
Use SSH agent forwarding instead of SSH keys #607

Merged: 1 commit, Aug 4, 2016

Conversation

phansys (Member) commented Aug 4, 2016

Fixed tickets: #595
License: MIT

Using SSH agent forwarding.

sstok (Contributor) commented Aug 4, 2016

You need to also configure the host system, but which hostname is used?

Oh wait it should work. But it doesn't 💀

 [RuntimeException]
  Permission denied (publickey).
  fatal: Could not read from remote repository.
  Please make sure you have the correct access rights
  and the repository exists.
  error: Could not fetch gushphp

sstok (Contributor) commented Aug 4, 2016

It seems it's not possible to forward the SSH agent socket into a container, I found multiple issues and complaints indicating this is not possible.

@phansys please confirm this is possible, and I simply need to change something on my system (macOS) 🙏

phansys (Member, Author) commented Aug 4, 2016

Sure @sstok, this works. I've created this PR with the Docker image using these settings. I had to make this change because with the keys approach, the container was prompting for the passphrase every time:

$ gush pull-request:create -vvv
CMD git rev-parse --show-toplevel
CMD git rev-parse --abbrev-ref HEAD
CMD git config --local --get remote.gushphp.url
CMD git config --local --get remote.gushphp.url
CMD git remote update gushphp
Enter passphrase for key '/root/.ssh/id_rsa': 
CMD git rev-list gushphp/master..ssh_auth_sock --count

Open request on gushphp/gushphp
================================

 phansys wants to merge 3 commits into gushphp/gushphp:master from phansys:ssh_auth_sock.

CMD git ls-remote [email protected]:phansys/gushphp.git
Enter passphrase for key '/root/.ssh/id_rsa': 

sstok (Contributor) commented Aug 4, 2016

Indeed, but I wonder why it's not working on my system 😫

phansys (Member, Author) commented Aug 4, 2016

Do you have SSH agent running locally?
Check these points:

phansys (Member, Author) commented Aug 4, 2016

Please, let me know if you have any news on this. I'll try to help where possible.

sstok (Contributor) commented Aug 4, 2016

SSH agent is running, because on the host system I get a result with ssh-add -L but in the Docker container it's not working.

Using a modified version, as I can't get into the container shell.

FROM php:7.0.8-alpine

COPY ./src /usr/src/gush/src
COPY ./gush /usr/src/gush/gush
COPY ./composer.json /usr/src/gush/composer.json

WORKDIR /usr/src/gush

RUN set -xe \
    && apk add --no-cache \
    git \
    openssh-client \
    bash

#RUN curl -s https://getcomposer.org/installer | php \
#    && chmod +x composer.phar \
#    && php composer.phar install --prefer-dist --optimize-autoloader --no-interaction --no-dev \
#    && rm composer.phar \
#    && rm composer.json \
#    && rm composer.lock

RUN mkdir /root/project
WORKDIR /root/project

ENTRYPOINT ["/bin/bash"]

docker build -t gush .

docker run -it \
    -v $SSH_AUTH_SOCK:/ssh-agent \
    -v ~/.ssh/known_hosts:/root/.ssh/known_hosts \
    -v ~/.gush:/root/.gush \
    -v "$(pwd)":/root/project \
    -e SSH_AUTH_SOCK=/ssh-agent \
    -e GUSH_CONFIG=/root/.gush \
    -e GUSH_LOCAL_CONFIG=/root/project \
    gush

Result:

bash-4.3# ssh-add -L
Error connecting to agent: Connection refused
bash-4.3# stat $SSH_AUTH_SOCK
  File: /ssh-agent
  Size: 0           Blocks: 0          IO Block: 512    socket
Device: 29h/41d Inode: 12648490    Links: 1
Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-08-04 13:22:27.000000000
Modify: 2016-08-04 13:22:27.000000000
Change: 2016-08-04 13:22:27.000000000

bash-4.3#

@sstok sstok added the Feature label Aug 4, 2016
phansys (Member, Author) commented Aug 4, 2016

The container can't be different (or at least that is what I think). IMO, there is no need for ssh-agent to be running in the container; I think you should check with ssh -T [email protected] instead: Testing SSH agent forwarding.

sstok (Contributor) commented Aug 4, 2016

ssh-agent is not running on the Container, but on the host system ;)

On the host I get a successful authentication and a result when running ssh-add -L.
But in the bash of the container I get Error connecting to agent: Connection refused.

bash-4.3# ssh -T [email protected]
Permission denied (publickey).

cordoval (Member) commented Aug 4, 2016

Hmm, I am going to try now.

phansys (Member, Author) commented Aug 4, 2016

Let me change my entrypoint in order to compare my output with yours.

phansys (Member, Author) commented Aug 4, 2016

bash-4.3# stat $SSH_AUTH_SOCK
  File: /ssh-agent
  Size: 0           Blocks: 0          IO Block: 4096   socket
Device: 2dh/45d Inode: 11          Links: 1
Access: (0775/srwxrwxr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2016-08-03 18:07:14.000000000
Modify: 2016-07-31 14:15:39.000000000
Change: 2016-07-31 14:15:39.000000000

bash-4.3# ssh -T [email protected]
Hi phansys! You've successfully authenticated, but GitHub does not provide shell access.

phansys (Member, Author) commented Aug 4, 2016

Note the difference at Access section:
Yours:

Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)

Mine:

Access: (0775/srwxrwxr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)

cordoval (Member) commented Aug 4, 2016

Test it outside of the gush project; I am getting errors like this:

  [RuntimeException]
  Permission denied (publickey).
  fatal: Could not read from remote repository.
  Please make sure you have the correct access rights
  and the repository exists.

phansys (Member, Author) commented Aug 4, 2016

Let me make some changes in order to match @sstok's output: changing file permissions, and executing docker run specifying another user with the --user option.

phansys (Member, Author) commented Aug 4, 2016

I've updated the file permissions manually and my access is kept intact:

bash-4.3# stat $SSH_AUTH_SOCK
  File: /ssh-agent
  Size: 0           Blocks: 0          IO Block: 4096   socket
Device: 2dh/45d Inode: 11          Links: 1
Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-08-04 15:04:15.000000000
Modify: 2016-07-31 14:15:39.000000000
Change: 2016-08-04 15:04:13.000000000

bash-4.3# ssh -T [email protected]
Hi phansys! You've successfully authenticated, but GitHub does not provide shell access.

sstok (Contributor) commented Aug 4, 2016

docker run -it \
    -v $SSH_AUTH_SOCK:/ssh-agent \
    -v ~/.ssh/known_hosts:/root/.ssh/known_hosts \
    -v ~/.gush:/root/.gush \
    -v "$(pwd)":/root/project \
    -v /etc/passwd:/etc/passwd:ro \
    -e SSH_AUTH_SOCK=/ssh-agent \
    -e GUSH_CONFIG=/root/.gush \
    -e GUSH_LOCAL_CONFIG=/root/project \
    -u $UID \
    gush "$@"
bash-4.3$ id
uid=501 gid=0(root)
bash-4.3$ ssh -T [email protected]
No user exists for uid 501

phansys (Member, Author) commented Aug 4, 2016

bash-4.3# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

phansys (Member, Author) commented Aug 4, 2016

Passing -u $UID to docker run I can reproduce your issue:

bash-4.3$ id
uid=1000 gid=0(root)
bash-4.3$ stat $SSH_AUTH_SOCK
  File: /ssh-agent
  Size: 0           Blocks: 0          IO Block: 4096   socket
Device: 2dh/45d Inode: 11          Links: 1
Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-08-04 15:04:15.000000000
Modify: 2016-07-31 14:15:39.000000000
Change: 2016-08-04 15:04:13.000000000

bash-4.3$ ssh -T [email protected]
No user exists for uid 1000
bash-4.3$ id
uid=1000 gid=0(root)

phansys (Member, Author) commented Aug 4, 2016

Could you then pass the hardcoded UID -u 0, or would it be better to try fixing permissions inside the container? Please tell me about your results.

sstok (Contributor) commented Aug 4, 2016

Using -u 0 did not solve the problem. I have absolutely no idea why it's not working 💀

phansys (Member, Author) commented Aug 4, 2016

So, just to recap, now your UID is 0 in the container and you still have no access?
What is the output of ssh -T [email protected] now? Could you try running verbose? ssh -T [email protected] -vvv

sstok (Contributor) commented Aug 4, 2016

See attachments.

git-t-with-default.txt
git-t-with-uid-0.txt

phansys (Member, Author) commented Aug 4, 2016

The difference between your output and mine starts at line 89; note that your debug level stops at 1 there, while mine goes on to 2:
Yours

debug1: SSH2_MSG_NEWKEYS received
debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused

Mine

debug1: SSH2_MSG_NEWKEYS received
debug2: key: [email protected] (0x558ddb96e440), agent

phansys (Member, Author) commented Aug 4, 2016

Could you please check the bitmask for your private and public key @sstok? https://help.ubuntu.com/community/SSH/OpenSSH/Keys

cordoval (Member) commented Aug 4, 2016

Hmm, the problem of permissions is common on the internets, I bet; I just saw an entry days ago but didn't follow it through. I hope we can solve this.

@cordoval cordoval merged commit 5de365e into gushphp:master Aug 4, 2016
@phansys phansys deleted the ssh_auth_sock branch August 4, 2016 19:28
sstok (Contributor) commented Aug 5, 2016

SSH agent is running, I can connect with the native system (macOS), but as soon as I enter Docker it refuses to connect! 😠

It almost seems Docker refuses to mount the socket file or something.

On macOS:

$ echo "he" > $SSH_AUTH_SOCK
zsh: operation not supported on socket: /private/tmp/com.apple.launchd.zYkDnlWlB6/Listeners

In Docker:

bash-4.3# echo "he" > $SSH_AUTH_SOCK
bash: /ssh-agent: No such device or address

Btw I'm using the latest version of Docker: Docker version 1.12.0, build 8eab29e

sstok (Contributor) commented Aug 5, 2016

I did some testing with a PHP script, creating a local socket and on the host it works.
BUT!! As soon as Docker tries to communicate with the mounted socket everything fails (again).

Creating a socket in the Docker env does work, so it seems Docker is unable to mount a socket file (I guess it was possible, but buggy or something...).

Attempting to connect to '/tmp/php-my-socket.sock'
Warning: socket_connect(): unable to connect [111]: Connection refused in /root/project/socket-client.php on line 22
socket_connect() failed.
Reason: () Connection refused

Even changing the chmod of the socket to world-writable did NOT solve it.
At least now I can stop pulling the hair out of my head 💀

I'm going to try one last thing: I needed to update Docker, so maybe an old version is conflicting (should not be the case on a Mac, but still). And update VirtualBox.

Edit. Docker toolbox and Docker for Mac are not the same, Docker for Mac does not use VirtualBox, but rather HyperKit, a lightweight OS X virtualization solution built on top of Hypervisor.framework in OS X 10.10 Yosemite and higher. 🤔
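The three symptoms traced through this thread (ssh aborting with "No user exists for uid N" when the container uid has no passwd entry, the stat comparison of the socket's owner and mode, and "Connection refused" against a socket node that exists but has nothing listening behind it) can be told apart from inside the container by speaking the agent protocol directly instead of going through ssh. The script below is an added example written for this page; it is not code from the gush project or from any participant. It assumes the socket path is in $SSH_AUTH_SOCK, as in the docker run commands above, and the fixture agent, the placeholder key blobs and the "dead" socket at the bottom are constructed test data, not captures from a real agent. Two caveats a practitioner should keep in mind: forwarding the agent into a container hands every process in it, root included, the ability to sign with the host's keys for as long as the socket is mounted, which is why the script flags a world-writable socket; and on macOS local accounts live in Open Directory rather than /etc/passwd, so the -v /etc/passwd mount tried above cannot supply uid 501 there.

```python
import os
import pwd
import socket
import stat
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message types from draft-miller-ssh-agent
SSH_AGENT_IDENTITIES_ANSWER = 12


def _recv_msg(f):  # one agent message: uint32 length prefix, then body
    (length,) = struct.unpack(">I", f.read(4))
    return f.read(length)


def _take_string(data, off):  # one SSH 'string' (uint32 length + bytes) at off -> (bytes, new_off)
    (length,) = struct.unpack(">I", data[off:off + 4])
    return data[off + 4:off + 4 + length], off + 4 + length


def list_agent_identities(sock_path):
    """Send SSH_AGENTC_REQUEST_IDENTITIES; return [(key_type, comment), ...]. connect() errors propagate."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        body = _recv_msg(s.makefile("rb"))
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent replied with message type %d" % body[0])
    (count,) = struct.unpack(">I", body[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = _take_string(body, off)
        comment, off = _take_string(body, off)
        key_type, _ = _take_string(blob, 0)  # a public key blob starts with its type string
        keys.append((key_type.decode(), comment.decode()))
    return keys


def diagnose(sock_path=None, uid=None):
    """Explain why the agent at sock_path (default $SSH_AUTH_SOCK) is or is not usable by uid (default: ours)."""
    findings = []
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK") or ""
    uid = os.getuid() if uid is None else uid
    try:
        pwd.getpwuid(uid)  # ssh does this lookup before it touches the socket
    except KeyError:
        findings.append("no passwd entry: ssh will abort with 'No user exists for uid %d'" % uid)
    if not os.path.exists(sock_path):
        return findings + ["%r does not exist: is SSH_AUTH_SOCK set and the host socket bind-mounted?" % sock_path]
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return findings + ["%s is not a socket: the mount point became a plain file or directory" % sock_path]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append("socket is world-writable: any process in the container can sign with the host's keys")
    try:
        keys = list_agent_identities(sock_path)
    except OSError as e:  # ECONNREFUSED: nothing behind the node; EACCES: owner/mode vs our uid
        hint = "no agent is listening behind the socket node" if isinstance(e, ConnectionRefusedError) \
            else "fix the socket's owner/mode (uid %d, mode %o) or run the container as that uid" % (st.st_uid, mode)
        findings.append("connect() failed: %s (%s)" % (e.strerror, hint))
    else:
        findings.append("agent reachable with %d identities: %s" % (len(keys), ", ".join(c for _, c in keys))
                        if keys else "agent reachable but holds no identities: run ssh-add on the host")
    return findings


def make_dead_socket(name="dead"):
    """Constructed fixture: a socket node with no listener, the state sstok's stat output shows."""
    path = os.path.join(tempfile.mkdtemp(), name)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the node stays on disk; connect() now gets ECONNREFUSED
    return path


def _serve_fake_agent(srv, keys, ready):
    """Constructed fixture: answer the first request with IDENTITIES_ANSWER and placeholder key blobs."""
    srv.listen(1)
    ready.set()
    with srv, srv.accept()[0] as conn:
        _recv_msg(conn.makefile("rb"))  # consume the request; only identities are implemented
        body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
        for key_type, comment in keys:
            blob = struct.pack(">I", len(key_type)) + key_type + b"\0" * 32  # not a real key
            body += struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(comment)) + comment
        conn.sendall(struct.pack(">I", len(body)) + body)


def run_with_fake_agent(keys, uid=None, name="agent"):
    """Start the fixture agent on a fresh temp socket and return diagnose()'s findings for it."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    path = os.path.join(tempfile.mkdtemp(), name)
    srv.bind(path)
    ready = threading.Event()
    t = threading.Thread(target=_serve_fake_agent, args=(srv, keys, ready), daemon=True)
    t.start()
    ready.wait(5)
    findings = diagnose(path, uid)
    t.join(5)
    return findings
```

Inside the container, `python3 -c 'import agent_probe; print(*agent_probe.diagnose(), sep="\n")'` (agent_probe.py being a hypothetical file name for the block) reports the same condition ssh would hit, but with the reason spelled out: a refused connect means the bind mount produced an inert socket node rather than a path to the host's agent, which is a different problem from wrong ownership or a missing passwd entry. To limit what a compromised container can do with a forwarded agent, add keys on the host with `ssh-add -c` so that every signature asks for confirmation.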

sstok (Contributor) commented Aug 5, 2016

OK, reinstalling the Docker toolbox did not solve the mounting problem 💀
And now it's no longer a socket either!

I give-up.

phansys (Member, Author) commented Aug 5, 2016

Don't give up @sstok. Just for clarification, I'm using Linux, while you and @cordoval are on Mac; I don't know if there is some different configuration, but I'll try to do further investigation later.
