[Feature Request] Using 1P SSH from inside a local Docker container

Ryan Parman
Community Member
edited May 3 in SSH

My team and I regularly use Docker for lightweight local environments that are pre-configured with things we need to develop that project. (It helps avoid things like "works on my machine".) If I need to work on a Terraform module, I can launch the Docker environment that has all the tools I need pre-installed and ready-to-go, and I can make my changes, run tests, and perform all sorts of general software development tasks. When I'm done, I press Ctrl+D.

We can easily read specific environment variables from the host environment and pass them into the Docker environment (e.g., AWS credentials, Terraform variables), and for Git, we can mount the local SSH directory into the container in read-only mode so that we can fetch and push (-v ~/.ssh:/root/.ssh:ro) to GitHub Enterprise.

Herein lies the problem with migrating the SSH keys into 1Password and not having them on-disk. There's nothing to mount, and 1Password only runs on the host. The low-fi solution is to keep my SSH keys on-disk for Docker, while copying them into 1P for use with that SSH agent, but then what's the point to using 1Password SSH?

A higher-fi solution (since this is desktop-use Docker; not for deployment) would be the ability to mount a unix socket from the host into the Docker container, and have some kind of tiny agent built for Linux (namely Alpine Linux) that can run and facilitate whatever signals need to be sent so that when I run git pull inside the Docker container, this agent sends a signal to 1Password on the host asking for authentication.

1Password Version: 80600043 (beta channel)
Extension Version: N/A
OS Version: macOS 12.3β

Comments

  • altano
    Community Member

    Are you SSHing into the Docker container from your local machine with 1Password? If so, can you use SSH agent forwarding? The 1P SSH docs don't mention it isn't supported but I haven't tested it myself.

  • altano
    Community Member
    edited February 26

    I was curious so I just tested ForwardAgent with 1Password's agent: it works! 🎉

    • Local machine is a Mac with 1Password+agent.
    • I ssh'd into HostA which has my public key in authorized_keys
    • From within that ssh session, I ssh'd into HostB which also has my public key in authorized_keys. HostA does NOT have 1Password (it's a headless Linux lxc container)

    ~/.ssh/config entry is simple:

    host <myhost>
        ForwardAgent yes
    

    Note that ForwardAgent has some serious security considerations everyone should heed: https://vincent.bernat.ch/en/blog/2020-safer-ssh-agent-forwarding. In your case, you're treating your Docker container as a trusted local development machine and were ready to mount your private keys into it, so using ForwardAgent would obviously be even more secure and just fine for your situation.

    1Password experts: is there an opportunity for 1Password's agent to make ForwardAgent more secure by prompting on every use of the key, even through a server we've forwarded the key to? AddKeysToAgent confirm doesn't seem to accomplish this.

  • Ryan Parman
    Community Member
    edited February 27

    Without looking into your links (yet), it's important to note that the first hop (from host to local container) isn't over SSH. I'm using docker run, not ssh.

    SSH only comes into play during the second hop from the container → GitHub.

    I'm trying to figure out how to leverage 1P8 for the first hop.

  • SeanSith
    Community Member
    edited March 29

    I tried a 1Password 8 beta update (to "8700028, on Beta channel") and my preferred setup now works (it didn't before)!

    Nope, I was mistaken. I was testing in the wrong window.

    We're using a setup similar to what is described at blog.unixshell.se/2020/01/quick-tip-use-host-ssh-agent-in-docker/.

    Effectively we've been doing the following:

    docker-compose.yml:

    version: '3'
    
    services:
      app:
        image: ruby:3.1   # most images should work, but I last tested with 'ruby:3.1'
        environment:
          SSH_AUTH_SOCK: /ssh-agent
        volumes:
          - $SSH_AUTH_SOCK:/ssh-agent
    

    then executing docker compose run --rm app /bin/bash and performing SSH activities from there.

    At this point, using the 1Password 8 SSH-Agent, I receive the following error:

    Error response from daemon: error while creating mount source path '/host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock': mkdir /host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock: operation not supported
    

    But when I use the macOS default ssh-agent at /run/host-services/ssh-auth.sock, it works fine.

  • SeanSith
    Community Member

    We had been using a setup similar to what is described at blog.unixshell.se/2020/01/quick-tip-use-host-ssh-agent-in-docker/.

    Effectively we've been doing the following:

    docker-compose.yml:

    version: '3'
    
    services:
      app:
        image: ruby:3.1   # most images should work, but I last tested with 'ruby:3.1'
        environment:
          SSH_AUTH_SOCK: /ssh-agent
        volumes:
          - $SSH_AUTH_SOCK:/ssh-agent
    

    then executing docker compose run --rm app /bin/bash and performing SSH activities from there.

    Unfortunately, with the 1Password agent, we receive the following error message:

    Error response from daemon: error while creating mount source path '/host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock': mkdir /host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock: operation not supported
    

    This works just fine with the macOS default SSH agent.

    Setup:

    • macOS 12.3
    • Docker Desktop for Mac 4.6.1
    • 1Password 8 (80700028, on BETA channel)

  • oandreyev
    Community Member

    Using Linux and Docker, it's pretty easy to forward agent to docker... but...

    Here the command:

    docker-compose run -it -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent php bash
    

    running ssh -vvv [email protected]

    getting logs:

    debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:DOtczsfW9/BfTeVkOL4jqTmT7z4BOkocRdFs3LjG4ng
    sign_and_send_pubkey: signing failed for RSA "SSH Key | RSA 4096" from agent: agent refused operation
    

    1P logs:

    ==> 1Password_r00018.log <==
    INFO  2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:foundation/op-sys-info/src/process_information/linux.rs:367] no GUI info available to determine top level parent
    ERROR 2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-session-info/src/linux.rs:10] process tree is empty
    WARN  2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:356] Unable to get client_info for pid: 826034
    

    so the problem is that 1P is trying to open Password Prompt and fails.

  • floris_1P
    Team Member
    edited June 27

    @SeanSith @Ryan Parman
    On macOS, you should be able to 'forward' your SSH_AUTH_SOCK to your Docker container by adding these magic flags to your docker run command:
    -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock"
    More info here and here.

    One thing to keep in mind here though is that you will be authorizing Docker Desktop entirely. So every new Docker container launched from any terminal tab will automatically be authorized to use that key.

  • SeanSith
    Community Member

    @floris_1P That socket is/was macOS's default ssh-agent socket. Is 1Password hooking into that/overwriting it somehow to make this work? I'd tried to mount the socket from the original SSH documentation into the container but was probably blocked by sandboxing. I'm curious because that reduces the amount of setup my users will have to go through and potentially unlocks some other usage for us.

  • floris_1P
    Team Member
    edited June 27

    @SeanSith Could you try if this works:

    export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
    docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" alpine sh -c 'apk add openssh && ssh-add -l'
    
  • SeanSith
    Community Member

    @floris_1P Yes, both what you suggested 3 hours ago and your most recent message work. More surprised that it does because I had previously not been able to talk to 1Password when using macOS's default ssh-agent socket. Prior to integrating with 1Password for ssh-agent support, we'd been passing macOS's agent using the same socket. In initial testing, however, /run/host_services/ssh-auth.sock had not worked. Glad that it does now, though, as it helps us avoid having to tweak docker-compose.yml files for our development team.

  • floris_1P
    Team Member

    Great!
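A small helper, added here and not taken from any post in the thread, that assembles the docker run flags for the two cases discussed above (Docker Desktop's fixed relay socket on macOS, the resolved SSH_AUTH_SOCK on Linux) and refuses to proceed when the host socket is missing; the function names and the Alpine smoke test are my own and assume a POSIX shell with readlink -f.

```sh
# Added example (not from the thread): build the `docker run` flags that hand the
# host's SSH agent to a container. On macOS, Docker Desktop only exposes its relay
# socket at a fixed path (mounting 1Password's agent.sock directly fails with
# "operation not supported"); on Linux the agent socket itself is bind-mounted.

DD_SOCK=/run/host-services/ssh-auth.sock   # fixed path provided by Docker Desktop for Mac

# agent_mount_args OS [SOCK]: print the -v/-e flags for `docker run`, or return 1
# with a reason on stderr. OS is "darwin" or "linux"; SOCK is the host's SSH_AUTH_SOCK
# (only needed on Linux).
agent_mount_args() {
    os=$1
    sock=$2
    case "$os" in
        darwin)
            # Docker Desktop relays the host agent through DD_SOCK, so the container
            # mounts that relay socket rather than 1Password's agent.sock.
            printf '%s\n' "-v $DD_SOCK:$DD_SOCK -e SSH_AUTH_SOCK=$DD_SOCK"
            ;;
        linux)
            [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is not set on the host" >&2; return 1; }
            # Resolve symlinks so the bind mount targets the real socket file
            # (the readlink -f step from the Linux command quoted in the thread).
            real=$(readlink -f "$sock") || { echo "cannot resolve $sock" >&2; return 1; }
            [ -S "$real" ] || { echo "$real is not a unix socket; is the agent running?" >&2; return 1; }
            printf '%s\n' "-v $real:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent"
            ;;
        *)
            echo "unsupported OS: $os" >&2
            return 1
            ;;
    esac
}

# Stand-alone use: build the flags for this host and list the forwarded keys from
# inside a throw-away Alpine container (the ssh-add -l check suggested above).
run_agent_smoke_test() {
    flags=$(agent_mount_args "$(uname -s | tr '[:upper:]' '[:lower:]')" "$SSH_AUTH_SOCK") || return 1
    # $flags is intentionally word-split into separate docker arguments.
    docker run --rm $flags alpine sh -c 'apk add -q openssh-client && ssh-add -l'
}
```

Calling run_agent_smoke_test prints the key fingerprints the container can see, or a non-zero exit with the reason the socket could not be forwarded.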
