Issue
The problem sounds elementary in its nature but I cannot find a secure and simple solution.
The issue is the following, I have a project and I want to pull dependencies from private git repos to build a runtime environment and remove both SSH key and SSH passphrase afterward. I cannot skip passphrase as it is enforced by git remote repos.
- I struggle to push the SSH passphrase, so the SSH won't ask for a passphrase
- I struggle to understand how to do it securely
The question of how can I do it, so the approach also will be secure?
I am operating in Docker and potentially can install any open-source software on it.
Solution
With buildkit enabled:
The docker build has a --ssh option to allow the Docker Engine to forward SSH agent connections.
You can ssh-add your private keys to a ssh-agent.
From the ssh-add man pages:
If any file requires a passphrase,
ssh-addasks for the passphrase from the user.
From the ssh-agent man pages:
The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.
The
ssh-agentwill never send a private key over its request channel. ...
Example Dockerfile from the doc:
# syntax=docker/dockerfile:experimental
FROM alpine
# Install ssh client and git
RUN apk add --no-cache openssh-client git
# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Clone private repository
RUN --mount=type=ssh git clone [email protected]:myorg/myproject.git myproject
Build the image: docker build --ssh default
Answered By - masseyb