SSH Agent Forwarding

Do not copy secrets into image layers

Bad example:

FROM ubuntu
# The private key is written into this layer; every later layer is built on top of it.
COPY id_rsa /root/.ssh/
RUN scp user@somewhere:/tmp/data .
# This only adds another layer. The COPY layer still holds id_rsa,
# and anyone who pulls the image can extract it from there.
RUN rm /root/.ssh/id_rsa

BuildKit to the rescue

Forward the SSH agent socket instead of copying a key

Introduced in Docker 18.09

Demo: SSH Agent Forwarding

BuildKit forwards the SSH agent socket into the build, so the private key never enters an image layer

Prepare SSH agent:

ssh-keygen -f id_rsa_test -N ''
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l

Forward into build:

export DOCKER_BUILDKIT=1
docker build --ssh default --progress plain .

Compare the fingerprints listed locally with those printed in the build output:

ssh-add -l
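The Dockerfile side of the `docker build --ssh default` step, added here as an example and not part of the original slides: the `# syntax` line is what makes `RUN --mount=type=ssh` available, `user@somewhere` is the page's placeholder host, and `alpine:3.19` plus the `ssh-keyscan` step are assumptions for the demo.

```dockerfile
# syntax=docker/dockerfile:1
# Docker 18.09 used "# syntax=docker/dockerfile:experimental" for the same feature.
FROM alpine:3.19

# openssh-client provides ssh-add and scp inside the build.
RUN apk add --no-cache openssh-client

# Pin the remote host key explicitly ("somewhere" is the page's placeholder host).
# Disabling host key checking instead would let a spoofed host obtain
# signatures from the forwarded agent, so keep checking on.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan somewhere >> /root/.ssh/known_hosts

# type=ssh mounts the forwarded agent socket for this single RUN step only.
# The socket is not part of the resulting layer and no private key is ever
# written to the filesystem. "ssh-add -l" prints the same fingerprints as the
# host's ssh-add -l, which is the comparison the demo asks for.
RUN --mount=type=ssh ssh-add -l \
 && scp user@somewhere:/tmp/data .

# Nothing to clean up in later layers: no key, no socket.
```

Run with `DOCKER_BUILDKIT=1 docker build --ssh default --progress plain .`; without `--ssh` the mount is empty and `ssh-add -l` fails, which is the expected behaviour rather than a silent fallback.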

Demo: SSH Agent Forwarding without buildkit

Bind-mount the existing SSH agent socket into the container

Pass SSH_AUTH_SOCK through as an environment variable

Prepare SSH agent:

ssh-keygen -f id_rsa_test
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l

Forward into build:

docker run -it --rm \
    --mount type=bind,src=${SSH_AUTH_SOCK},dst=${SSH_AUTH_SOCK} \
    --env SSH_AUTH_SOCK \
    alpine-ssh