36

I would like to use ssh-agent to forward my keys into the docker image and pull from a private github repo.

I am using a slightly modified version of https://github.com/phusion/passenger-docker with boot2docker on Yosemite.

ssh-add -l
...key details
boot2docker up

Then I use the command which I have seen in a number of places (i.e. https://gist.github.com/d11wtq/8699521):

docker run --rm -t -i -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent my_image /bin/bash

However, it doesn't seem to work:

root@299212f6fee3:/# ssh-add -l
Could not open a connection to your authentication agent.

root@299212f6fee3:/# eval `ssh-agent -s`
Agent pid 19

root@299212f6fee3:/# ssh-add -l
The agent has no identities.

root@299212f6fee3:/# ssh git@github.com
Warning: Permanently added the RSA host key for IP address '192.30.252.128' to the list of known hosts.
Permission denied (publickey).
vhs
Paul Odeon

8 Answers

25

Since version 2.2.0.0, Docker for macOS allows users to access the host’s SSH agent inside containers.

Here's an example command that lets you do it:

docker run --rm -it \
-v /run/host-services/ssh-auth.sock:/ssh-agent \
-e SSH_AUTH_SOCK="/ssh-agent" \
my_image

Note that you have to mount the specific path (/run/host-services/ssh-auth.sock) instead of the path contained in the $SSH_AUTH_SOCK environment variable, like you would do on Linux hosts.

Jakub Kukul
  • 2
    After more digging: works only if the user inside the container is root, I think (otherwise he cannot access the socket in the VM) – Denis R. Mar 27 '20 at 08:38
  • 3
    On my macOS Big Sur there's no such path `/run/host-services`. Why? Should I install something? – Salivan Sep 06 '21 at 16:07
  • 2
    @Salivan I also don't have this path myself. This is a "magic" mount - docker knows how to handle this path when it sees it. Did you try it out? – Jakub Kukul Sep 07 '21 at 17:31
  • 1
    @JakubKukul yep, and it worked. Why isn't it documented anywhere? Or at least my google isn't able to find the documentation where this is mentioned. – Salivan Sep 07 '21 at 19:11
  • 2
    @Salivan Ideally this should be documented somewhere, yes. I found out about it by following this GitHub issue's thread: https://github.com/docker/for-mac/issues/410 – Jakub Kukul Sep 08 '21 at 13:38
  • 1
    Here's the doc as of today https://docs.docker.com/desktop/networking/#ssh-agent-forwarding – Alessandro Fazzi Mar 30 '23 at 09:24
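A host-side wrapper, added here as an example and not code from any of the answers, that ties the two host cases together: it uses Docker Desktop's magic socket path on macOS (as in the accepted answer) or bind-mounts $SSH_AUTH_SOCK on Linux, refuses to start when the Linux socket is missing (the cause of the empty `:/ssh-agent` volume spec error in the comments), and decodes the `ssh-add -l` exit statuses seen in the question. The script name docker-run-ssh.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. Picks the right
# agent-socket mount for `docker run` per host OS, checks the host socket first
# so the container does not start with a dangling /ssh-agent path, and decodes
# the ssh-add exit codes seen in the question.
# Assumptions: Docker Desktop's /run/host-services/ssh-auth.sock path on macOS
# (from the accepted answer); a plain bind mount of $SSH_AUTH_SOCK on Linux.

CONTAINER_SOCK=/ssh-agent   # path inside the container; SSH_AUTH_SOCK must match

# Print the `-v ... -e ...` arguments for host OS $1 ("Darwin" or "Linux") and
# host agent socket $2. Returns 1 for any other OS.
agent_mount_args() {
    case "$1" in
        Darwin)  # Docker Desktop: mount the VM-side socket, not $SSH_AUTH_SOCK
            printf '%s\n' "-v /run/host-services/ssh-auth.sock:$CONTAINER_SOCK -e SSH_AUTH_SOCK=$CONTAINER_SOCK" ;;
        Linux)   # same kernel as the container: bind-mount the host socket
            printf '%s\n' "-v $2:$CONTAINER_SOCK -e SSH_AUTH_SOCK=$CONTAINER_SOCK" ;;
        *)       return 1 ;;
    esac
}

# True only if $1 is non-empty and names an existing Unix socket on this host.
host_agent_ok() { [ -n "$1" ] && [ -S "$1" ]; }

# Map the exit status of `ssh-add -l` (run inside the container) to the
# situations in the question: 0 = keys listed, 1 = agent reachable but empty,
# 2 = could not connect to the agent (socket not mounted or dead).
explain_ssh_add_rc() {
    case "$1" in
        0) echo "agent forwarded, identities available" ;;
        1) echo "agent reachable but has no identities: run ssh-add on the host" ;;
        2) echo "no agent connection: SSH_AUTH_SOCK socket not mounted or wrong path" ;;
        *) echo "unexpected ssh-add status $1" ;;
    esac
}

run_with_agent() {
    os=$(uname -s)
    if [ "$os" = Linux ] && ! host_agent_ok "$SSH_AUTH_SOCK"; then
        echo "no usable agent socket at '$SSH_AUTH_SOCK'; start ssh-agent and ssh-add first" >&2
        return 1
    fi
    args=$(agent_mount_args "$os" "$SSH_AUTH_SOCK") || { echo "unsupported host OS: $os" >&2; return 1; }
    # shellcheck disable=SC2086  # splitting $args into separate flags is intended
    docker run --rm -it $args "$@"
}

# Usage: ./docker-run-ssh.sh my_image /bin/bash   (then run `ssh-add -l` inside)
if [ "$#" -gt 0 ]; then run_with_agent "$@"; fi
```

Inside the container, `ssh-add -l; explain_ssh_add_rc $?` tells you which of the three states from the question you are in.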
7

A one-liner:

Here’s how to set it up on Ubuntu 16 running a Debian Jessie image:

docker run --rm -it --name container_name \
-v $(dirname $SSH_AUTH_SOCK):$(dirname $SSH_AUTH_SOCK) \
-e SSH_AUTH_SOCK=$SSH_AUTH_SOCK my_image

https://techtip.tech.blog/2016/12/04/using-ssh-agent-forwarding-with-a-docker-container/

Nissa
MJ1
  • 1
    This looks very promising, but on OS X I'm getting a `Permission denied (publickey).` error. Perhaps it's because on non-Linux hosts Docker is running in its own VM? – Tad Lispy Mar 26 '18 at 15:33
4

I expanded on @willwilson's answer, and created a script that will set up agent forwarding in an OSX boot2docker environment.

https://gist.github.com/rcoup/53e8dee9f5ea27a51855

#!/bin/bash

# Use a unique ssh socket name per-invocation of this script
SSH_SOCK=boot2docker.$$.ssh.socket

# ssh into boot2docker with agent forwarding
ssh -i ~/.ssh/id_boot2docker \
    -o StrictHostKeyChecking=no \
    -o IdentitiesOnly=yes \
    -o UserKnownHostsFile=/dev/null \
    -o LogLevel=quiet \
    -p 2022 docker@localhost \
    -A -M -S $SSH_SOCK -f -n \
    tail -f /dev/null

# get the agent socket path from the boot2docker vm
B2D_AGENT_SOCK=$(ssh -S $SSH_SOCK docker@localhost echo \$SSH_AUTH_SOCK)

# mount the socket (from the boot2docker vm) onto the docker container
# and set the ssh agent environment variable so ssh tools pick it up
docker run \
    -v $B2D_AGENT_SOCK:/ssh-agent \
    -e "SSH_AUTH_SOCK=/ssh-agent" \
    "$@"

# we're done; kill off the boot2docker ssh agent
ssh -S $SSH_SOCK -O exit docker@localhost

Stick it in ~/bin/docker-run-ssh, chmod +x it, and use docker-run-ssh instead of docker run.

rcoup
  • 3
    I created a version that works with docker-machine, now that Docker is recommending against using boot2docker. https://gist.github.com/leedm777/923706741c8296869e7d – leedm777 Aug 12 '15 at 15:30
  • 1
    dave - have you tried using this with docker-compose? Not sure how to modify your example to work with statically defined environment variables in docker-compose.yml. – Bryce Aug 31 '15 at 18:18
1

For me accessing ssh-agent to forward keys worked on OSX Mavericks and docker 1.5 as follows:

  1. ssh into the boot2docker VM with boot2docker ssh -A. Don't forget to use option -A, which enables forwarding of the authentication agent connection.

  2. Inside the boot2docker ssh session:

    docker@boot2docker:~$ echo $SSH_AUTH_SOCK
    /tmp/ssh-BRLb99Y69U/agent.7750

This session must be left open. Take note of the value of the SSH_AUTH_SOCK environment variable.

  3. In another OS X terminal issue the docker run command with the SSH_AUTH_SOCK value from step 2 as follows:

    docker run --rm -t -i \
      -v /tmp/ssh-BRLb99Y69U/agent.7750:/ssh-agent \
      -e SSH_AUTH_SOCK=/ssh-agent my_image /bin/bash
    root@600d0e9b443d:/# ssh-add -l
    2048 6c:8e:82:08:74:33:78:61:f9:9a:74:1b:65:46:be:eb /Users/dev/.ssh/id_rsa (RSA)

I don't really like the fact that I have to keep a boot2docker ssh session open to make this work, but until a better solution is found, this at least worked for me.

henrjk
1

I ran into a similar issue, and was able to make things pretty seamless by using ssh in master mode with a control socket and wrapping it all in a script like this:

#!/bin/sh

ssh -i ~/.vagrant.d/insecure_private_key -p 2222 -A -M -S ssh.socket -f docker@127.0.0.1 tail -f /dev/null

HOST_SSH_AUTH_SOCK=$(ssh -S ssh.socket docker@127.0.0.1 env | grep "SSH_AUTH_SOCK" | cut -f 2 -d =)

docker run -v $HOST_SSH_AUTH_SOCK:/ssh-agent \
       -e "SSH_AUTH_SOCK=/ssh-agent" \
       -t hello-world "$@"

ssh -S ssh.socket -O exit docker@127.0.0.1

Not the prettiest thing in the universe, but much better than manually keeping an SSH session open IMO.

willwilson
  • Meanwhile newer docker complains: docker: Error response from daemon: invalid volume spec ":/ssh-agent": invalid volume specification: ':/ssh-agent'. – aholbreich May 24 '17 at 15:36
1

Socket forwarding doesn't work on OS X yet. Here is a variation of @henrjk's answer brought into 2019 using Docker for Mac instead of boot2docker, which is now obsolete.

  1. First run a ssh server in the container, with /tmp being on the exportable volume. Like this

     docker run -v tmp:/tmp -v \
     ${HOME}/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro \
     -d -p 2222:22 arvindr226/alpine-ssh

  2. Then ssh into this container with agent forwarding

     ssh -A -p 2222 root@localhost

  3. Inside of that ssh session find out the current socket for ssh-agent

     3f53fa1f5452:~# echo $SSH_AUTH_SOCK
     /tmp/ssh-9zjJcSa3DM/agent.7

  4. Now you can run your real container. Just make sure to replace the value of SSH_AUTH_SOCK below with the value you got in the step above

     docker run -it -v tmp:/tmp \
     -e SSH_AUTH_SOCK=/tmp/ssh-9zjJcSa3DM/agent.7 \
     vladistan/ansible

Vlad
  • Still useful and working on Docker Desktop for Mac in Aug 2022 for deploying a Rails 7 app using Capistrano agent forwarding. – millisami Aug 03 '22 at 06:33
0

By default, boot2docker shares only files under /Users. SSH_AUTH_SOCK is probably under /tmp so the -v mounts the agent of the VM, not the one from your mac.

If you set up your VirtualBox to share /tmp, it should be working.

creack
  • This sounds promising, could you provide some more information on how to do this? I found this: https://github.com/boot2docker/boot2docker#virtualbox-guest-additions but I'm relatively new to docker – Paul Odeon Nov 21 '14 at 09:12
  • Open your VirtualBox, right click on the boot2docker VM, settings, shared directories, click the add button, enter /tmp, tick automount and permanent. However, after testing, it appears that shared directory does not allow you to share the socket, so it will not work. – creack Nov 21 '14 at 10:48
  • 1
    I don't think this is possible. SSH_AUTH_SOCK is a Unix socket, not a file, so it can't be shared with VirtualBox the way files are. – David Resnick Jan 30 '16 at 15:27
0

Could not open a connection to your authentication agent.

This error occurs when $SSH_AUTH_SOCK env var is set incorrectly on the host or not set at all. There are various workarounds you could try. My suggestion, however, is to dual-boot Linux and macOS.

Additional resources:

vhs