11

I'm using boot2docker on Windows 7. VirtualBox is mounting my Windows ~/.ssh directory from Windows (c:\Users\Me\.ssh) inside the boot2docker VM (/c/Users/Me/.ssh).

My Dockerfile is configuring an image to be used as a development environment. It copies to the container a set of SSH keys and a config that are used for automatic deployment. This works fine. When the container starts up, it automatically clones a git repository within the image without prompts.

I'm now trying to use the same image but allow for the user to mount via docker run -v ... their own .ssh directory so they can optionally use their own SSH keys instead. When I do that by adding in -v /home/myself/.ssh:/home/guest/.ssh to the command that runs the container, I get the SSH warning about the permissions being too open:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/guest/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/guest/.ssh/id_rsa
```

I tried adding into the ENTRYPOINT script a line to chmod -R 700 /home/guest/.ssh but it appears that that is either ineffective or it is executed before the volume is mounted.

I also tried changing the permissions of /home/guest/.ssh from within the running container and was unable to do so. I get no error when running chmod -R 700 /home/guest/.ssh but the permissions do not change.

I saw in another question about Docker volume permissions the suggestion that the questioner use ACLs, but I didn't know if that was a good idea, or if it would even work.

Regardless, what is the simplest way to allow a user to use their own SSH keys and SSH config inside a Docker container?

hourback
  • You could copy the .ssh files into a new directory and chmod them, in the startup of the shell. – Bryan Nov 21 '14 at 20:14
  • So, have the Dockerfile COPY id_rsa* and config to /home/guest, for example, and in a ~/.profile copy /home/guest/id_rsa* to /home/guest/.ssh/ and avoid mounting the external .ssh volume? – hourback Nov 21 '14 at 20:16
  • Oh, no, I get it I think. Still give the container the SSH files via a volume, but use the shell to copy them to .ssh. Okay. I'll give that a shot. – hourback Nov 21 '14 at 20:19
  • @Bryan Brilliant! If it doesn't strike you as kludgy, works great for me. Thank you. – hourback Nov 21 '14 at 20:32
  • Copied info out to an answer, so this qn doesn't show up as 'unanswered' – Bryan Nov 21 '14 at 20:37

1 Answer

7

Slightly kludgy, but you could copy the .ssh files into a new directory and chmod them, in the startup of the shell.

I.e. give the container the SSH files via a volume, but use the shell ~/.profile to copy them to ~/.ssh.

Bryan
  • see https://nickjanetakis.com/blog/docker-tip-56-volume-mounting-ssh-keys-into-a-docker-container – Tom Sep 16 '18 at 11:37
  • If you are using vscode devcontainers, you can use the `postCreateCommand` to copy and chmod the ssh files. At this point it usually makes sense to create a `postCreateCommand.sh` script and call it in the `postCreateCommand`. – Felix B. Sep 21 '20 at 12:36
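
The copy-and-chmod approach from the answer, written out as an added example (not code from the original posts). It assumes the user's keys are mounted read-only at a hypothetical path, `/mnt/host-ssh`, rather than directly over `~/.ssh`; the function names `install_ssh_keys` and `mode_of` are also made up for this sketch.

```shell
#!/bin/sh
# Added example: SRC is a hypothetical read-only mount of the user's keys, e.g.
#   docker run -v /home/myself/.ssh:/mnt/host-ssh:ro ...
# DEST must live on the container's own filesystem, where chmod takes effect.

# Print the permission string of a path, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Copy SSH files from SRC into DEST with the modes OpenSSH expects.
# Returns 0 on success or when SRC is absent (image's own keys stay in use),
# 1 if a copy fails or the resulting permissions are still too open.
install_ssh_keys() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 0

    old_umask=$(umask)
    umask 077
    mkdir -p "$dest" && chmod 700 "$dest" || { umask "$old_umask"; return 1; }

    rc=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue            # skip subdirectories and an empty glob
        name=$(basename "$f")
        cp "$f" "$dest/$name" || { rc=1; continue; }
        case $name in
            *.pub) want=-rw-r--r--; chmod 644 "$dest/$name" ;;
            *)     want=-rw-------; chmod 600 "$dest/$name" ;;
        esac
        # chmod can succeed silently yet change nothing (the symptom described
        # in the question), so read the mode back instead of trusting it.
        if [ "$(mode_of "$dest/$name")" != "$want" ]; then
            echo "install_ssh_keys: $dest/$name still has open permissions" >&2
            rc=1
        fi
    done
    umask "$old_umask"
    return $rc
}

# Typical call from ~/.profile or the ENTRYPOINT script:
# install_ssh_keys /mnt/host-ssh "$HOME/.ssh"
```

Because the source mount is only read from, the host's key files are never modified, and a non-zero return gives the startup script a clear signal that the private key would still be rejected.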