I have little to no knowledge of Docker, but I wanted to try building a Dockerfile which clones a few projects locally with the user's SSH key:

RUN mkdir /root/.ssh/
# Create id_rsa from string arg, and set permissions
RUN echo "$SSH_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
# Create known_hosts
RUN touch /root/.ssh/known_hosts
# Add git providers to known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN ssh-keyscan gitlab.com >> /root/.ssh/known_hosts
RUN echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
RUN ssh -Tv git@gitlab.com

The key I generated on the host has no password; however, I receive this error message from the last RUN command:

Warning: Permanently added the ECDSA host key for IP address '35.231.145.151' to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
git@gitlab.com: Permission denied (publickey).

I assume that it wants to read the passphrase, but there should be none. How can I fix this?

Curunir
  • Either generate a key *specific* to this image, that is independent of the user creating the container, or have the user mount a directory containing their key when the container is created. – chepner Feb 02 '20 at 14:27
  • How would I achieve the second one? – Curunir Feb 02 '20 at 14:48
  • In your image, assume an arbitrary location for the required key (say, `/keys/id_rsa`). When you create the container, use the `--mount` option to map a directory containing a file named `id_rsa` to `/keys`. Basically, your image is a function, the in-container location is a parameter name, and `--mount` is what passes an argument to your "function". – chepner Feb 02 '20 at 14:53
  • Duplicate of https://stackoverflow.com/q/43348707/13317 ? – Kenster Feb 02 '20 at 15:57
  • Your ssh key is compromised now; anyone who has a copy of the image has a copy of the private key too. You need to run operations like `git clone` that require credentials outside of Docker space. It's very typical to check the Dockerfile into the repository itself, which forces you to clone first and build the Docker image second. – David Maze Feb 02 '20 at 20:22
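As an added example (not from the question or any of the comments), the following shell script illustrates David Maze's point about the key being baked into the image: every RUN step becomes a layer, a later `RUN rm` only adds a whiteout marker, and the original file stays extractable. It assumes the classic `docker save` layout (one `<layer-id>/layer.tar` per layer) and builds a constructed two-layer tarball inline, so it runs offline and can be used to audit a real saved image before it is pushed.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. It shows why a key
# written by RUN stays in the image: each RUN step is a layer, and a later
# `RUN rm` only adds a whiteout marker on top. scan_image_tar audits a
# `docker save` tarball (assumed classic layout: <layer-id>/layer.tar) for
# OpenSSH private key paths, so an image can be checked before it is pushed.
set -e

# Print "<layer>:<path>" for each private-key file found in any layer.
scan_image_tar() {
    work=$(mktemp -d)
    tar -xf "$1" -C "$work"
    for layer in "$work"/*/layer.tar; do
        [ -f "$layer" ] || continue
        hits=$(tar -tf "$layer" | grep -E '(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$' || true)
        for h in $hits; do   # paths assumed to contain no whitespace
            printf '%s:%s\n' "$(basename "$(dirname "$layer")")" "$h"
        done
    done
    rm -rf "$work"
}

# Build a constructed two-layer image tarball at the absolute path $1:
# layer aaa writes root/.ssh/id_rsa (like the question's RUN echo), layer bbb
# deletes it (whiteout file .wh.id_rsa), as a `RUN rm` would.
make_constructed_image() {
    build=$(mktemp -d)
    mkdir -p "$build/aaa/root/.ssh" "$build/bbb/root/.ssh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$build/aaa/root/.ssh/id_rsa"
    : > "$build/bbb/root/.ssh/.wh.id_rsa"
    for id in aaa bbb; do
        (cd "$build/$id" && tar -cf layer.tar root && rm -r root)
    done
    (cd "$build" && tar -cf "$1" aaa bbb)
    rm -rf "$build"
}

# Demo: the key is still recoverable from layer aaa even though bbb removed it.
demo_image=$(mktemp -d)/image.tar
make_constructed_image "$demo_image"
scan_image_tar "$demo_image"   # prints aaa:root/.ssh/id_rsa
rm -rf "$(dirname "$demo_image")"
```

On a real image, run `docker save <image> -o image.tar` and pass that file to `scan_image_tar`; any output line means a private key is shipped with the image and must be rotated.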

0 Answers