Issue
I'm going through some of the questions here to figure out how to connect to GitHub over SSH from within Docker, but I've had no luck. My docker build requires an SSH connection. Please help if you see what's wrong:
I have a private key at ~/.ssh/id_ed25519_docker that I have added to GitHub. The key has no passphrase. This works from my shell:
ssh -i ~/.ssh/id_ed25519_docker -vT git@github.com
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ~/.ssh/id_ed25519_docker ED25519 SHA256:V...4 explicit agent
debug1: Server accepts key: ~/.ssh/id_ed25519_docker ED25519 SHA256:V...4 explicit agent
debug1: Authentication succeeded (publickey).
This is my build command (from a Makefile recipe):
export DOCKER_BUILDKIT=1; docker build --ssh default=~/.ssh/id_ed25519_docker .
Here is my Dockerfile
# syntax=docker/dockerfile:experimental
FROM alpine
# Install ssh client and git
RUN apk add --no-cache openssh-client git
# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Configure
RUN echo "Host *\n AddKeysToAgent yes\n IdentityFile ~/.ssh/id_ed25519_docker" > ~/.ssh/config
# Connect
RUN ssh -vT git@github.com
The last line errors:
> [5/6] RUN ssh -vT git@github.com:
#10 0.234 OpenSSH_9.0p1, OpenSSL 1.1.1q 5 Jul 2022
#10 0.234 debug1: Reading configuration data /etc/ssh/ssh_config
#10 0.263 debug1: Connecting to github.com [140.82.114.3] port 22.
#10 0.298 debug1: Connection established.
#10 0.298 debug1: identity file /root/.ssh/id_rsa type -1
#10 0.298 debug1: identity file /root/.ssh/id_rsa-cert type -1
#10 0.298 debug1: identity file /root/.ssh/id_ecdsa type -1
#10 0.299 debug1: identity file /root/.ssh/id_ecdsa-cert type -1
#10 0.299 debug1: identity file /root/.ssh/id_ecdsa_sk type -1
#10 0.299 debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
#10 0.299 debug1: identity file /root/.ssh/id_ed25519 type -1
#10 0.299 debug1: identity file /root/.ssh/id_ed25519-cert type -1
#10 0.299 debug1: identity file /root/.ssh/id_ed25519_sk type -1
#10 0.299 debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
#10 0.299 debug1: identity file /root/.ssh/id_xmss type -1
#10 0.299 debug1: identity file /root/.ssh/id_xmss-cert type -1
#10 0.299 debug1: identity file /root/.ssh/id_dsa type -1
#10 0.299 debug1: identity file /root/.ssh/id_dsa-cert type -1
#10 0.299 debug1: Local version string SSH-2.0-OpenSSH_9.0
#10 0.339 debug1: Remote protocol version 2.0, remote software version babeld-f33ee42f
#10 0.339 debug1: compat_banner: no match: babeld-f33ee42f
#10 0.339 debug1: Authenticating to github.com:22 as 'git'
#10 0.339 debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
#10 0.339 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
#10 0.339 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
#10 0.340 debug1: SSH2_MSG_KEXINIT sent
#10 0.341 debug1: SSH2_MSG_KEXINIT received
#10 0.341 debug1: kex: algorithm: curve25519-sha256
#10 0.341 debug1: kex: host key algorithm: ssh-ed25519
#10 0.341 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
#10 0.341 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
#10 0.341 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
#10 0.387 debug1: SSH2_MSG_KEX_ECDH_REPLY received
#10 0.387 debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
#10 0.387 debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
#10 0.387 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
#10 0.387 debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
#10 0.387 debug1: Host 'github.com' is known and matches the ED25519 host key.
#10 0.387 debug1: Found key in /root/.ssh/known_hosts:3
#10 0.393 debug1: rekey out after 134217728 blocks
#10 0.393 debug1: SSH2_MSG_NEWKEYS sent
#10 0.393 debug1: expecting SSH2_MSG_NEWKEYS
#10 0.433 debug1: SSH2_MSG_NEWKEYS received
#10 0.433 debug1: rekey in after 134217728 blocks
#10 0.433 debug1: Will attempt key: /root/.ssh/id_rsa
#10 0.433 debug1: Will attempt key: /root/.ssh/id_ecdsa
#10 0.433 debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
#10 0.433 debug1: Will attempt key: /root/.ssh/id_ed25519
#10 0.433 debug1: Will attempt key: /root/.ssh/id_ed25519_sk
#10 0.433 debug1: Will attempt key: /root/.ssh/id_xmss
#10 0.433 debug1: Will attempt key: /root/.ssh/id_dsa
#10 0.433 debug1: SSH2_MSG_EXT_INFO received
#10 0.433 debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
#10 0.473 debug1: SSH2_MSG_SERVICE_ACCEPT received
#10 0.515 debug1: Authentications that can continue: publickey
#10 0.515 debug1: Next authentication method: publickey
#10 0.515 debug1: Trying private key: /root/.ssh/id_rsa
#10 0.515 debug1: Trying private key: /root/.ssh/id_ecdsa
#10 0.515 debug1: Trying private key: /root/.ssh/id_ecdsa_sk
#10 0.515 debug1: Trying private key: /root/.ssh/id_ed25519
#10 0.515 debug1: Trying private key: /root/.ssh/id_ed25519_sk
#10 0.515 debug1: Trying private key: /root/.ssh/id_xmss
#10 0.515 debug1: Trying private key: /root/.ssh/id_dsa
#10 0.515 debug1: No more authentication methods to try.
#10 0.515 git@github.com: Permission denied (publickey).
The Docker Client API version is 1.41. What am I missing? Going on hour 5 with this and going crazy :(
PS. In case it's relevant: I've tried changing the RUN at the end of my Dockerfile to refer to the key by name:
RUN ssh -i ~/.ssh/id_ed25519_docker -vT git@github.com
However this doesn't work; I see this new warning at the top of the log:
#10 0.265 Warning: Identity file /root/.ssh/id_ed25519_docker not accessible: No such file or directory.
Solution
I got things working with the following changes:
Changed my docker build command to remove any reference to the key name:
docker build --ssh default .
Changed my Dockerfile to:
# syntax=docker/dockerfile:1
FROM alpine
# Install ssh client and git
RUN apk add --no-cache openssh-client git
# Download public key for github.com
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Connect
RUN --mount=type=ssh ssh -vT git@github.com
The key was to add --mount=type=ssh just before the execution that needed access to my host machine's ssh agent. Without this, the execution cannot communicate with the host's ssh agent.
Answered By - BeetleJuice Answer Checked By - Senaida (WPSolving Volunteer)
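As an added example (not part of the original question or answer, and not Docker's own tooling), the shell function below scans a Dockerfile for RUN instructions that use SSH without the --mount=type=ssh flag, which is the omission that produced the "Permission denied (publickey)" failure above. The function name lint_ssh_mounts and the sample Dockerfile contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Prints every RUN instruction that
# authenticates over SSH without the BuildKit mount; exit status 1 if any.
lint_ssh_mounts() {
    awk '
        function check(ins, n) {
            if (ins !~ /^[ \t]*[Rr][Uu][Nn][ \t]/) return
            # SSH use: the ssh client, a git@host: remote, or an ssh:// URL.
            # ssh-keyscan and paths such as ~/.ssh do not match.
            if (ins !~ /(^|[ \t;&|(])ssh[ \t]/ && ins !~ /git@[^ \t]+:/ &&
                ins !~ /ssh:\/\//) return
            if (ins ~ /--mount=type=ssh/) return
            printf "%d: %s\n", n, ins
            bad = 1
        }
        {   # Join backslash-continued lines into one logical instruction.
            if (buf == "") start = NR
            line = $0
            cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line)
            buf = buf line
            if (cont) next
            check(buf, start); buf = ""
        }
        END { if (buf != "") check(buf, start); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the failing and the working RUN lines from this page.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'FROM alpine' \
        'RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts' \
        'RUN ssh -vT git@github.com' > "$d/before"
    sed 's/^RUN ssh /RUN --mount=type=ssh ssh /' "$d/before" > "$d/after"
    lint_ssh_mounts "$d/before" && before=0 || before=1
    lint_ssh_mounts "$d/after" && after=0 || after=1
    rm -rf "$d"
    echo "before=$before after=$after"
}
demo
```

Because the mount hands the step a forwarded agent socket rather than a key file, the private key never lands in an image layer; the check only confirms the flag is present on each step that needs it.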