Tags: git, docker, security, ssh, sshpass

How to add an SSH passphrase to Docker and remove it after it has been used?


The problem sounds elementary in its nature but I cannot find a secure and simple solution.

The issue is the following: I have a project and I want to pull dependencies from private git repos to build a runtime environment, and remove both the SSH key and the SSH passphrase afterward. I cannot skip the passphrase, as it is enforced by the git remote repos.

  1. I struggle to push the SSH passphrase so that SSH won't ask for a passphrase
  2. I struggle to understand how to do it securely

The question is: how can I do it so that the approach is also secure?

I am operating in Docker and potentially can install any open-source software on it.


Solution

  • With BuildKit enabled:

    The docker build command has a --ssh option to allow the Docker Engine to forward SSH agent connections.

    You can ssh-add your private keys to an ssh-agent.

    From the ssh-add man pages:

    If any file requires a passphrase, ssh-add asks for the passphrase from the user.

    From the ssh-agent man pages:

    The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.

    The ssh-agent will never send a private key over its request channel. ...

    Example Dockerfile from the doc:

    # syntax=docker/dockerfile:experimental
    FROM alpine

    # Install ssh client and git
    RUN apk add --no-cache openssh-client git

    # Download public key for github.com
    # (0700, not 0600: a directory needs the execute bit to be traversable)
    RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

    # Clone private repository; the key stays in the host agent and never lands in a layer
    RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject


    Build the image: docker build --ssh default .
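A host-side wrapper for the approach in this answer, added here as an example and not part of the original answer or of Docker's documentation: it lints the Dockerfile for patterns that would bake the key or passphrase into an image layer, then runs a throwaway agent for the duration of a single build. The key path, image tag and the RUN_BUILD switch are assumed names.

```bash
#!/usr/bin/env bash
# Added example: passphrase is typed once on the host, key lives only in a
# short-lived agent, and nothing secret is passed to docker build itself.
set -euo pipefail

# Flag Dockerfile instructions that would leave a key or passphrase in a layer
# or in image metadata, and require the BuildKit ssh mount for ssh clones.
# Prints one finding per line; returns 1 if anything was found.
lint_dockerfile() {
    local file="$1" rc=0
    if grep -Eiq '^(COPY|ADD)[[:space:]].*(id_(rsa|ed25519|ecdsa)|\.ssh/)' "$file"; then
        echo "key file copied into a layer"; rc=1
    fi
    if grep -Eiq '^(ARG|ENV)[[:space:]]+[A-Z_]*(PASS|PHRASE|SECRET)' "$file"; then
        echo "passphrase passed via ARG/ENV (visible in docker history)"; rc=1
    fi
    if grep -Eiq 'sshpass' "$file"; then
        echo "sshpass used"; rc=1
    fi
    if grep -E '^RUN' "$file" | grep -E 'git clone .*git@' | grep -vq -- '--mount=type=ssh'; then
        echo "git clone over ssh without --mount=type=ssh"; rc=1
    fi
    return $rc
}

# Start an agent, load the key (ssh-add prompts for the passphrase on the host),
# build with the agent forwarded, and kill the agent on exit either way.
# Usage: build_with_forwarded_key <key path> [context dir] [image tag]
build_with_forwarded_key() {
    local key="$1" context="${2:-.}" tag="${3:-myproject}"
    lint_dockerfile "$context/Dockerfile"
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null' EXIT     # agent (and the key) dies with the script
    ssh-add -t 600 "$key"                   # key also expires on its own after 10 min
    DOCKER_BUILDKIT=1 docker build --ssh default -t "$tag" "$context"
}

# Only run a real build when explicitly asked (assumed switch for this example).
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_with_forwarded_key "${KEY:-$HOME/.ssh/id_ed25519}" .
fi
```

The lint step is deliberately strict: a passphrase handed over through ARG or ENV survives in `docker history` even if the build later "removes" it.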