ssh a-host-fqdn
```

The magic ssh-agent is replacing the named container in other ssh-agent sharing methods, and providing a global shared ssh-agent namespace.
The macOS native way to get the system auth agent:

```sh
launchctl getenv SSH_AUTH_SOCK                              # print the magic socket path
SSH_AUTH_SOCK=`launchctl getenv SSH_AUTH_SOCK` ssh-add -l   # list keys
```

```sh
export SSH_AUTH_SOCK=`launchctl getenv SSH_AUTH_SOCK`
```
is slightly easier
On old iTerm2,
Another YubiKey +
The main problem is that macOS provides a default
The solution is quite simple and a bit hacky at the same time: solve the above mess by having only one
First, create a custom launch agent

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>gpg-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/MacGPG2/bin/gpgconf</string>
        <string>--launch</string>
        <string>gpg-agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

This will automatically launch the GPG agent.

Second, overwrite and kinda ruin that default macOS SSH agent (it shouldn't be a real problem since we are going to replace it with the GPG agent SSH solution anyway) by creating another

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>link-ssh-auth-sock</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

Now it's time to remove that custom
Reboot and verify:
Works for me with VS Code Remote Containers inside Docker. Heavily inspired by this.
@deepsweet Your solution partially worked for me. I was able to call I'm running macOS Big Sur, gpg 2.2.27 locally and gpg 2.2.12 on the remote. I'm mounting Permissions on the local S.gpg-agent.extra socket are 700, owned by the local user (id=501) and local group (id=20). |
@cameri I believe that you should also SSH-forward agent to the remote in addition to |
From the discussion in ChrisJohnsen/tmux-MacOSX-pasteboard#78 (comment), the portable way (with different terms, and within/without tmux) to get

```sh
export SSH_AUTH_SOCK=`launchctl asuser "${UID:-"$(id -u)"}" launchctl getenv SSH_AUTH_SOCK`
```
Original report

Diagnostics ID: D2C80A94-78DD-4FCA-BF2F-25831CF64FD8/20200130025252

Expected behavior

The SSH agent socket specified via the environment variable SSH_AUTH_SOCK is forwarded to containers when using `--env SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock`.

Actual behavior

Docker brings up a new ssh-agent and tries to read identities through it.

Information

Diagnostic logs: it only shows "Diagnose succeeded", though? Anyway, I'm using 2.2.0.0.

Steps to reproduce the behavior

1. `sudo mount -uw /`
2. Edit `/etc/bashrc` or `/etc/zshrc` (depending on which login shell you are using) and add the following lines to the end of the file:
3. `docker run --rm --tty --interactive --env SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock debian bash`
4. `apt update; apt install -y openssh-client; ssh-add -l;` and it shows "The agent has no identities."
5. With `ps aux | grep ssh-agent`, a process `/usr/bin/ssh-agent -l` can be seen.

This is particularly annoying to me as I'm using a YubiKey and it's impossible for me to export my keys to ssh-agent.

Related: #410 #483
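The two failure modes described in this report and in the comments above, "The agent has no identities." and a socket the container user is not allowed to open, can be checked at the protocol level without installing openssh-client. The script below is an added example written for this page, not code from Docker or from anyone in the thread: it sends the ssh-agent protocol's identities request to a Unix socket and parses the answer, and it reports the socket's owner and mode together with whether a given uid/gid could connect. The fake agent, socket paths, key comment and dummy key blobs are constructed here so that the demo runs offline; point `list_agent_identities` at a real path (the `SSH_AUTH_SOCK` inside a container, or `$HOME/.gnupg/S.gpg-agent.ssh` on the host) to see which agent that path actually leads to.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# ssh-agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        buf += chunk
    return buf

def _ssh_string(data):  # SSH wire 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def _read_string(data, offset):
    (length,) = struct.unpack(">I", data[offset:offset + 4])
    return data[offset + 4:offset + 4 + length], offset + 4 + length

def describe_socket(path, uid=None, gid=None):
    """Owner/mode of the socket and whether uid/gid may connect: connect() needs write
    permission on the socket inode, so a root-owned 0600 socket fails for non-root."""
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        can_connect = True
    elif st.st_uid == uid:
        can_connect = bool(mode & stat.S_IWUSR)
    elif st.st_gid == gid:
        can_connect = bool(mode & stat.S_IWGRP)
    else:
        can_connect = bool(mode & stat.S_IWOTH)
    return {"owner_uid": st.st_uid, "mode": oct(mode), "can_connect": can_connect}

def list_agent_identities(path):
    """Send SSH_AGENTC_REQUEST_IDENTITIES; return [(key_type, comment), ...].
    An empty list is what `ssh-add -l` prints as 'The agent has no identities.'"""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(_ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        reply = _recv_exact(sock, length)
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:  # e.g. SSH_AGENT_FAILURE (5)
        raise RuntimeError(f"unexpected agent message type {reply[0]}")
    (count,) = struct.unpack(">I", reply[1:5])
    offset, identities = 5, []
    for _ in range(count):
        blob, offset = _read_string(reply, offset)
        comment, offset = _read_string(reply, offset)
        key_type, _ = _read_string(blob, 0)  # a public key blob starts with its type name
        identities.append((key_type.decode(), comment.decode(errors="replace")))
    return identities

def start_fake_agent(path, identities):
    """Constructed stand-in for ssh-agent/gpg-agent, offline demo only: answers one
    identities request with dummy key blobs, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            (length,) = struct.unpack(">I", _recv_exact(conn, 4))
            _recv_exact(conn, length)  # request body; only identities requests are expected
            body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
            for key_type, comment in identities:
                blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * 32)
                body += _ssh_string(blob) + _ssh_string(comment.encode())
            conn.sendall(_ssh_string(body))
    threading.Thread(target=serve, daemon=True).start()

def demo():
    """Probe a populated agent, an empty one, and a 0600 socket as seen from another uid."""
    workdir = tempfile.mkdtemp()  # constructed paths, not the real Docker/GnuPG sockets
    yubikey_sock = os.path.join(workdir, "S.gpg-agent.ssh")
    empty_sock = os.path.join(workdir, "ssh-auth.sock")
    start_fake_agent(yubikey_sock, [("ssh-ed25519", "cardno:000000000000")])
    start_fake_agent(empty_sock, [])
    result = {"yubikey": list_agent_identities(yubikey_sock),
              "empty": list_agent_identities(empty_sock)}
    os.chmod(empty_sock, 0o600)  # what the root-owned socket looks like to a non-root user
    result["other_user_can_connect"] = describe_socket(
        empty_sock, uid=os.getuid() + 1, gid=os.getgid() + 1)["can_connect"]
    return result

if __name__ == "__main__":
    print(demo())
```

Inside a container, `describe_socket(os.environ["SSH_AUTH_SOCK"])` tells you before any SSH attempt whether the mounted socket is reachable for the current user, and `list_agent_identities` on the same path shows whether the agent behind it is the one holding your keys or a freshly started empty one; the same probe run on the host against `launchctl getenv SSH_AUTH_SOCK` and against the GnuPG socket makes the difference between the two agents visible.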