
Cannot forward SSH agent to Docker #4842

Closed
2 tasks done
mmenozzi opened this issue Aug 14, 2020 · 11 comments

Comments

@mmenozzi

  • I have tried with the latest version of my channel (Stable or Edge)
  • I have uploaded Diagnostics
  • Diagnostics ID: 6150D17C-E977-4684-9188-71DEB732F943/20200814123446

Expected behavior

Given what has been stated here and here, I'd expect these two commands to produce the same output:

ssh-add -l
docker run --rm --mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --entrypoint /usr/bin/ssh-add alpine/git -l

Actual behavior

$ ssh-add -l
2048 SHA256:7bPSF1N9P1tb2gbMRQn01zMk4p5oVu0SezsgyR253Ew /Users/manuele/.ssh/id_rsa (RSA)

$ docker run --rm --mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --entrypoint /usr/bin/ssh-add alpine/git -l
The agent has no identities.

Information

Am I missing anything? Is it possible to forward the SSH agent of the Mac host to Docker containers?

  • macOS Version: 10.15.5
  • Docker for Mac: version 2.3.4.0 (Edge)
@dbarvitsky

Had very similar issue. The SSH forwarding is fine, it seems to be going to the wrong agent.

It appears that with 2.3.0.4 (not sure about earlier versions), the SSH forwarding seems to work only when you add keys to the ssh-agent Docker Desktop (?) has started.

Reproduce:

  1. Stop Docker Desktop
  2. killall ssh-agent
  3. Start Docker Desktop
  4. Note: ps -ef | grep ssh-agent yields 5008 10897 1 0 9:11AM ?? 0:00.01 /usr/bin/ssh-agent -l, which has been started by Docker Desktop
  5. eval $(ssh-agent). Note that this starts a new agent, so now you have two running.
  6. ssh-add. Note that this adds key to the agent you just started.
  7. docker run --rm --mount.... -e... ssh-add -l yields "The agent has no identities"

My theory: this happens because now containers talk to the wrong agent, which does not have the identity we just added.

I think the reason this is a widespread problem is that a lot of people have Docker Desktop starting automatically, and also have a habit of doing eval $(ssh-agent) before ssh-add. The habit is forged by infosec that says to be extremely cautious with ssh-agents and not just re-use them for no reason. Yet this good habit lands you exactly in this situation with Docker Desktop, which promotes the exact opposite.

What worked for me:

  • Start Docker Desktop
  • Open a terminal (after Docker Desktop starts)
  • ssh-add (use the existing SSH agent, don't start a new one)
  • docker run --rm --mount.... -e... ssh-add -l works as expected

Infosec aside, from my (end-user) perspective, the fact that I have to use a specific agent for things to work is not obvious. I think of containers as "clients" for the agent that I control (started), rather than thinking of the docker engine as a "server" providing its own agent for me to use. At any rate, I think it deserves a 2x4 red banner with skull and bones and biohazard signs in documentation.

In Linux you explicitly specify the socket path, so this problem does not exist at all. From this perspective, while SSH agent forwarding is a valid narrow-case solution for a busy engineer, I would very much like to see proper socket forwarding the way it is done in Linux.
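The "two agents" situation described in this comment can be checked mechanically. This is an added example, not code from the thread or from Docker: it runs the two commands from the issue and reports whether the container is talking to a different ssh-agent than your shell. The function names (fingerprints, compare_agents, check_forwarding) are my own; the socket path is the one used in the issue.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): detect the "wrong agent" situation
# described above by comparing what the host's ssh-agent reports with what a
# container sees through Docker Desktop's forwarded socket.
# Function names (fingerprints, compare_agents, check_forwarding) are my own.
DOCKER_SOCK=/run/host-services/ssh-auth.sock   # socket path from the issue

# Print the SHA256 fingerprint column of `ssh-add -l` output, sorted.
# "The agent has no identities." produces no output.
fingerprints() {
  printf '%s\n' "$1" | awk '$2 ~ /^SHA256:/ { print $2 }' | sort
}

# Compare two `ssh-add -l` outputs (host vs container).
#   0: same identity set
#   1: host has identities but the container sees none (the symptom in this issue)
#   2: the identity sets differ in some other way
compare_agents() {
  local h c
  h=$(fingerprints "$1")
  c=$(fingerprints "$2")
  if [ -n "$h" ] && [ -z "$c" ]; then
    return 1
  elif [ "$h" != "$c" ]; then
    return 2
  fi
  return 0
}

# Live check (needs Docker Desktop): run the two commands from the issue.
check_forwarding() {
  local host_out container_out rc=0
  host_out=$(ssh-add -l 2>&1)
  container_out=$(docker run --rm \
    --mount type=bind,src="$DOCKER_SOCK",target="$DOCKER_SOCK" \
    -e SSH_AUTH_SOCK="$DOCKER_SOCK" \
    --entrypoint /usr/bin/ssh-add alpine/git -l 2>&1)
  compare_agents "$host_out" "$container_out" || rc=$?
  case $rc in
    0) echo "OK: container sees the same identities as your shell's agent" ;;
    1) echo "MISMATCH: container agent is empty; your shell (SSH_AUTH_SOCK=$SSH_AUTH_SOCK)"
       echo "is probably talking to a different ssh-agent. Running agents:"
       pgrep -fl ssh-agent ;;
    2) echo "MISMATCH: identity sets differ between host agent and container" ;;
  esac
  return $rc
}
```

Source the file and call check_forwarding; a result of 1 together with two ssh-agent processes in the listing is exactly the eval $(ssh-agent) case walked through above.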

@georgettica

@dbarvitsky I am having the same issue using the steps you provided

my docker-for-mac version and docker version:

$ docker -v
Docker version 20.10.0-beta1, build ac365d7
---
docker client version
docker version: 2.4.2.0 (48975)

So far I am using the Edge version, as I heard it works better, but it doesn't seem to do so.

@docker-robott
Collaborator

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@rhiannon-eldridge-lrn

rhiannon-eldridge-lrn commented Feb 19, 2021

This issue is still happening.

Docker for Mac: 3.1.0
MacOS Mojave: Darwin 18.7.0 Darwin Kernel Version 18.7.0: Sun Dec 1 18:59:03 PST 2019; root:xnu-4903.278.19~1/RELEASE_X86_64 x86_64

What information is needed to fix this problem? It is very frustrating to deal with.

The only workaround I've found is to launch Docker from the terminal, but that's not very helpful or user friendly.

Please let me know if there is any additional information I can provide.

@rhiannon-eldridge-lrn

Ah, I see the issue. I removed ssh-agent from my ohmyzsh plugins and now it works.

I still find it a bit weird that Docker for Mac can't find/use the ssh-agent that was started by ohmyzsh.

Is this a bug with the ohmyzsh ssh-agent plugin or an issue with how Docker for Mac detects the ssh-agent?

@georgettica

As I saw it, the agent has its own ssh-agent spinning up anyway, so you could just connect and add your keys once and it should persist across restarts of the container.

Not a perfect patch but so far it works

@georgettica

Also, I have no knowledge of how to fix this and am waiting for someone with more 🧠 in the issue to chime in.

@uhthomas

Am also seeing this on MacOS. Running ssh-add resolves it for the lifetime of the session.

Docker for Mac: 3.1.0
MacOS: Darwin C02CM0ZFMD6R 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64 x86_64

@uhthomas

Can we keep this open?

@dantereve

dantereve commented Apr 21, 2021

Ah, I see the issue. I removed ssh-agent from my ohmyzsh plugins and now it works.

I still find it a bit weird that Docker for Mac can't find/use the ssh-agent that was started by ohmyzsh.

Is this a bug with the ohmyzsh ssh-agent plugin or an issue with how Docker for Mac detects the ssh-agent?

@rhiannon-eldridge-lrn
That's a good solution, but you don't have to remove the ssh-agent plugin.

If you want to keep using it, add this line in your ~/.zshrc:

zstyle :omz:plugins:ssh-agent agent-forwarding on

This line must come before:

source $ZSH/oh-my-zsh.sh

In my ~/.zshrc it looks like this:

plugins=(git z ssh-agent zsh-autosuggestions colored-man-pages zsh-syntax-highlighting history-substring-search)

zstyle :omz:plugins:ssh-agent agent-forwarding on

source $ZSH/oh-my-zsh.sh

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators May 21, 2021