d11wtq/docker-ssh-forward.bash

Created January 29, 2014 23:32

Star 210 You must be signed in to star a gist
Fork 16 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/d11wtq/8699521.js"></script>
Save d11wtq/8699521 to your computer and use it in GitHub Desktop.

Download ZIP

How to SSH agent forward into a docker container

Raw

docker-ssh-forward.bash

docker run -rm -t -i -v $(dirname $SSH_AUTH_SOCK) -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK ubuntu /bin/bash

GuillermoAndrade commented Jan 14, 2021

-e "$SSH_AUTH_SOCK:/ssh-agent" \

maybe -v here instead of -e ?

timur265 commented Apr 21, 2021 •

edited

Hi everyone. I have the same problem. Has anyone found the solution?
This works for me for the first shell login, but fails for successive attempts

sudo docker run --restart always --network host --name github-runner -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent -e REPO_URL="$REPO_NAME" -e ACCESS_TOKEN="$ACCESS_TOKEN" myoung34/github-runner:latest

conf commented May 24, 2021

If you're on a mac, the current incantation should be:

docker run -it --rm -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" debian bash

tomdavies commented Aug 31, 2021

For anyone struggling to get ssh-agent forwarding to work for non-root container users, here's the workaround I came up with, running my entry point script as root, but using socat + su-exec to expose the socket to the non-root user and then run commands as that user:

Add socat and su-exec to the container in your Dockerfile (you might not need the later if you're not using alpine)

USER root
RUN apk add socat su-exec
# for my use case I need www-data to have access to SSH, so 
RUN \
    mkdir -p /home/www-data/.ssh && \
    chown www-data:www-data /home/www-data/.ssh/

In your entrypoint:

#!/bin/sh
# Map docker's "magic" socket to one owned by www-data
socat UNIX-LISTEN:/home/www-data/.ssh/socket,fork,user=www-data,group=www-data,mode=777 \
    UNIX-CONNECT:/run/host-services/ssh-auth.sock \
    &
# set SSH_AUTH_SOCK to the new value
export SSH_AUTH_SOCK=/home/www-data/.ssh/socket
# exec commands as www-data via su-exec
su-exec www-data ssh-add -l
# SSH agent works for the www-data user, in reality you probably have something like su-exec www-data "$@" here

Run your container as @conf states:

docker run -it --rm -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" name cmd

unphased commented Feb 18, 2022

shrug this: -v "$SSH_AUTH_SOCK:$SSH_AUTH_SOCK" -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK worked for me. The original gist did not.

josepsmartinez commented Mar 8, 2022

@unphased Probably due to the symlink situation, as @arunthampi noticed here.

The line the worked for me was docker run -i -t -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent ubuntu /bin/bash

Paprikas commented Jun 7, 2022 •

edited

@unphased
volume $SSH_AUTH_SOCK:/ssh-agent
and ENV SSH_AUTH_SOCK=/ssh-agent worked for me for years.
But after I've upgraded packages to the latest (ubuntu 22), the agent just stopped working! I mean - ssh-add -l was saying that it does not have access to the agent.
Thank you, your snippet works! Spent the whole day on this issue ))

wirwolf commented Dec 22, 2023

Check if you use docker from snap. In my Kubuntu 22.04 I remove docker from snap and install using apt and problem is fixed

vokshirg commented Feb 6, 2024

the latest official documentation helped me with docker-compose setup
https://docs.docker.com/desktop/networking/#ssh-agent-forwarding

sourcecodemage commented Mar 5, 2024

is there a version of setup for Redhat linux and distributions based on it like CentOS and Rocky?

sourcecodemage commented Mar 5, 2024

the latest official documentation helped me with docker-compose setup https://docs.docker.com/desktop/networking/#ssh-agent-forwarding

That seems to be specific to Docker Desktop. What about Colima and/or Podman?

philippkemmeter commented Mar 13, 2024

Based on @tomdavies post, i created this Dockerfile which uses the USER statement in order to have an unpriviledged container instead of su-exec:

FROM python:3.11.6-alpine

RUN apk --no-cache add --update \
    socat \
    sudo

RUN addgroup --gid 1001 -S ansible && adduser --uid 1001 -S ansible -G ansible -h /home/ansible
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/create-ansible-agent-socket.sh' > /etc/sudoers
RUN echo 'socat UNIX-LISTEN:/home/ansible/.ssh/agent,fork,user=ansible,group=ansible,mode=777 UNIX-CONNECT:/root/.ssh/agent' > /usr/local/bin/create-ansible-agent-socket.sh
RUN chmod +x /usr/local/bin/create-ansible-agent-socket.sh
RUN echo 'sudo /usr/local/bin/create-ansible-agent-socket.sh & SSH_AUTH_SOCK=/home/ansible/.ssh/agent "$@"' > /entrypoint.sh

USER ansible
RUN mkdir -p /home/ansible/.ssh && chown ansible:ansible /home/ansible/.ssh

ENTRYPOINT [/bin/sh, /entrypoint.sh]

you run it then with

docker run -it -u ansible \
    -v "$SSH_AUTH_SOCK":/root/.ssh/agent \
    -e SSH_AUTH_SOCK=/root/.ssh/agent \
    name cmd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment