Dockerfile:使用无密码私钥克隆 repo。错误:“身份验证代理”或“read_passphrase:无法打开 /dev/tty”

Dockerfile:使用无密码私钥克隆 repo。错误:“身份验证代理”或“read_passphrase:无法打开 /dev/tty”

我尝试使用 Dockerfile 和 SSH 密钥对从 GitLab 克隆一个测试项目:ssh-keygen -t rsa -P ""。私钥无密码,公钥在 GitLab 帐户上发布。

任何人都可以快速测试这一点,只需在 GitLab 上打开一个帐户并发布您的 SSH 公钥,然后添加一个新的空项目进行克隆。

即使没有 Docker,使用也可以。即使没有 Docker,克隆项目也可以。ssh -i C:\path\to\my\private_key\id_rsa [email protected]

我将私钥加载到 Dockerfile 中,最后将其删除。这并不重要,但对于所有看到此处安全风险的人来说:我在使用后直接删除密钥对,无论是在客户端还是在服务器上。我只尝试在克隆时绕过用户帐户的密码输入,因为这在 Dockerfile 运行期间似乎不起作用,并且会是真正的安全风险,因为它可能会将密码留在日志中。

开始:进入 Dockerfile 目录,将私钥“id_rsa”粘贴到新的“.ssh”子文件夹中。然后:

docker build -t NEW_IMAGENAME . --build-arg ssh_prv_key="$(cat ./.ssh/id_rsa)"

到目前为止的工作代码:

FROM vcatechnology/linux-mint:18.2
ARG ssh_prv_key
RUN apt-get update && \
    apt upgrade -y && \
    apt-get install -y git  
RUN apt-get install -y openssh-client # openssh-server
RUN mkdir /root/.ssh/
RUN echo "Host *\n  User git\n  HostName gitlab.com\n  AddKeysToAgent yes\n  IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa

RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts
RUN ssh -o StrictHostKeyChecking=no [email protected] || true
RUN eval "$(ssh-agent -s)"
RUN chmod 666 /dev/tty

这导致:

docker build -t CONTAINERNAME . --build-arg ssh_prv_key="$(cat /.ssh/id_rsa)"
[+] Building 254.9s (14/17)
 => [internal] load build definition from Dockerfile                                                                                                                                                                                    0.0s
 => => transferring dockerfile: 6.84kB                                                                                                                                                                                                  0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                       0.0s
 => => transferring context: 2B                                                                                                                                                                                                         0.0s
 => [internal] load metadata for docker.io/vcatechnology/linux-mint:18.2                                                                                                                                                                0.8s
 => CACHED [ 1/14] FROM docker.io/vcatechnology/linux-mint:18.2@sha256:0557a4999d43c0c622f3a57c3db5b13536024fb5999ecf4f03c6ffec0e4fdb47                                                                                                 0.0s
 => [ 2/14] RUN apt-get update &&  apt upgrade -y &&  apt-get install -y git                                                                                                                                                          244.3s
 => [ 3/14] RUN apt-get install -y openssh-client # openssh-server                                                                                                                                                                      3.1s
 => [ 4/14] RUN mkdir /root/.ssh/                                                                                                                                                                                                       0.6s
 => [ 5/14] RUN echo "Host *\n  User git\n  HostName gitlab.com\n  AddKeysToAgent yes\n  IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config                                                                                         0.6s
 => [ 6/14] RUN echo "$(cat /.ssh/id_rsa)" > /root/.ssh/id_rsa &&     chmod 600 /root/.ssh/id_rsa                                                                                                                                       0.6s
 => [ 7/14] RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts                                                                                                                                                              1.3s
 => [ 8/14] RUN ssh -o StrictHostKeyChecking=no [email protected] || true                                                                                                                                                                  1.6s
 => [ 9/14] RUN eval "$(ssh-agent -s)"                                                                                                                                                                                                  0.6s
 => [10/14] RUN chmod 666 /dev/tty                                                                                                                                                                                                      0.6s

Dockerfile 中此工作代码之后的最后步骤如下,尽管前三行中的每一行都会停止脚本:

RUN ssh-add /root/.ssh/id_rsa
RUN ssh -tti /root/.ssh/id_rsa [email protected]
RUN git clone [email protected]:GITLAB_USERNAME/test.git
RUN rm -r /root/.ssh
  1. 如果RUN ssh-add /root/.ssh/id_rsa直接出现在最后一个工作代码之后:

      => ERROR [11/14] RUN ssh-add /root/.ssh/id_rsa                                                                                                                                                                                         0.6s
     ------
      > [11/14] RUN ssh-add /root/.ssh/id_rsa:
     #14 0.579 Could not open a connection to your authentication agent.
     ------
     executor failed running [/bin/sh -c ssh-add /root/.ssh/id_rsa]: exit code: 2
    

这个错误Could not open a connection to your authentication agent.很有名,参见无法打开与身份验证代理的连接。但我没法用那个线程来解决这个问题。

  1. 如果直接出现在最后一个工作代码之后:RUN ssh -tti /root/.ssh/id_rsa [email protected]

     #14 1.545 Permission denied (publickey,keyboard-interactive).
     ------
     executor failed running [/bin/sh -c ssh -tti /root/.ssh/id_rsa [email protected]]: exit code: 255
    
  2. 如果直接出现在最后一个工作代码之后:RUN git clone [email protected]:GITLAB_USERNAME/test.git

     #16 0.450 Cloning into 'test'...
     #16 1.466 Permission denied (publickey,keyboard-interactive).
     #16 1.467 fatal: Could not read from remote repository.
     #16 1.467
     #16 1.467 Please make sure you have the correct access rights
     #16 1.467 and the repository exists.
     ------
     executor failed running [/bin/sh -c git clone [email protected]:GITLAB_USERNAME/test.git]: exit code: 128
    

因此,ssh 显然需要“ssh-add”将私钥添加到“ssh-agent”才能完全知道客户端上的私钥,而且我猜它还需要让 ssh 知道到服务器的路径。ssh -tti /root/.ssh/id_rsa [email protected]

  1. 如果(-T 避免RUN ssh -Tvvv [email protected]由于 stdin 不是终端,因此不会分配伪终端)直接位于最后一段工作代码之后(这在最终的 Dockerfile 中不是必需的,它只是一个检查):

      => ERROR [12/12] RUN ssh -Tvvv [email protected]                                                                                                                                                                                          1.2s
     ------
      > [12/12] RUN ssh -Tvvv [email protected]:
     #16 0.376 OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
     #16 0.376 debug1: Reading configuration data /etc/ssh/ssh_config
     #16 0.376 debug1: /etc/ssh/ssh_config line 19: Applying options for *
     #16 0.376 debug1: /etc/ssh/ssh_config line 57: Applying options for *
     #16 0.376 debug2: resolving "gitlab.com" port 22
     #16 0.397 debug2: ssh_connect_direct: needpriv 0
     #16 0.397 debug1: Connecting to gitlab.com [172.65.251.78] port 22.
     #16 0.450 debug1: Connection established.
     #16 0.450 debug1: permanently_set_uid: 0/0
     #16 0.450 debug1: key_load_public: No such file or directory
     #16 0.450 debug1: identity file /root/.ssh/id_rsa type -1
     #16 0.450 debug1: key_load_public: No such file or directory
     #16 0.450 debug1: identity file /root/.ssh/id_rsa-cert type -1
     #16 0.451 debug1: Enabling compatibility mode for protocol 2.0
     #16 0.451 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
     #16 0.977 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
     #16 0.977 debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
     #16 0.977 debug2: fd 3 setting O_NONBLOCK
     #16 0.977 debug1: Authenticating to gitlab.com:22 as 'git'
     #16 0.977 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 0.977 debug3: send packet: type 20
     #16 0.977 debug1: SSH2_MSG_KEXINIT sent
     #16 0.994 debug3: receive packet: type 20
     #16 0.994 debug1: SSH2_MSG_KEXINIT received
     #16 0.994 debug2: local client KEXINIT proposal
     #16 0.994 debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
     #16 0.994 debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     #16 0.994 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
     #16 0.994 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
     #16 0.994 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: compression ctos: none,[email protected],zlib
     #16 0.994 debug2: compression stoc: none,[email protected],zlib
     #16 0.994 debug2: languages ctos:
     #16 0.994 debug2: languages stoc:
     #16 0.994 debug2: first_kex_follows 0
     #16 0.994 debug2: reserved 0
     #16 0.994 debug2: peer server KEXINIT proposal
     #16 0.994 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
     #16 0.994 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
     #16 0.994 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     #16 0.994 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     #16 0.994 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: compression ctos: none,[email protected]
     #16 0.994 debug2: compression stoc: none,[email protected]
     #16 0.994 debug2: languages ctos:
     #16 0.994 debug2: languages stoc:
     #16 0.994 debug2: first_kex_follows 0
     #16 0.994 debug2: reserved 0
     #16 0.994 debug1: kex: algorithm: [email protected]
     #16 0.994 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
     #16 0.994 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
     #16 0.994 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
     #16 1.014 debug3: send packet: type 30
     #16 1.014 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
     #16 1.182 debug3: receive packet: type 31
     #16 1.185 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
     #16 1.186 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 1.187 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 1.187 debug1: read_passphrase: can't open /dev/tty: No such device or address
     #16 1.188 Host key verification failed.
     ------
     executor failed running [/bin/sh -c ssh -Tvvv [email protected]]: exit code: 255    
    

我尝试了很多次,但到目前为止,我还是无法解决错误read_passphrase: can't open /dev/tty: No such device or address。该文件存在,否则我无法使用将其权限更改为 666。chmod 666 /dev/tty我猜想只需要一个终端就可以输入一个空密码。

如何使用无密码 SSH 密钥对从 GitLab 克隆 repo,并且只使用一个 Dockerfile?

如果没有机会在一个 Dockerfile 中执行此操作,则可接受的解决方法是使用 docker-compose 文件;但这不是首选答案。

编辑:查看容器时可以找到所需的路径和文件。

(The start was: docker build -t . --build-arg ssh_prv_key="$(cat ./.ssh/id_rsa)", until the end of the working code only!)
docker run -d -it --name test_bash -d NEW_IMAGENAME:latest
docker exec -it test_bash bash
cd root/.ssh;ls

最后一个命令显示 id_rsa 和 known_hosts。

d3cbc35351fd / # cd root/.ssh;ls
id_rsa  known_hosts

如果我在容器内运行,系统会要求我输入密码:d3cbc35351fd .ssh # ssh -Tvvv [email protected]

Enter passphrase for key '/root/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa':
debug2: no passphrase given, try next key

这是使用“”,''并直接按下回车键的尝试,但它们都不起作用。

如果我无法在 Dockerfile 中使用 SSH,也无法在该 Dockerfile 映像的容器中使用 SSH,我想知道是否可以从 Dockerfile 或容器中克隆存储库。我猜抑制密码输入将是解决这个问题的下一个重要步骤,但即使这样也可能无法完全解决问题,因为我已经尝试在容器中输入一个空密码,但无济于事。

答案1

如果出于安全原因想要删除图像中的私钥,或者需要更多信息,请参阅在 Docker 容器内使用 SSH 密钥并给出更为详尽的答案。


主要错误是由于

echo "$ssh_prv_key" > /root/.ssh/id_rsa

它传递了格式错误的 ssh_prv_key,虽然私钥需要很多行,但只传递了一行。这个想法来自在docker文件中将私钥添加到ssh-agent这暗示着Gitlab CI/Docker:ssh-add 不断要求输入密码

--> 因此,不要使用RUN echo ...私钥,而是使用COPY ...!!!

另一个小错误是,它不起作用,但是RUN ssh -o StrictHostKeyChecking=no [email protected] || true

两个都

RUN echo "Host *\n\t StrictHostKeyChecking no" >> /etc/ssh/ssh_config

RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts 

工作并达到同一目标,只需选择其中之一。

另一个步骤是放下ssh-agentssh-add。只有在以下情况下才需要这两个步骤密码,请参阅在docker文件中将私钥添加到ssh-agent

它现在正在工作。

Dockerfile 如下所示:

FROM ubuntu:latest
RUN apt-get update && apt-get install -y git
RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh
COPY /.ssh/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts
RUN git clone [email protected]:GITLAB_USERNAME/test.git
RUN rm -r /root/.ssh

要从 Dockerfile 创建映像:

  • 转到 Dockerfile 的目录。

  • 将您的私钥“id_rsa”(或任何您拥有的名称,然后当然更改代码)粘贴到新的子文件夹“/.ssh/”(或将其粘贴到 Dockerfile 目录中并将代码更改为COPY id_rsa /root/.ssh/id_rsa)。

  • 开始 (不要忘记最后的“。”,这是构建上下文):

    docker build -t test .
    

答案2

ssh-agent 在构建过程中没有按预期工作,但是您根本不需要它。

我构建了一个可以工作的最小样本

FROM ubuntu:latest
ARG ssh_prv_key

RUN apt-get update \
&& apt-get install -y git

RUN mkdir -p /root/.ssh &&  chmod 700 /root/.ssh

RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa

# Check if the key was successfully copied
# RUN cat -n /root/.ssh/id_rsa

# Dummy ssh to store the host into known_hosts
# The expected output is something like: 
# Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
RUN ssh -T -o StrictHostKeyChecking=no [email protected] || true

RUN git clone ssh://[email protected]/<myrepo>

答案3

在我的例子中,错误read_passphrase: can't open /dev/tty: No such device or address是由 ssh 提示添加新主机的权限引起的。根据这个答案添加到你的 ssh 配置中

StrictHostKeyChecking no

如果您的 ssh 客户端支持它,accept-new则出于no安全考虑请使用 。

相关内容