Using ssh-agent with docker on macOS

不思量自难忘° 2021-02-02 10:18

I would like to use ssh-agent to forward my keys into the docker image and pull from a private github repo.

I am using a slightly modified version of https://github.com/

8 Answers
  • 2021-02-02 10:25

    For me accessing ssh-agent to forward keys worked on OSX Mavericks and docker 1.5 as follows:

    1. ssh into the boot2docker VM with boot2docker ssh -A. Don't forget to use option -A which enables forwarding of the authentication agent connection.

    2. Inside the boot2docker ssh session:

      docker@boot2docker:~$ echo $SSH_AUTH_SOCK
      /tmp/ssh-BRLb99Y69U/agent.7750
      

    This session must be left open. Take note of the value of the SSH_AUTH_SOCK environmental variable.

    3. In another OS X terminal issue the docker run command with the SSH_AUTH_SOCK value from step 2 as follows:

      docker run --rm -t -i \
        -v /tmp/ssh-BRLb99Y69U/agent.7750:/ssh-agent \
        -e SSH_AUTH_SOCK=/ssh-agent my_image /bin/bash
      root@600d0e9b443d:/# ssh-add -l
      2048 6c:8e:82:08:74:33:78:61:f9:9a:74:1b:65:46:be:eb /Users/dev/.ssh/id_rsa (RSA)
      

    I don't really like the fact that I have to keep a boot2docker ssh session open to make this work, but until a better solution is found, this at least worked for me.

    0 Comments (0)
  • 2021-02-02 10:27

    Socket forwarding doesn't work on OS X yet. Here is a variation of @henrjk's answer brought into 2019 using Docker for Mac instead of boot2docker, which is now obsolete.

    1. First run an ssh server in the container, with /tmp being on the exportable volume, like this:

       docker run -v tmp:/tmp -v \
       ${HOME}/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro \
       -d -p 2222:22 arvindr226/alpine-ssh
      
    2. Then ssh into this container with agent forwarding

       ssh -A -p 2222 root@localhost
      
    3. Inside of that ssh session find out the current socket for ssh-agent

       3f53fa1f5452:~# echo $SSH_AUTH_SOCK
       /tmp/ssh-9zjJcSa3DM/agent.7
      
    4. Now you can run your real container. Just make sure to replace the value of SSH_AUTH_SOCK below, with the value you got in the step above

       docker run -it -v tmp:/tmp  \
       -e SSH_AUTH_SOCK=/tmp/ssh-9zjJcSa3DM/agent.7 \
       vladistan/ansible
      
    0 Comments (0)
  • 2021-02-02 10:29

    I ran into a similar issue, and was able to make things pretty seamless by using ssh in master mode with a control socket and wrapping it all in a script like this:

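    #!/bin/sh

    # Open a background master connection to the VM that runs Docker, with agent
    # forwarding (-A); ssh.socket is the control socket reused by the commands below.
    ssh -i ~/.vagrant.d/insecure_private_key -p 2222 -A -M -S ssh.socket -f docker@127.0.0.1 tail -f /dev/null

    # Read the path of the forwarded agent socket from the VM's environment.
    HOST_SSH_AUTH_SOCK=$(ssh -S ssh.socket docker@127.0.0.1 env | grep '^SSH_AUTH_SOCK=' | cut -d = -f 2-)

    # Bind-mount that socket into the container and point SSH_AUTH_SOCK at it.
    docker run -v "$HOST_SSH_AUTH_SOCK:/ssh-agent" \
           -e "SSH_AUTH_SOCK=/ssh-agent" \
           -t hello-world "$@"

    # Close the master connection.
    ssh -S ssh.socket -O exit docker@127.0.0.1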
    

    Not the prettiest thing in the universe, but much better than manually keeping an SSH session open IMO.

    0 Comments (0)
  • 2021-02-02 10:30

    A one-liner:

    Here’s how to set it up on Ubuntu 16 running a Debian Jessie image:

    # Mount the directory that holds the agent socket at the same path in the container.
    docker run --rm -it --name container_name \
    -v "$(dirname "$SSH_AUTH_SOCK")":"$(dirname "$SSH_AUTH_SOCK")" \
    -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" my_image
    

    https://techtip.tech.blog/2016/12/04/using-ssh-agent-forwarding-with-a-docker-container/

    0 Comments (0)
  • 2021-02-02 10:30

    Could not open a connection to your authentication agent.

    This error occurs when $SSH_AUTH_SOCK env var is set incorrectly on the host or not set at all. There are various workarounds you could try. My suggestion, however, is to dual-boot Linux and macOS.

    Additional resources:

    • Using SSH keys inside docker container - Related Question
    • SSH and docker-compose - Blog post
    • Build secrets and SSH forwarding in Docker 18.09 - Blog post
    0 Comments (0)
  • 2021-02-02 10:39

    Since version 2.2.0.0, Docker for macOS allows users to access the host’s SSH agent inside containers.

    Here's an example command that lets you do it:

    docker run --rm -it \
    -v /run/host-services/ssh-auth.sock:/ssh-agent \
    -e SSH_AUTH_SOCK="/ssh-agent" \
    my_image
    

    Note that you have to mount the specific path (/run/host-services/ssh-auth.sock) instead of the path contained in the $SSH_AUTH_SOCK environment variable, like you would do on Linux hosts.

    0 Comments (0)
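
The difference the last answer describes (Docker for macOS 2.2.0.0 and later mounts the fixed path /run/host-services/ssh-auth.sock, while a Linux host mounts the path in $SSH_AUTH_SOCK) can be wrapped in one launcher that also catches the unset-variable case from the "Could not open a connection" answer. This is an added example, not code from any of the answers; the function names agent_socket_source and run_with_agent and the /ssh-agent target path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the host-side agent socket to bind-mount, by host OS.

DOCKER_DESKTOP_SOCK=/run/host-services/ssh-auth.sock  # path given in the last answer
CONTAINER_SOCK=/ssh-agent                              # assumed target path in the container

# agent_socket_source OS [SSH_AUTH_SOCK]
# Prints the path to pass as the source of "docker run -v".
# Returns 1 when no usable agent socket is found, 2 for an unsupported host OS.
agent_socket_source() {
    os=$1
    sock=${2:-}
    case $os in
        Darwin)
            # Docker Desktop provides this path itself; it is not a file on the
            # Mac, so the host's own SSH_AUTH_SOCK value is deliberately ignored.
            src=$DOCKER_DESKTOP_SOCK
            ;;
        Linux)
            if [ -z "$sock" ]; then
                echo "SSH_AUTH_SOCK is not set; no agent to forward" >&2
                return 1
            fi
            if [ ! -S "$sock" ]; then
                echo "SSH_AUTH_SOCK=$sock is not a socket" >&2
                return 1
            fi
            src=$sock
            ;;
        *)
            echo "unsupported host OS: $os" >&2
            return 2
            ;;
    esac
    printf '%s\n' "$src"
}

# run_with_agent IMAGE [COMMAND...]
# Example: run_with_agent my_image ssh-add -l
run_with_agent() {
    src=$(agent_socket_source "$(uname -s)" "${SSH_AUTH_SOCK:-}") || return
    docker run --rm -it \
        -v "$src:$CONTAINER_SOCK" \
        -e "SSH_AUTH_SOCK=$CONTAINER_SOCK" \
        "$@"
}
```

Only the agent socket is mounted, so private key files never enter the container; the container can still request signatures from every key loaded in the agent for as long as it runs.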