The problem sounds elementary in nature, but I cannot find a secure and simple solution.
The issue is the following: I have a project and I want to pull dependencies from private git repos to build a runtime environment, and remove both the SSH key and the SSH passphrase afterward. I cannot skip the passphrase, as it is enforced by the git remote repos.
The question is how I can do it so that the approach is also secure.
I am operating in Docker and can potentially install any open-source software on it.
With BuildKit enabled, docker build has a --ssh option to allow the Docker Engine to forward SSH agent connections.
You can ssh-add your private keys to an ssh-agent.
From the ssh-add man page:
If any file requires a passphrase, ssh-add asks for the passphrase from the user.
From the ssh-agent man page:
The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.
The ssh-agent will never send a private key over its request channel. ...
Example Dockerfile from the doc:
# syntax=docker/dockerfile:experimental
FROM alpine
# Install ssh client and git
RUN apk add --no-cache openssh-client git
# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Clone private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject
Build the image: docker build --ssh default
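An added example (not from the answer, nor Docker's or OpenSSH's own code) of the host-side flow the answer describes: a throw-away ssh-agent is started, the passphrase-protected key is added (ssh-add prompts for the passphrase), the build runs with --ssh default, and the agent is killed afterwards so neither key nor passphrase survives the build. The pre-build lint, the post-build scan, the RUN_BUILD variable and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the answer or Docker's docs): wrap the BuildKit
# --ssh flow so the key only lives in a throw-away ssh-agent on the build
# host and is forgotten once the image is built. Function and variable
# names are this example's own choices, not a Docker or OpenSSH interface.
set -eu

# Lint a Dockerfile before building: private repos must be fetched through
# --mount=type=ssh, and no COPY/ADD may bake key material into a layer.
# Returns 0 when the file is acceptable, 1 otherwise.
check_dockerfile() {
    df="$1"
    grep -Eq -- '--mount=type=ssh' "$df" || {
        echo "no --mount=type=ssh in $df" >&2; return 1; }
    if grep -Eiq '^(COPY|ADD)[[:space:]].*(id_(rsa|ed25519|ecdsa)|\.ssh/|\.pem)' "$df"; then
        echo "$df copies key material into the image" >&2; return 1
    fi
    return 0
}

# Build with a private, short-lived agent. The passphrase is typed once on
# the host when ssh-add prompts; it is never handed to docker, and the
# agent (with the key loaded into it) is destroyed when the script exits.
build_with_ssh() {
    key="$1"; tag="$2"; ctx="${3:-.}"
    check_dockerfile "$ctx/Dockerfile"
    # A dedicated agent keeps the user's long-lived agent, and every other
    # identity loaded into it, out of reach of the build.
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-add -D >/dev/null 2>&1; ssh-agent -k >/dev/null 2>&1' EXIT
    ssh-add "$key"
    DOCKER_BUILDKIT=1 docker build --ssh default -t "$tag" "$ctx"
}

# Post-build check: no private key file made it into the image filesystem.
# This is a filename heuristic, not proof of absence.
verify_no_keys_in_image() {
    tag="$1"
    ! docker run --rm --entrypoint sh "$tag" -c \
        'find / -xdev \( -name "id_rsa*" -o -name "id_ed25519*" -o -name "id_ecdsa*" \) 2>/dev/null' \
        | grep -q .
}

# Runs only when asked, e.g. RUN_BUILD=1 ./build.sh ~/.ssh/id_ed25519 myorg/app
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_with_ssh "$1" "$2" "${3:-.}"
    verify_no_keys_in_image "$2" && echo "ok: no key files in $2"
fi
```

The agent socket is only exposed to the RUN step that declares --mount=type=ssh, so the cloned source ends up in the layer but the key never does.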