From 1e2e5e16c1c52e935bba5bea8738c3323dd7df03 Mon Sep 17 00:00:00 2001 From: Jaeho Shin Date: Tue, 24 Jan 2017 06:42:04 -0800 Subject: [PATCH 01/43] Fixes tini path --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 09e82d4..8bf3f66 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,5 +8,5 @@ RUN mkdir /root/.ssh && \ COPY ssh-find-agent.sh /root/ssh-find-agent.sh EXPOSE 22 VOLUME ["/root/.ssh/authorized_keys"] -ENTRYPOINT ["/usr/bin/tini","--"] +ENTRYPOINT ["/sbin/tini","--"] CMD ["/usr/sbin/sshd","-D"] From e565e45ab9b72c421560628463b4d4446c74ec69 Mon Sep 17 00:00:00 2001 From: Jaeho Shin Date: Tue, 24 Jan 2017 06:42:20 -0800 Subject: [PATCH 02/43] Ensures ssh uses no connection sharing (`-S none`) --- pinata-ssh-forward.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 4b236d4..9f9a738 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -18,7 +18,7 @@ IP=`docker inspect --format '{{(index (index .NetworkSettings.Ports "22/tcp") 0) ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${LOCAL_STATE}/known_hosts 2>/dev/null ssh -f -o "UserKnownHostsFile=${LOCAL_STATE}/known_hosts" \ - -A -p ${LOCAL_PORT} root@${IP} \ + -A -S none -p ${LOCAL_PORT} root@${IP} \ /root/ssh-find-agent.sh echo 'Agent forwarding successfully started.' From 99bca4ca28ad2858288bf266b4e832ccb03cc88b Mon Sep 17 00:00:00 2001 
From: Charlie Leathers Date: Tue, 24 Jan 2017 18:11:37 -0800 Subject: [PATCH 03/43] Updates installation directions to include cd command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hi. First off, great project! It's been super helpful at work, so keep up the good work 👍 I'd like to add a `cd` command to your README.md. My coworker was attempting to get a project going earlier today and didn't think to change directories into the repo which ended up causing him some trouble. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1389361..b0370c0 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Assuming you have a `/usr/local` ``` $ git clone git://github.com/avsm/docker-ssh-agent-forward +$ cd docker-ssh-agent-forward $ make $ make install ``` From d79b54f4204649e9e4f68becae3b237521f5998e Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Fri, 3 Feb 2017 19:49:56 +0100 Subject: [PATCH 04/43] Volume-based approach (WIP) --- Dockerfile | 10 +++++----- Makefile | 2 +- docker-entrypoint.sh | 5 +++++ pinata-build-sshd.sh | 1 - pinata-ssh-forward.sh | 16 +++++++++++----- pinata-ssh-mount.sh | 4 +--- ssh-find-agent.sh | 9 --------- ssh-forward-agent.sh | 4 ++++ 8 files changed, 27 insertions(+), 24 deletions(-) create mode 100755 docker-entrypoint.sh delete mode 100755 ssh-find-agent.sh create mode 100755 ssh-forward-agent.sh diff --git a/Dockerfile b/Dockerfile index 09e82d4..20c5327 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,12 +1,12 @@ FROM alpine MAINTAINER Anil Madhavapeddy -RUN apk update && apk add openssh && \ - apk add --update --repository http://dl-cdn.alpinelinux.org/alpine/edge/community/ tini +RUN apk update && apk add openssh socat RUN mkdir /root/.ssh && \ chmod 700 /root/.ssh && \ ssh-keygen -A -COPY ssh-find-agent.sh /root/ssh-find-agent.sh +COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh +COPY docker-entrypoint.sh / EXPOSE 22 -VOLUME ["/root/.ssh/authorized_keys"] -ENTRYPOINT ["/usr/bin/tini","--"] +VOLUME ["/ssh-agent"] +ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["/usr/sbin/sshd","-D"] diff --git a/Makefile b/Makefile index 49c0488..038f634 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ install: @mkdir -p $(PREFIX)/share/pinata-ssh-agent cp Dockerfile $(PREFIX)/share/pinata-ssh-agent cp ssh-build.sh $(PREFIX)/share/pinata-ssh-agent/ssh-build - cp ssh-find-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-find-agent.sh + cp ssh-forward-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-forward-agent.sh @mkdir -p $(BINDIR) cp pinata-build-sshd.sh $(BINDIR)/pinata-build-sshd cp pinata-ssh-forward.sh $(BINDIR)/pinata-ssh-forward diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100755 index 0000000..09d23df --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,5 @@ +#!/bin/sh +set -e +cp /tmp/.pinata-sshd/authorized_keys /root/.ssh/authorized_keys +chown root:root /root/.ssh/authorized_keys +exec "$@" diff --git a/pinata-build-sshd.sh b/pinata-build-sshd.sh index 23e9a85..99b6e0d 100755 --- a/pinata-build-sshd.sh +++ b/pinata-build-sshd.sh @@ -1,4 +1,3 @@ #!/bin/sh -cd /usr/local/share/pinata-ssh-agent docker build -t pinata-sshd . diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 4b236d4..7ad3244 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -1,4 +1,5 @@ -#!/bin/sh -e +#!/bin/sh +set -e IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd 
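Review bot: The new docker-entrypoint.sh copies authorized_keys out of the bind-mounted host directory but never sets its mode, so the file inherits the host file's permissions (masked by umask); sshd's StrictModes check, on by default, refuses an authorized_keys that is group- or world-writable, and that only surfaces later as a publickey rejection. Add `chmod 600 /root/.ssh/authorized_keys` right after the `chown` line. The same missing chmod applies to the rewrites of this script in [PATCH 06/43] and [PATCH 15/43].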
@@ -9,17 +10,22 @@ docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true rm -rf ${LOCAL_STATE} mkdir -p ${LOCAL_STATE} +ssh-add -L >${LOCAL_STATE}/authorized_keys + docker run --name ${CONTAINER_NAME} \ - -v ~/.ssh/id_rsa.pub:/root/.ssh/authorized_keys \ - -v ${LOCAL_STATE}:/tmp \ + -v ${LOCAL_STATE}:/tmp/.pinata-sshd \ -d -p ${LOCAL_PORT}:22 ${IMAGE_NAME} > /dev/null -IP=`docker inspect --format '{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostIp }}' ${CONTAINER_NAME}` +if [ "${DOCKER_HOST}" ]; then + IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') +else + IP=127.0.0.1 +fi ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${LOCAL_STATE}/known_hosts 2>/dev/null ssh -f -o "UserKnownHostsFile=${LOCAL_STATE}/known_hosts" \ -A -p ${LOCAL_PORT} root@${IP} \ - /root/ssh-find-agent.sh + /root/ssh-forward-agent.sh echo 'Agent forwarding successfully started.' echo 'Run "pinata-ssh-mount" to get a command-line fragment that' diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index 9835091..9a8dad0 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,5 +1,3 @@ #!/bin/sh -LOCAL_STATE=~/.pinata-sshd -AGENT=`cat ${LOCAL_STATE}/agent_socket_path | sed -e 's,/tmp/,,g'` -echo "-v ${LOCAL_STATE}/$AGENT:/tmp/ssh-agent.sock --env SSH_AUTH_SOCK=/tmp/ssh-agent.sock" +echo "--volumes-from pinata-sshd --env SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" diff --git a/ssh-find-agent.sh b/ssh-find-agent.sh deleted file mode 100755 index 9dfb677..0000000 --- a/ssh-find-agent.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -e -# Log the location of the SSH agent to a file - -finish() { - rm -f /tmp/agent_socket_path -} -trap finish EXIT -echo $SSH_AUTH_SOCK > /tmp/agent_socket_path -tail -f /dev/null diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh new file mode 100755 index 0000000..d3fe0a7 --- /dev/null +++ b/ssh-forward-agent.sh 
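Review bot: The new DOCKER_HOST parsing only works for a `tcp://host:port` value; for the common `unix:///var/run/docker.sock` form the two awk splits leave `/var/run/docker.sock` in IP and ssh is then pointed at `root@/var/run/docker.sock`. A `case` on the scheme handles both forms and also drops the unquoted `echo $DOCKER_HOST` pipeline. The added `ssh-add -L >${LOCAL_STATE}/authorized_keys` line authorizes every identity currently loaded in the agent for root inside the container, which deserves a comment so users understand the scope; the script continues past the hunk on both sides.
```shell
case "${DOCKER_HOST}" in
  tcp://*)
    IP=${DOCKER_HOST#tcp://}   # strip the scheme, then the :port suffix
    IP=${IP%%:*}
    ;;
  *)
    IP=127.0.0.1               # unset or unix:// socket: the daemon is local
    ;;
esac
# … unchanged: ssh-keyscan and the ssh -f -A invocation …
```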
@@ -0,0 +1,4 @@ +#!/bin/sh -e +# Forward SSH agent socket to a well-known location + +socat UNIX-LISTEN:/ssh-agent/ssh-agent.sock,fork UNIX-CONNECT:$SSH_AUTH_SOCK From 186366c470841fa7bdb17b82af910166fcdd55d0 Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Sun, 5 Feb 2017 04:36:49 +0100 Subject: [PATCH 05/43] Make pinata-ssh-mount fish compatible --- pinata-ssh-mount.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index 9a8dad0..0d65a4e 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,3 +1,4 @@ #!/bin/sh -echo "--volumes-from pinata-sshd --env SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" +echo "--volumes-from=pinata-sshd" +echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" From 2ba664c04c62a0e746a24b128c36d28862c3df12 Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Sun, 5 Feb 2017 13:40:49 +0100 Subject: [PATCH 06/43] Inject authorized keys via env instead of volume --- docker-entrypoint.sh | 2 +- pinata-ssh-forward.sh | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 09d23df..6a23658 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/sh set -e -cp /tmp/.pinata-sshd/authorized_keys /root/.ssh/authorized_keys +echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys chown root:root /root/.ssh/authorized_keys exec "$@" diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 7ad3244..b389a59 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh 
@@ -5,15 +5,14 @@ IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd LOCAL_STATE=~/.pinata-sshd LOCAL_PORT=2244 +AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true rm -rf ${LOCAL_STATE} mkdir -p ${LOCAL_STATE} -ssh-add -L >${LOCAL_STATE}/authorized_keys - docker run --name ${CONTAINER_NAME} \ - -v ${LOCAL_STATE}:/tmp/.pinata-sshd \ + -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ -d -p ${LOCAL_PORT}:22 ${IMAGE_NAME} > /dev/null if [ "${DOCKER_HOST}" ]; then From 01524e42c11403c824eadb9f927c3f175565ec7c Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Sun, 5 Feb 2017 13:58:56 +0100 Subject: [PATCH 07/43] Use temp file for known hosts --- pinata-ssh-forward.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index b389a59..e5d431f 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -3,13 +3,13 @@ set -e IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd -LOCAL_STATE=~/.pinata-sshd LOCAL_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) +KNOWN_HOSTS_FILE=$(mktemp) + +trap "rm ${KNOWN_HOSTS_FILE}" EXIT docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true -rm -rf ${LOCAL_STATE} -mkdir -p ${LOCAL_STATE} docker run --name ${CONTAINER_NAME} \ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ @@ -20,9 +20,9 @@ if [ "${DOCKER_HOST}" ]; then else IP=127.0.0.1 fi -ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${LOCAL_STATE}/known_hosts 2>/dev/null +ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null -ssh -f -o "UserKnownHostsFile=${LOCAL_STATE}/known_hosts" \ +ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ -A -p ${LOCAL_PORT} root@${IP} \ /root/ssh-forward-agent.sh From d615ba5d2893b592694524156cede98b75b96a15 Mon Sep 17 00:00:00 2001 
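Review bot: Redirecting `ssh-keyscan` straight into the fresh known_hosts file still trusts whatever key answers on `${IP}:${LOCAL_PORT}`, and with DOCKER_HOST set that scan goes over the network to the remote daemon, so an on-path host presenting its own key would receive the forwarded agent; the `2>/dev/null` also hides a scan that got no answer because sshd in the just-started container is not listening yet, which leaves an empty file. Since the script owns the container it can read the host key through the Docker API instead of scanning: `docker exec "${CONTAINER_NAME}" sh -c 'cat /etc/ssh/ssh_host_*_key.pub' | sed "s|^|[${IP}]:${LOCAL_PORT} |" >"${KNOWN_HOSTS_FILE}"`, which also removes the startup race because the keys already exist from the `ssh-keygen -A` build step. The `ssh -f … -A` invocation that consumes the file continues beyond the hunk.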
From: Martin Honermeyer Date: Sun, 5 Feb 2017 14:14:04 +0100 Subject: [PATCH 08/43] Rename LOCAL_* variables to HOST_* (because that's what it is now) --- pinata-ssh-forward.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index e5d431f..1544909 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -3,7 +3,7 @@ set -e IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd -LOCAL_PORT=2244 +HOST_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) KNOWN_HOSTS_FILE=$(mktemp) @@ -13,17 +13,17 @@ docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true docker run --name ${CONTAINER_NAME} \ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ - -d -p ${LOCAL_PORT}:22 ${IMAGE_NAME} > /dev/null + -d -p ${HOST_PORT}:22 ${IMAGE_NAME} > /dev/null if [ "${DOCKER_HOST}" ]; then - IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') + HOST_IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') else - IP=127.0.0.1 + HOST_IP=127.0.0.1 fi -ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null +ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ - -A -p ${LOCAL_PORT} root@${IP} \ + -A -p ${HOST_PORT} root@${HOST_IP} \ /root/ssh-forward-agent.sh echo 'Agent forwarding successfully started.' From 979dd6a4e73e34856f813f16b3acc55cfba8c06a Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Mon, 6 Feb 2017 23:54:34 +0100 Subject: [PATCH 09/43] Make agent socket accessible by all --- ssh-forward-agent.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh index d3fe0a7..9d07372 100755 --- a/ssh-forward-agent.sh +++ b/ssh-forward-agent.sh @@ -2,3 +2,4 @@ # Forward SSH agent socket to a well-known location socat UNIX-LISTEN:/ssh-agent/ssh-agent.sock,fork UNIX-CONNECT:$SSH_AUTH_SOCK +chmod 777 /ssh-agent/ssh-agent.sock 
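Review bot: The added `chmod 777` is unreachable while the forwarder is in use: `socat UNIX-LISTEN:…,fork` stays in the foreground for the life of the script, so the chmod only runs after socat exits, and by then socat has (by default) unlinked the socket. socat can set the mode at creation with the `mode=` option on the UNIX-LISTEN address, e.g. `socat UNIX-LISTEN:/ssh-agent/ssh-agent.sock,fork,mode=777 UNIX-CONNECT:"$SSH_AUTH_SOCK"`. Either way a 777 socket exposes the agent to every uid in any container that mounts /ssh-agent, which the header comment should state so operators know the trust boundary.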
From 2b35f4fe82071c4adb73dc74bac9537527dba8bc Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Tue, 7 Feb 2017 00:47:18 +0100 Subject: [PATCH 10/43] Make ssh-agent a named volume --- pinata-ssh-forward.sh | 4 ++++ pinata-ssh-mount.sh | 2 +- ssh-forward-agent.sh | 5 +++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 1544909..6544faf 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -3,6 +3,7 @@ set -e IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd +VOLUME_NAME=ssh-agent HOST_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) KNOWN_HOSTS_FILE=$(mktemp) @@ -11,8 +12,11 @@ trap "rm ${KNOWN_HOSTS_FILE}" EXIT docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true +docker volume create ${VOLUME_NAME} + docker run --name ${CONTAINER_NAME} \ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ + -v ${VOLUME_NAME}:/ssh-agent \ -d -p ${HOST_PORT}:22 ${IMAGE_NAME} > /dev/null if [ "${DOCKER_HOST}" ]; then diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index 0d65a4e..3a70aae 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,4 +1,4 @@ #!/bin/sh -echo "--volumes-from=pinata-sshd" +echo "--volume=ssh-agent:/ssh-agent" echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh index 9d07372..0022f40 100755 --- a/ssh-forward-agent.sh +++ b/ssh-forward-agent.sh @@ -1,5 +1,6 @@ #!/bin/sh -e # Forward SSH agent socket to a well-known location +FORWARDED_SOCKET=/ssh-agent/ssh-agent.sock -socat UNIX-LISTEN:/ssh-agent/ssh-agent.sock,fork UNIX-CONNECT:$SSH_AUTH_SOCK -chmod 777 /ssh-agent/ssh-agent.sock +rm -f ${FORWARDED_SOCKET} +socat UNIX-LISTEN:${FORWARDED_SOCKET},fork,mode=777 UNIX-CONNECT:${SSH_AUTH_SOCK} From e79d9cad577f7864f04961764a425e09feebc11b Mon Sep 17 00:00:00 2001 
From: Martin Honermeyer Date: Tue, 7 Feb 2017 17:46:42 +0100 Subject: [PATCH 11/43] Fix for new volume create syntax --- pinata-ssh-forward.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 6544faf..a46e776 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -12,7 +12,7 @@ trap "rm ${KNOWN_HOSTS_FILE}" EXIT docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true -docker volume create ${VOLUME_NAME} +docker volume create --name ${VOLUME_NAME} docker run --name ${CONTAINER_NAME} \ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ From f5567fda112650e7fa1952b9633e9be4b6583d4d Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:00:10 -0800 Subject: [PATCH 12/43] combine apk commands --- Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 20c5327..3d80995 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,20 @@ FROM alpine MAINTAINER Anil Madhavapeddy -RUN apk update && apk add openssh socat + +RUN apk add --no-cache openssh socat + RUN mkdir /root/.ssh && \ chmod 700 /root/.ssh && \ ssh-keygen -A + COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh + COPY docker-entrypoint.sh / + EXPOSE 22 + VOLUME ["/ssh-agent"] + ENTRYPOINT ["/docker-entrypoint.sh"] + CMD ["/usr/sbin/sshd","-D"] From 953624dc3b3ea8a1bee60478a43966d4af7accc6 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:04:09 -0800 Subject: [PATCH 13/43] run ssh-add -l during forward setup --- pinata-ssh-forward.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index c3f10d0..39577dd 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh 
@@ -26,6 +26,10 @@ else fi ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null +ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ + -A -S none -p ${HOST_PORT} root@${HOST_IP} \ + ssh-add -l + ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ -A -S none -p ${HOST_PORT} root@${HOST_IP} \ /root/ssh-forward-agent.sh From b495728672f5e9c3db1284e8d0303faf66d08fe9 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:07:22 -0800 Subject: [PATCH 14/43] line breaks for readability --- pinata-ssh-forward.sh | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 39577dd..b4f4aa4 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -1,5 +1,5 @@ #!/bin/sh -set -e +set -eo pipefail IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd 
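Review bot: `set -eo pipefail` under `#!/bin/sh` is not portable: POSIX sh before the 2024 edition has no `pipefail`, and on hosts where /bin/sh is an older dash the script aborts on this line with an illegal-option error before anything runs, while busybox ash in the Alpine image and bash-as-sh on macOS accept it. Either switch the host-side scripts to `#!/usr/bin/env bash` or keep `set -e` and check `${AUTHORIZED_KEYS}` explicitly after the `ssh-add -L | base64` pipeline. The same applies to the `set -eo pipefail` lines [PATCH 15/43] adds to pinata-build-sshd.sh, pinata-ssh-mount.sh and ssh-build.sh; the container-side scripts run on busybox ash and are unaffected.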
@@ -10,28 +10,41 @@ KNOWN_HOSTS_FILE=$(mktemp) trap "rm ${KNOWN_HOSTS_FILE}" EXIT -docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true +docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true -docker volume create --name ${VOLUME_NAME} +docker volume create --name "${VOLUME_NAME}" -docker run --name ${CONTAINER_NAME} \ +docker run \ + --name "${CONTAINER_NAME}" \ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \ -v ${VOLUME_NAME}:/ssh-agent \ - -d -p ${HOST_PORT}:22 ${IMAGE_NAME} > /dev/null + -d \ + -p "${HOST_PORT}:22" \ + ${IMAGE_NAME} >/dev/null if [ "${DOCKER_HOST}" ]; then HOST_IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') else HOST_IP=127.0.0.1 fi -ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null - -ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ - -A -S none -p ${HOST_PORT} root@${HOST_IP} \ +ssh-keyscan -p ${HOST_PORT} ${HOST_IP} >${KNOWN_HOSTS_FILE} 2>/dev/null + +ssh \ + -A \ + -f \ + -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ + -p "${HOST_PORT}" \ + -S none \ + "root@${HOST_IP}" \ ssh-add -l -ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ - -A -S none -p ${HOST_PORT} root@${HOST_IP} \ +ssh \ + -A \ + -f \ + -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ + -p "${HOST_PORT}" \ + -S none \ + "root@${HOST_IP}" \ /root/ssh-forward-agent.sh echo 'Agent forwarding successfully started.' From 9defdce3d6d3bf0e55933856efd1e79594e9a622 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:08:25 -0800 Subject: [PATCH 15/43] always exit on any error --- docker-entrypoint.sh | 7 +++++-- pinata-build-sshd.sh | 1 + pinata-ssh-mount.sh | 1 + ssh-build.sh | 1 + ssh-forward-agent.sh | 4 +++- 5 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 6a23658..9bf0894 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
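Review bot: The quoting pass in this hunk is incomplete: `-v ${VOLUME_NAME}:/ssh-agent \` and `${IMAGE_NAME} >/dev/null` stay unquoted while the neighbouring `--name`, `-p` and `root@` arguments are quoted, and the `ssh-keyscan -p ${HOST_PORT} ${HOST_IP} >${KNOWN_HOSTS_FILE}` line is likewise left bare. Quoting them as `-v "${VOLUME_NAME}:/ssh-agent" \` and `"${IMAGE_NAME}" >/dev/null` keeps the style uniform and lets shellcheck pass clean. The script continues past the hunk on both sides.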
@@ -1,5 +1,8 @@ #!/bin/sh -set -e -echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys +set -eo pipefail + +echo "$AUTHORIZED_KEYS" | base64 -d >/root/.ssh/authorized_keys + chown root:root /root/.ssh/authorized_keys + exec "$@" diff --git a/pinata-build-sshd.sh b/pinata-build-sshd.sh index 99b6e0d..f72ef14 100755 --- a/pinata-build-sshd.sh +++ b/pinata-build-sshd.sh @@ -1,3 +1,4 @@ #!/bin/sh +set -eo pipefail docker build -t pinata-sshd . diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index 3a70aae..24fc284 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,4 +1,5 @@ #!/bin/sh +set -eo pipefail echo "--volume=ssh-agent:/ssh-agent" echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" diff --git a/ssh-build.sh b/ssh-build.sh index 4a65084..a8dfcaf 100755 --- a/ssh-build.sh +++ b/ssh-build.sh @@ -1,4 +1,5 @@ #!/bin/sh +set -eo pipefail IMAGE_NAME=pinata-sshd diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh index 0022f40..cddaf44 100755 --- a/ssh-forward-agent.sh +++ b/ssh-forward-agent.sh @@ -1,5 +1,7 @@ -#!/bin/sh -e +#!/bin/sh # Forward SSH agent socket to a well-known location +set -eo pipefail + FORWARDED_SOCKET=/ssh-agent/ssh-agent.sock rm -f ${FORWARDED_SOCKET} From a3235dd1773f477daa263b0aa13e2976d0ff527f Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:11:22 -0800 Subject: [PATCH 16/43] shellcheck --- pinata-ssh-forward.sh | 6 +++--- ssh-forward-agent.sh | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index b4f4aa4..76aba75 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -8,7 +8,7 @@ HOST_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) KNOWN_HOSTS_FILE=$(mktemp) -trap "rm ${KNOWN_HOSTS_FILE}" EXIT +trap 'rm ${KNOWN_HOSTS_FILE}' EXIT docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true 
@@ -23,11 +23,11 @@ docker run \ ${IMAGE_NAME} >/dev/null if [ "${DOCKER_HOST}" ]; then - HOST_IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') + HOST_IP=$(echo "$DOCKER_HOST" | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') else HOST_IP=127.0.0.1 fi -ssh-keyscan -p ${HOST_PORT} ${HOST_IP} >${KNOWN_HOSTS_FILE} 2>/dev/null +ssh-keyscan -p "${HOST_PORT}" "${HOST_IP}" >"${KNOWN_HOSTS_FILE}" 2>/dev/null ssh \ -A \ diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh index cddaf44..33e0fa2 100755 --- a/ssh-forward-agent.sh +++ b/ssh-forward-agent.sh @@ -4,5 +4,7 @@ set -eo pipefail FORWARDED_SOCKET=/ssh-agent/ssh-agent.sock -rm -f ${FORWARDED_SOCKET} -socat UNIX-LISTEN:${FORWARDED_SOCKET},fork,mode=777 UNIX-CONNECT:${SSH_AUTH_SOCK} +[ -z "$SSH_AUTH_SOCK" ] && exit 1 + +rm -f "${FORWARDED_SOCKET}" +socat UNIX-LISTEN:"${FORWARDED_SOCKET}",fork,mode=777 UNIX-CONNECT:"${SSH_AUTH_SOCK}" From 68c211eccb49ce497b4770a129b6a417db713393 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:15:40 -0800 Subject: [PATCH 17/43] remove duplicate script --- ssh-build.sh | 6 ------ 1 file changed, 6 deletions(-) delete mode 100755 ssh-build.sh diff --git a/ssh-build.sh b/ssh-build.sh deleted file mode 100755 index a8dfcaf..0000000 --- a/ssh-build.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -set -eo pipefail - -IMAGE_NAME=pinata-sshd - -docker build -q -t ${IMAGE_NAME} . From c5d235399d2c92ee15ca6c2c9e00e67ff45136d3 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:16:15 -0800 Subject: [PATCH 18/43] move to hub.docker.com/r/uber --- README.md | 2 +- pinata-build-sshd.sh | 2 +- pinata-ssh-forward.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b0370c0..8008618 100644 --- a/README.md +++ b/README.md 
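Review bot: The added `[ -z "$SSH_AUTH_SOCK" ] && exit 1` in ssh-forward-agent.sh fails silently, so when the session arrives without agent forwarding the container-side script exits with no diagnostic, and the host-side script still prints 'Agent forwarding successfully started.' since its `ssh -f` returns before the remote command runs. `: "${SSH_AUTH_SOCK:?no agent socket was forwarded (connect with ssh -A)}"` gives the same guard with a message on stderr, and adding `[ -S "$SSH_AUTH_SOCK" ]` catches a stale path as well.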
@@ -7,7 +7,7 @@ Still experimental -- contact anil@recoil.org if you want help. Assuming you have a `/usr/local` ``` -$ git clone git://github.com/avsm/docker-ssh-agent-forward +$ git clone git://github.com/uber/docker-ssh-agent-forward $ cd docker-ssh-agent-forward $ make $ make install diff --git a/pinata-build-sshd.sh b/pinata-build-sshd.sh index f72ef14..a3242a7 100755 --- a/pinata-build-sshd.sh +++ b/pinata-build-sshd.sh @@ -1,4 +1,4 @@ #!/bin/sh set -eo pipefail -docker build -t pinata-sshd . +docker build -t uber/ssh-agent-forward . diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 76aba75..1897372 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -1,7 +1,7 @@ #!/bin/sh set -eo pipefail -IMAGE_NAME=pinata-sshd +IMAGE_NAME=uber/ssh-agent-forward CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 From de4c4ba5023d1e5ecc825be420333ecdd98a4635 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 7 Feb 2017 17:22:30 -0800 Subject: [PATCH 19/43] fixes --- README.md | 9 ++++++++- pinata-ssh-forward.sh | 12 ++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8008618..4f9089f 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ and the you can run `pinata-ssh-mount` to get a Docker CLI fragment that adds the SSH agent socket and set `SSH_AUTH_SOCK` within the container. ``` -$ pinata-ssh-mount +$ pinata-ssh-mount -v /Users/avsm/.pinata-sshd/ssh-1azk9Mmd27/agent.16:/tmp/ssh-agent.sock --env SSH_AUTH_SOCK=/tmp/ssh-agent.sock $ docker run -it `pinata-ssh-mount` ocaml/opam ssh git@github.com @@ -36,6 +36,13 @@ Hi avsm! You've successfully authenticated, but GitHub does not provide shell ac Connection to github.com closed. ``` +## TODO + +pinata-docker-pull.sh script + +update this readme to match the new socat stuff + + ## Contributors * Justin Cormack diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index 1897372..4866396 100755 --- a/pinata-ssh-forward.sh 
+++ b/pinata-ssh-forward.sh @@ -5,11 +5,16 @@ IMAGE_NAME=uber/ssh-agent-forward CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 -AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) KNOWN_HOSTS_FILE=$(mktemp) trap 'rm ${KNOWN_HOSTS_FILE}' EXIT +if [ "$(uname)" = "Darwin" ]; then + AUTHORIZED_KEYS=$(ssh-add -L | base64) +else + AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) +fi + docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true docker volume create --name "${VOLUME_NAME}" @@ -20,7 +25,7 @@ docker run \ -v ${VOLUME_NAME}:/ssh-agent \ -d \ -p "${HOST_PORT}:22" \ - ${IMAGE_NAME} >/dev/null + "${IMAGE_NAME}" >/dev/null if [ "${DOCKER_HOST}" ]; then HOST_IP=$(echo "$DOCKER_HOST" | awk -F '//' '{print $2}' | awk -F ':' '{print $1}') @@ -31,7 +36,6 @@ ssh-keyscan -p "${HOST_PORT}" "${HOST_IP}" >"${KNOWN_HOSTS_FILE}" 2>/dev/null ssh \ -A \ - -f \ -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ -p "${HOST_PORT}" \ -S none \ @@ -52,4 +56,4 @@ echo 'Run "pinata-ssh-mount" to get a command-line fragment that' echo 'can be added to "docker run" to mount the SSH agent socket.' echo "" echo 'For example:' -echo 'docker run -it `pinata-ssh-mount` ocaml/opam ssh git@github.com' +echo "docker run -it \$(pinata-ssh-mount) uber/ssh-agent-forward ssh -T git@github.com" From d4fca3abf0a75127720788cf22fc66216773b4f4 Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Wed, 8 Feb 2017 08:44:07 +0100 Subject: [PATCH 20/43] Work around missing base64 option on OSX --- pinata-ssh-forward.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index a46e776..b489c83 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -5,7 +5,7 @@ IMAGE_NAME=pinata-sshd CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 -AUTHORIZED_KEYS=$(ssh-add -L | base64 -w0) +AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n') KNOWN_HOSTS_FILE=$(mktemp) trap "rm ${KNOWN_HOSTS_FILE}" EXIT 
From 976c723c1a5021cae61a29dd732c90baa5033382 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 10:51:14 -0800 Subject: [PATCH 21/43] rearrange for less layer rebuilds --- Dockerfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3d80995..074ea3f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ FROM alpine -MAINTAINER Anil Madhavapeddy RUN apk add --no-cache openssh socat @@ -7,14 +6,13 @@ RUN mkdir /root/.ssh && \ chmod 700 /root/.ssh && \ ssh-keygen -A -COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh - -COPY docker-entrypoint.sh / - EXPOSE 22 VOLUME ["/ssh-agent"] ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["/usr/sbin/sshd","-D"] +CMD ["/usr/sbin/sshd", "-D"] + +COPY docker-entrypoint.sh / +COPY ssh-entrypoint.sh / From 76a95d816daa8f4e20e730d97492a0868a032fed Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 10:54:35 -0800 Subject: [PATCH 22/43] pin to alpine 3.5 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 074ea3f..0de5cf6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine +FROM alpine:3.5 RUN apk add --no-cache openssh socat From 3e0b7254b2303cd155d0da1f0127f9d91608f48c Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 10:55:34 -0800 Subject: [PATCH 23/43] pull from dockerhub instead of build --- Makefile | 4 +--- pinata-ssh-pull.sh | 2 ++ 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 pinata-ssh-pull.sh diff --git a/Makefile b/Makefile index 038f634..31e6642 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ all: - ./pinata-build-sshd.sh + ./pinata-ssh-pull.sh @echo Please run "make install" PREFIX ?= /usr/local 
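Review bot: The rearranged Dockerfile now copies `ssh-entrypoint.sh`, but as far as this series shows the file is still named ssh-forward-agent.sh at this commit (the rename only lands in [PATCH 24/43]), so `docker build` fails on the `COPY ssh-entrypoint.sh /` line; it also drops the copy to /root/ssh-forward-agent.sh while pinata-ssh-forward.sh keeps invoking `/root/ssh-forward-agent.sh` until that same patch. Landing the rename, the COPY and the caller change in one commit keeps every commit buildable. Moving the COPY lines after CMD is fine for caching, but a comment such as `# scripts change most often: copy them last so the apk/ssh-keygen layers stay cached` would explain the unusual order.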
@@ -8,8 +8,6 @@ BINDIR ?= $(PREFIX)/bin install: @if [ ! -d "$(PREFIX)" ]; then echo Error: need a $(PREFIX) directory; exit 1; fi @mkdir -p $(PREFIX)/share/pinata-ssh-agent - cp Dockerfile $(PREFIX)/share/pinata-ssh-agent - cp ssh-build.sh $(PREFIX)/share/pinata-ssh-agent/ssh-build cp ssh-forward-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-forward-agent.sh @mkdir -p $(BINDIR) cp pinata-build-sshd.sh $(BINDIR)/pinata-build-sshd diff --git a/pinata-ssh-pull.sh b/pinata-ssh-pull.sh new file mode 100644 index 0000000..b3af313 --- /dev/null +++ b/pinata-ssh-pull.sh @@ -0,0 +1,2 @@ +#!/bin/sh +exec docker pull uber/ssh-agent-forward From 9bec4b3bd140ec0b23b9ff38dd1da90756d23ef5 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 11:05:38 -0800 Subject: [PATCH 24/43] rename and rearrange --- Makefile | 6 ++---- README.md | 22 +++++++++++++--------- pinata-build-sshd.sh | 4 ---- pinata-ssh-build.sh | 2 ++ pinata-ssh-forward.sh | 6 ++++-- pinata-ssh-pull.sh | 0 ssh-forward-agent.sh => ssh-entrypoint.sh | 0 7 files changed, 21 insertions(+), 19 deletions(-) delete mode 100755 pinata-build-sshd.sh create mode 100755 pinata-ssh-build.sh mode change 100644 => 100755 pinata-ssh-pull.sh rename ssh-forward-agent.sh => ssh-entrypoint.sh (100%) diff --git a/Makefile b/Makefile index 31e6642..3f7afeb 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ all: - ./pinata-ssh-pull.sh + ./pinata-ssh-pull.sh || ./pinata-ssh-build.sh @echo Please run "make install" PREFIX ?= /usr/local @@ -7,9 +7,7 @@ BINDIR ?= $(PREFIX)/bin install: @if [ ! -d "$(PREFIX)" ]; then echo Error: need a $(PREFIX) directory; exit 1; fi - @mkdir -p $(PREFIX)/share/pinata-ssh-agent - cp ssh-forward-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-forward-agent.sh @mkdir -p $(BINDIR) - cp pinata-build-sshd.sh $(BINDIR)/pinata-build-sshd cp pinata-ssh-forward.sh $(BINDIR)/pinata-ssh-forward cp pinata-ssh-mount.sh $(BINDIR)/pinata-ssh-mount + cp pinata-ssh-pull.sh $(BINDIR)/pinata-ssh-pull 
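Review bot: The new pinata-ssh-pull.sh pulls `uber/ssh-agent-forward` with no tag or digest, so the container that gets root access and the forwarded agent is whatever the implicit `latest` tag resolves to at pull time; pinning a digest (`uber/ssh-agent-forward@sha256:<digest>`, placeholder) or at least a version tag gives users something to verify. The file is also created with mode 100644 while the Makefile runs `./pinata-ssh-pull.sh`, so `make` fails with permission denied until the mode change in [PATCH 24/43]. Separately, because the Dockerfile runs `ssh-keygen -A` at build time, everyone who pulls the published image shares the same sshd host keys, so the keyscan-then-trust step in pinata-ssh-forward.sh cannot tell this container from any other instance of the image; generating the host keys at container start in docker-entrypoint.sh would restore that distinction.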
diff --git a/README.md b/README.md index 4f9089f..33d992d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ Forward SSH agent socket into a container -Still experimental -- contact anil@recoil.org if you want help. +Still experimental -- contact anil@recoil.org or bryan@uber.com if you want help. + ## Installation @@ -16,17 +17,18 @@ $ make install On every boot, do: ``` -$ pinata-ssh-forward +pinata-ssh-forward ``` -and the you can run `pinata-ssh-mount` to get a Docker CLI fragment -that adds the SSH agent socket and set `SSH_AUTH_SOCK` within the container. +and the you can run `pinata-ssh-mount` to get a Docker CLI fragment that adds +the SSH agent socket and sets `SSH_AUTH_SOCK` within the container. ``` $ pinata-ssh-mount --v /Users/avsm/.pinata-sshd/ssh-1azk9Mmd27/agent.16:/tmp/ssh-agent.sock --env SSH_AUTH_SOCK=/tmp/ssh-agent.sock +--volume=ssh-agent:/ssh-agent +--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock -$ docker run -it `pinata-ssh-mount` ocaml/opam ssh git@github.com +$ docker run -it $(pinata-ssh-mount) ocaml/opam ssh git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes @@ -36,15 +38,17 @@ Hi avsm! You've successfully authenticated, but GitHub does not provide shell ac Connection to github.com closed. ``` -## TODO +## Developing -pinata-docker-pull.sh script +To build an image yourself rather than fetching from Docker Hub, run `./pinata-ssh-build.sh` -update this readme to match the new socat stuff +We didn't bother installing the build script with the Makefile since using the +hub image should be the common case. ## Contributors * Justin Cormack +* https://github.com/uber/docker-ssh-agent-forward/graphs/contributors [License](LICENSE.md) is ISC. diff --git a/pinata-build-sshd.sh b/pinata-build-sshd.sh deleted file mode 100755 index a3242a7..0000000 
--- a/pinata-build-sshd.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -set -eo pipefail - -docker build -t uber/ssh-agent-forward . diff --git a/pinata-ssh-build.sh b/pinata-ssh-build.sh new file mode 100755 index 0000000..a3ceae2 --- /dev/null +++ b/pinata-ssh-build.sh @@ -0,0 +1,2 @@ +#!/bin/sh +exec docker build -t uber/ssh-agent-forward:latest . diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index f9a5ef8..ed2ddaf 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -1,7 +1,7 @@ #!/bin/sh set -eo pipefail -IMAGE_NAME=uber/ssh-agent-forward +IMAGE_NAME=uber/ssh-agent-forward:latest CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 @@ -29,6 +29,7 @@ else fi ssh-keyscan -p "${HOST_PORT}" "${HOST_IP}" >"${KNOWN_HOSTS_FILE}" 2>/dev/null +# show the keys that are being forwarded ssh \ -A \ -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \ @@ -37,6 +38,7 @@ ssh \ "root@${HOST_IP}" \ ssh-add -l +# keep the agent running ssh \ -A \ -f \ @@ -44,7 +46,7 @@ ssh \ -p "${HOST_PORT}" \ -S none \ "root@${HOST_IP}" \ - /root/ssh-forward-agent.sh + /ssh-entrypoint.sh echo 'Agent forwarding successfully started.' echo 'Run "pinata-ssh-mount" to get a command-line fragment that' diff --git a/pinata-ssh-pull.sh b/pinata-ssh-pull.sh old mode 100644 new mode 100755 diff --git a/ssh-forward-agent.sh b/ssh-entrypoint.sh similarity index 100% rename from ssh-forward-agent.sh rename to ssh-entrypoint.sh From 4743cd6fdced5228db7fe5b2d8df4cd382314b3a Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 11:10:14 -0800 Subject: [PATCH 25/43] readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 33d992d..80f23d3 100644 --- a/README.md +++ b/README.md 
@@ -38,9 +38,11 @@ Hi avsm! You've successfully authenticated, but GitHub does not provide shell ac Connection to github.com closed. ``` + ## Developing -To build an image yourself rather than fetching from Docker Hub, run `./pinata-ssh-build.sh` +To build an image yourself rather than fetching from Docker Hub, run +`./pinata-ssh-build.sh` from your clone of this repo. We didn't bother installing the build script with the Makefile since using the hub image should be the common case. From 812ac1ae35709c20da994a36c39b348016247a0d Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 11:12:45 -0800 Subject: [PATCH 26/43] ssh -T git@github --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 80f23d3..57604cf 100644 --- a/README.md +++ b/README.md @@ -28,14 +28,13 @@ $ pinata-ssh-mount --volume=ssh-agent:/ssh-agent --env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock -$ docker run -it $(pinata-ssh-mount) ocaml/opam ssh git@github.com +$ docker run -it $(pinata-ssh-mount) ocaml/opam ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts. PTY allocation request failed on channel 0 Hi avsm! You've successfully authenticated, but GitHub does not provide shell access. -Connection to github.com closed. ``` From e2d17563f029ae49bbcd5e0ff35c08c07fdd2c36 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 11:27:46 -0800 Subject: [PATCH 27/43] use our own image --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 57604cf..e5a7692 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ $ pinata-ssh-mount --volume=ssh-agent:/ssh-agent --env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock -$ docker run -it $(pinata-ssh-mount) ocaml/opam ssh -T git@github.com +$ docker run -it $(pinata-ssh-mount) uber/docker-ssh-agent-forward ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes From 4ad8329d0e906f1a7fadd831adced95fa1ae7f51 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 12:24:44 -0800 Subject: [PATCH 28/43] use short flags --- README.md | 4 ++-- pinata-ssh-mount.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e5a7692..aaf5c30 100644 --- a/README.md +++ b/README.md @@ -25,8 +25,8 @@ the SSH agent socket and sets `SSH_AUTH_SOCK` within the container. ``` $ pinata-ssh-mount ---volume=ssh-agent:/ssh-agent ---env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock +-v ssh-agent:/ssh-agent +-e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock $ docker run -it $(pinata-ssh-mount) uber/docker-ssh-agent-forward ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index 24fc284..a4bb5a4 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,5 +1,5 @@ #!/bin/sh set -eo pipefail -echo "--volume=ssh-agent:/ssh-agent" -echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" +echo "-v ssh-agent:/ssh-agent" +echo "-e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" From cddf2cd32a784e56a241925d49df328870a63adf Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 12:39:35 -0800 Subject: [PATCH 29/43] better pull --- README.md | 6 ++++++ pinata-ssh-pull.sh | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index aaf5c30..d42582b 100644 --- a/README.md +++ b/README.md 
@@ -37,6 +37,12 @@ PTY allocation request failed on channel 0 Hi avsm! You've successfully authenticated, but GitHub does not provide shell access. ``` +To fetch the latest image, do: + +``` +pinata-ssh-pull +``` + ## Developing diff --git a/pinata-ssh-pull.sh b/pinata-ssh-pull.sh index b3af313..f8f97f6 100755 --- a/pinata-ssh-pull.sh +++ b/pinata-ssh-pull.sh @@ -1,2 +1,2 @@ #!/bin/sh -exec docker pull uber/ssh-agent-forward +exec docker pull uber/ssh-agent-forward:latest From 0e7a9357f0ce2143dc4d8998bd19f9a4af8d9189 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 12:47:59 -0800 Subject: [PATCH 30/43] fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d42582b..3ba072e 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,6 @@ hub image should be the common case. ## Contributors * Justin Cormack -* https://github.com/uber/docker-ssh-agent-forward/graphs/contributors +* https://github.com/uber-common/docker-ssh-agent-forward/graphs/contributors [License](LICENSE.md) is ISC. From 4f7cbbef429b7515c3385dbd786ec36b89235218 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 13 Feb 2017 12:51:52 -0800 Subject: [PATCH 31/43] shorter name --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ba072e..f0fceff 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ $ pinata-ssh-mount -v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock -$ docker run -it $(pinata-ssh-mount) uber/docker-ssh-agent-forward ssh -T git@github.com +$ docker run -it $(pinata-ssh-mount) uber/ssh-agent-forward ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes From ecf800314cd02b82c611c0cb0b27b64cf56050e7 Mon Sep 17 00:00:00 2001 
From: Bryan Stitt Date: Tue, 14 Feb 2017 10:53:47 -0800 Subject: [PATCH 32/43] fix for yosemite --- pinata-ssh-forward.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index ed2ddaf..b43034c 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -6,7 +6,7 @@ CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n') -KNOWN_HOSTS_FILE=$(mktemp) +KNOWN_HOSTS_FILE=$(mktemp -t dsaf) trap 'rm ${KNOWN_HOSTS_FILE}' EXIT From a3c3b71c58f96affe2e535454a05bd1d55ab7e0e Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 14 Feb 2017 10:54:25 -0800 Subject: [PATCH 33/43] echo a single line --- README.md | 3 +-- pinata-ssh-mount.sh | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f0fceff..fb7b24a 100644 --- a/README.md +++ b/README.md @@ -25,8 +25,7 @@ the SSH agent socket and sets `SSH_AUTH_SOCK` within the container. ``` $ pinata-ssh-mount --v ssh-agent:/ssh-agent --e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock +-v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock $ docker run -it $(pinata-ssh-mount) uber/ssh-agent-forward ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh index a4bb5a4..790e079 100755 --- a/pinata-ssh-mount.sh +++ b/pinata-ssh-mount.sh @@ -1,5 +1,3 @@ #!/bin/sh set -eo pipefail - -echo "-v ssh-agent:/ssh-agent" -echo "-e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" +echo "-v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock" From a23575ebfff82b8de5eb896cf6e8183b2a113a86 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Tue, 14 Feb 2017 12:54:07 -0800 Subject: [PATCH 34/43] Fix clone link in readme --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fb7b24a..4ee1d1e 100644 --- a/README.md 
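Review bot: `KNOWN_HOSTS_FILE=$(mktemp -t dsaf)` works with the BSD/macOS mktemp this commit targets, but GNU coreutils mktemp rejects a `-t` template that contains no `X` characters, so on Linux the assignment fails and `set -e` aborts the script before the `trap` on the next line is installed. Patch 35 later in this series changes it to `mktemp -t dsaf.XXX`, which both implementations accept; that form should have been used here. While on this line, the cleanup beneath it would be safer as `trap 'rm -f -- "${KNOWN_HOSTS_FILE}"' EXIT` so an already-removed file does not turn the exit path into an error.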
+++ b/README.md @@ -8,7 +8,7 @@ Still experimental -- contact anil@recoil.org or bryan@uber.com if you want help Assuming you have a `/usr/local` ``` -$ git clone git://github.com/uber/docker-ssh-agent-forward +$ git clone git://github.com/uber-common/docker-ssh-agent-forward $ cd docker-ssh-agent-forward $ make $ make install @@ -27,7 +27,8 @@ the SSH agent socket and sets `SSH_AUTH_SOCK` within the container. $ pinata-ssh-mount -v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock -$ docker run -it $(pinata-ssh-mount) uber/ssh-agent-forward ssh -T git@github.com +$ docker run -it $(pinata-ssh-mount) +/ssh-agent-forward ssh -T git@github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes From dfc7673ef1335d1aca3b01e6333c1ddba51e5bab Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Tue, 14 Feb 2017 22:56:57 +0100 Subject: [PATCH 35/43] Use mktemp syntax compatible with Yosemite --- pinata-ssh-forward.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh index b489c83..ca8d922 100755 --- a/pinata-ssh-forward.sh +++ b/pinata-ssh-forward.sh @@ -6,7 +6,7 @@ CONTAINER_NAME=pinata-sshd VOLUME_NAME=ssh-agent HOST_PORT=2244 AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n') -KNOWN_HOSTS_FILE=$(mktemp) +KNOWN_HOSTS_FILE=$(mktemp -t dsaf.XXX) trap "rm ${KNOWN_HOSTS_FILE}" EXIT From cd9b12b2a2c7ac3b0cb6b72d20ad311a6ec25327 Mon Sep 17 00:00:00 2001 From: Martin Honermeyer Date: Tue, 14 Feb 2017 23:51:29 +0100 Subject: [PATCH 36/43] Generate SSH host key during container startup FIXME Find a way to ensure sshd is ready without waiting an arbitrary second. --- Dockerfile | 3 +-- docker-entrypoint.sh | 4 ++++ pinata-ssh-forward.sh | 5 +++++ 3 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/Dockerfile b/Dockerfile
index 20c5327..e29a90d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,7 @@ FROM alpine
 MAINTAINER Anil Madhavapeddy
 RUN apk update && apk add openssh socat
 RUN mkdir /root/.ssh && \
-  chmod 700 /root/.ssh && \
-  ssh-keygen -A
+  chmod 700 /root/.ssh
 COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh
 COPY docker-entrypoint.sh /
 EXPOSE 22
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 6a23658..f55b510 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
 set -e
+
 echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys
 chown root:root /root/.ssh/authorized_keys
+
+ssh-keygen -A
+
 exec "$@"
diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh
index ca8d922..f99fa03 100755
--- a/pinata-ssh-forward.sh
+++ b/pinata-ssh-forward.sh
@@ -24,6 +24,11 @@ if [ "${DOCKER_HOST}" ]; then
 else
   HOST_IP=127.0.0.1
 fi
 
+
+# FIXME Find a way to get rid of this additional 1s wait
+sleep 1
+while [ 1 ] && ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done
+
 ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null
 ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \
From 494b72d3f946380c760cf6c8bce629be4b9dbb65 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Thu, 23 Mar 2017 16:41:41 -0700
Subject: [PATCH 37/43] put tini back. not everyone uses docker's init

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1e99d2f..fb2e183 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.5
 
-RUN apk add --no-cache openssh socat
+RUN apk add --no-cache openssh socat tini
 
 RUN mkdir /root/.ssh && \
   chmod 700 /root/.ssh
@@ -9,7 +9,7 @@ EXPOSE 22
 
 VOLUME ["/ssh-agent"]
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/sbin/tini", "--", "/docker-entrypoint.sh"]
 CMD ["/usr/sbin/sshd", "-D"]
 
 
From d5d39314da16ad0c89f55d1f0decf4b1f6e39cd6 Mon Sep 17 00:00:00 2001
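Review bot: The new readiness loop `while [ 1 ] && ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done` in pinata-ssh-forward.sh never gives up: if the container started but sshd never listens (for example because a step in docker-entrypoint.sh before `exec "$@"` fails), the script spins forever with no diagnostic instead of exiting non-zero. `[ 1 ]` is always true and both expansions are unquoted; patch 41 below drops the `[ 1 ]` but keeps the loop unbounded and unquoted, so the same fix applies there. A bounded retry with a message on stderr is worth adding; the leading `sleep 1` may still be needed if Docker's published port accepts connections before the container process listens, which is presumably what the FIXME refers to. The `if`/`else` that sets HOST_IP begins outside the hunk.
```sh
sleep 1
# bounded wait for sshd: fail loudly rather than hang if the container never listens
tries=0
until nc -z -w5 "${HOST_IP}" "${HOST_PORT}"; do
  tries=$((tries + 1))
  if [ "${tries}" -ge 100 ]; then
    echo "sshd at ${HOST_IP}:${HOST_PORT} did not become reachable" >&2
    exit 1
  fi
  sleep 0.1
done
# … unchanged: ssh-keyscan and the agent-forwarding ssh invocation …
```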
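Review bot: The added `ssh-keygen -A` in docker-entrypoint.sh carries no comment explaining why host-key generation moved out of the Dockerfile's `RUN`, and a later maintainer may move it back for build speed. Suggest `# generate host keys at container start rather than at image build, so a published image does not ship one host key that every user shares`; that rationale is inferred from the subject line and should be confirmed by the author. With per-start keys the client side has to re-learn the host key on every run, which pinata-ssh-forward.sh already does by writing `ssh-keyscan` output into a fresh temporary known_hosts file, so the two sides are consistent.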
From: Bryan Stitt
Date: Mon, 18 Dec 2017 15:53:39 -0800
Subject: [PATCH 38/43] alpine 3.7 and new style

---
 Dockerfile | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fb2e183..4b73c74 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,10 @@
-FROM alpine:3.5
+FROM alpine:3.7
 
-RUN apk add --no-cache openssh socat tini
-
-RUN mkdir /root/.ssh && \
-  chmod 700 /root/.ssh
+RUN { set -eux; \
+  \
+  mkdir /root/.ssh; \
+  chmod 700 /root/.ssh; \
+}
 
 EXPOSE 22
 
@@ -13,5 +14,11 @@ ENTRYPOINT ["/sbin/tini", "--", "/docker-entrypoint.sh"]
 CMD ["/usr/sbin/sshd", "-D"]
 
 
+RUN apk add --no-cache \
+  openssh \
+  socat \
+  tini \
+  ;
+
 COPY docker-entrypoint.sh /
 COPY ssh-entrypoint.sh /
From 590369a426e0829fea8162590938208db36865e3 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Mon, 18 Dec 2017 15:54:19 -0800
Subject: [PATCH 39/43] remove unhelpful, non-portable options

---
 pinata-ssh-mount.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh
index 790e079..a6f9922 100755
--- a/pinata-ssh-mount.sh
+++ b/pinata-ssh-mount.sh
@@ -1,3 +1,2 @@
 #!/bin/sh
-set -eo pipefail
 echo "-v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock"
From 14357c1fda1be598fbb3b9cc108de32e2514ebd4 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Mon, 18 Dec 2017 15:54:47 -0800
Subject: [PATCH 40/43] use bash which always has pipefail

---
 pinata-ssh-forward.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh
index ee403d9..3582cde 100755
--- a/pinata-ssh-forward.sh
+++ b/pinata-ssh-forward.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 set -eo pipefail
 
 IMAGE_NAME=uber/ssh-agent-forward:latest
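Review bot: The package-install `RUN apk add --no-cache …` in the second Dockerfile hunk is placed after `ENTRYPOINT` and `CMD`; Docker accepts any order, but the conventional layout installs packages before the `COPY` of the entrypoint that needs them, and a reader scanning top-down now meets `CMD ["/usr/sbin/sshd", "-D"]` before openssh is installed. `set -eux` in the first hunk also traces every command into the build log; nothing sensitive runs there, so a short comment such as `# -x: echo each command into the build log for easier debugging` would make it read as intentional rather than leftover. The `EXPOSE`/`VOLUME`/`ENTRYPOINT` lines between the two hunks are outside the changed region.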
@@ -20,7 +20,8 @@ docker run \
   -v ${VOLUME_NAME}:/ssh-agent \
   -d \
   -p "${HOST_PORT}:22" \
-  "${IMAGE_NAME}" >/dev/null
+  "${IMAGE_NAME}" >/dev/null \
+;
 
 if [ "${DOCKER_HOST}" ]; then
   HOST_IP=$(echo "$DOCKER_HOST" | awk -F '//' '{print $2}' | awk -F ':' '{print $1}')
From bbc77f23919df4189c15102c6c44b1eabfcefdc7 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Mon, 18 Dec 2017 15:56:27 -0800
Subject: [PATCH 41/43] shellcheck

---
 pinata-ssh-forward.sh | 2 +-
 pinata-ssh-mount.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh
index 3582cde..52da7a2 100755
--- a/pinata-ssh-forward.sh
+++ b/pinata-ssh-forward.sh
@@ -31,7 +31,7 @@ fi
 
 # FIXME Find a way to get rid of this additional 1s wait
 sleep 1
-while [ 1 ] && ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done
+while ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done
 
 ssh-keyscan -p "${HOST_PORT}" "${HOST_IP}" >"${KNOWN_HOSTS_FILE}" 2>/dev/null
 
diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh
index a6f9922..56e9b78 100755
--- a/pinata-ssh-mount.sh
+++ b/pinata-ssh-mount.sh
@@ -1,2 +1,2 @@
-#!/bin/sh
+#!/usr/bin/env bash
 echo "-v ssh-agent:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock"
From 39d54119b39cfd449c611cf93eaf791f247f7e97 Mon Sep 17 00:00:00 2001
From: Kinsey Ann Durham
Date: Wed, 7 Mar 2018 13:27:25 -0700
Subject: [PATCH 42/43] Update README.md

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4ee1d1e..67b9b1c 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,9 @@ To fetch the latest image, do:
 pinata-ssh-pull
 ```
 
 
+## Troubleshooting
+
+If pinata-ssh-forward fails to run, run `ssh-add -l`. If there are no identities, then run `ssh-add`.
 ## Developing
 
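Review bot: The trailing `\` after `"${IMAGE_NAME}" >/dev/null` followed by a line holding only `;` is a terminator convention (the continuation joins the `;` onto the `docker run` command) rather than anything functional, and it reads as a stray character to anyone not used to the style. Either write plain `"${IMAGE_NAME}" >/dev/null` or put a one-line comment above the `docker run` naming the convention. Since the shebang in the previous hunk now guarantees bash, `set -euo pipefail` is also available; `-u` would catch an unset `VOLUME_NAME` in the unquoted `-v ${VOLUME_NAME}:/ssh-agent` on this hunk's first context line. The `docker run` command itself begins outside the hunk.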
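Review bot: `while ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done` still leaves both expansions unquoted (ShellCheck SC2086) in a commit titled "shellcheck"; `while ! nc -z -w5 "${HOST_IP}" "${HOST_PORT}"; do sleep 0.1; done` matches the quoting already used on the `ssh-keyscan` context line two lines below. Dropping `[ 1 ]` is correct, as it was always true; the loop's lack of an upper bound is raised at patch 36 above and still applies to this line.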
@@ -52,7 +55,6 @@ To build an image yourself rather than fetching from Docker Hub, run
 We didn't bother installing the build script with the Makefile since using the
 hub image should be the common case.
 
-
 ## Contributors
 
 * Justin Cormack
From 7e26e9bf574b4cda7bd12c6e8b7529a852cb2322 Mon Sep 17 00:00:00 2001
From: Sibusiso Vilakazi
Date: Wed, 27 Oct 2021 16:49:46 +0200
Subject: [PATCH 43/43] Create launch.json

---
 .vscode/launch.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .vscode/launch.json

diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..5c7247b
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,7 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": []
+}
\ No newline at end of file