How to SSH agent forward into a docker container
docker run --rm -t -i -v $(dirname $SSH_AUTH_SOCK) -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK ubuntu /bin/bash

mattfreer Feb 7, 2014

In order for this to work you need to specify volume like so:

docker run --rm -t -i -v $(dirname $SSH_AUTH_SOCK):$(dirname $SSH_AUTH_SOCK) -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK ubuntu /bin/bash

pda May 23, 2014

docker run --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent ubuntu ssh-add -l

joneslee85 Jun 19, 2014

Wow, I was wondering how this solution works with socket file share, it wasn't supposed to work though. But then again, now I realise that docker containers share same kernel level with the guest OS. Good tips 👍

elhu Jul 24, 2014

Is there any pre-requisite for the Docker host? My host can connect to a SSH server using private key authentication just fine, but the container fails to find a private key (which makes sense since it doesn't have it) and falls back to password authentication...

plasticine Jul 30, 2014

I can’t see how this would work, given that the permissions on $SSH_AUTH_SOCK in the host won’t allow access from the container user? I must be missing something? :/

slmingol Jul 31, 2014

This exposes the value of the $SSH_AUTH_SOCK (which is the path to a socket file on the host) as a volume into the docker container (at the location /ssh-agent). Inside the container you then set the environment variable $SSH_AUTH_SOCK with the path to the volume inside (/ssh-agent). Since this environment variable is now set, ssh-agent -l can make use of it inside the container. When you run these commands inside the docker container you're root and so you have access.

arunthampi Aug 1, 2014

If you're running this command in a Vagrant created VM, you might have problems with the file in $SSH_AUTH_SOCK being a symlink, so this worked for me:

docker run -i -t -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent ubuntu /bin/bash

tobowers Dec 30, 2014

Anyone get this to work in boot2docker yet?

penguincoder Feb 10, 2015

+1 @arunthampi That works very well in my Vagrant+Docker setup. I was using a Docker container to run Capistrano commands, so I had a few other things. I needed to add a --env CAP_USER=$CAP_USER and then in my Vagrant VM .bashrc source a file that contained my remote CAP_USER username.

File /home/vagrant/.cap_user contains just remote-user
Then in file: /home/vagrant/.bashrc I have a line like this:

    test -f ~/.cap_user && export CAP_USER=$(cat ~/.cap_user) || true

I set that file up in the VM using the Vagrantfile shell provisioner to copy both files into the VM.

Voilà. Capistrano deploying happening inside a Docker container.

dts Mar 1, 2015

@tobowers: Works for me on boot2docker on mac, but I have to do it in two steps, SSH into the host VM, then run @arunthampi's code. Like so:

 $ boot2docker ssh
 $ docker run -i -t -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent ubuntu /bin/bash

Once you're into the host VM, you can check out forwarding status with ssh-add -L. If you get the public keys you expect, proceed into the container.

bigeasy Apr 1, 2015

@dts You forgot -A.

$ boot2docker ssh -A
$ ssh-add -l
2048 97:f0:e8:b3:c6:cb:2b:06:93:31:f5:a5:c6:0c:22:07 /Users/alan/.ssh/id_rsa (RSA)
$ docker run -i -t -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent ubuntu /bin/bash
$ apt-get -q=2 update && apt-get -q=2 install ssh > /dev/null 2>&1
$ ssh-add -l
2048 97:f0:e8:b3:c6:cb:2b:06:93:31:f5:a5:c6:0c:22:07 /Users/alan/.ssh/id_rsa (RSA)

andrerocker Aug 7, 2015

@tobowers On boot2docker, just your home dir is available on boot2docker-vm; maybe if you symlink the ssh-agent socket to $HOME/something this can work.

rosskevin Oct 1, 2015

I'm trying this, but with docker-compose. I was typing a comment, but too much for this gist. Any help is appreciated over on http://stackoverflow.com/questions/32897709/ssh-key-forwarding-inside-docker-compose-container

f3l1x Apr 5, 2016

Great thanks.

docker run --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent ubuntu ssh-add -l

Works pretty well!

kynan Oct 23, 2016

Has anyone managed to use SSH agent forwarding in combination with running the container as a different user e.g. docker run -u $(id -u):$(id -g) --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent ...?

SSH actually checks that the effective UID is present in the password database and fails with You don't exist, go away! otherwise.

whistler Oct 27, 2016

I get the following error when trying this out. I'm using a mac and have tried this on both docker for mac and docker-machine. I had to first install git on the ubuntu image.

docker run --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent ubuntu ssh-add -l
Error connecting to agent: Connection refused

gautaz Nov 3, 2016

@whistler, sharing the auth socket is currently not working for docker for mac, see:
docker/for-mac#410

It seems there is a work in progress that should be available before the end of November:
docker/for-mac#483

jrolfs Dec 23, 2016

@gautaz thanks for the heads up!

vladkras Jul 18, 2017

What if I have Windows? How to use SSH_AUTH_SOCK?

I can clone repo with common git for Windows, but not inside the container

sylvain261 Aug 8, 2017

It would be very helpful to get a clarification on how to share ssh keys when the host is Windows (maybe by a key copy..)

leandrw Aug 9, 2017

@Sylvain, give a chance to WSL (Windows Subsystem for Linux).

dragon788 Nov 7, 2017

@kynan if you aren't using a remote user database for your system (eg LDAP/AD) you can map in /etc/passwd read-only so SSH can find your user.
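
The steps collected in the comments above (mount only the socket, resolve a symlinked socket path, map /etc/passwd read-only when running as a non-root user), combined into one wrapper. This is an added example, not code from the gist or its commenters; the function names and the IMAGE variable are hypothetical.

```shell
#!/bin/sh
# Added example: assemble `docker run` arguments that forward the host SSH agent.
# Function names and the IMAGE variable are hypothetical.

# Print the real path of the agent socket; fail if there is nothing to forward.
resolve_agent_socket() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set; no agent to forward" >&2
        return 1
    fi
    # Resolve symlinks first (the Vagrant case from the thread).
    sock=$(readlink -f "$SSH_AUTH_SOCK") || return 1
    if [ ! -S "$sock" ]; then
        echo "$sock is not a socket" >&2
        return 1
    fi
    printf '%s\n' "$sock"
}

# Print the docker arguments, one per line.
# $1 = socket path on the host; $2 = "as-user" to run with the caller's uid:gid.
agent_mount_args() {
    # Mount the socket itself, not its parent directory.
    printf '%s\n' --volume "$1:/ssh-agent" --env SSH_AUTH_SOCK=/ssh-agent
    if [ "${2:-}" = as-user ]; then
        # ssh looks the uid up in the password database, so map it in read-only.
        printf '%s\n' --user "$(id -u):$(id -g)" \
            --volume /etc/passwd:/etc/passwd:ro
    fi
}

# List the forwarded keys from inside a container.
# Assumes the image ships ssh-add and the socket path contains no newline.
forward_agent_check() {
    sock=$(resolve_agent_socket) || return 1
    mode=${1:-}
    old_ifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2046  # splitting on newlines is intended here
    set -- $(agent_mount_args "$sock" "$mode")
    set +f
    IFS=$old_ifs
    docker run --rm "$@" "${IMAGE:?set IMAGE to an image that includes ssh-add}" ssh-add -l
}
```

While the container runs, any process in it that can open /ssh-agent can ask the agent to sign with every loaded key, so mount the socket only into containers whose contents you trust.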

ghost Nov 9, 2017

Maybe there is a similar way to integrate gpg into a docker container?
