
On OS X user always has to enter passphrase for protected SSH key #2

Open
udondan opened this issue Jul 12, 2017 · 7 comments

@udondan
Collaborator

udondan commented Jul 12, 2017

Silo forwards the SSH socket into the container. Docker for Mac currently does not support mounting sockets into a container. Therefore the user's SSH key (which gets mounted) is used. If this key is protected by a passphrase, the user will always have to unlock the key on every Silo call.

The original problem is described here:

There is an experimental workaround we might want to look into, as it seems the problem is not going to be addressed anytime soon on Docker's side: https://github.com/uber-common/docker-ssh-agent-forward

@dMopp

dMopp commented Jul 20, 2017

ssh-add does not help?

@udondan
Collaborator Author

udondan commented Jul 24, 2017

We're doing an ssh-add and that's where the passphrase is requested. Since the Silo container is not persistent, the authentication agent won't know about the previously added key when the container is started again. Therefore you need to enter the passphrase every time ansible/ansible-playbook is invoked.

@woneill
Contributor

woneill commented Sep 14, 2017

Using the docker-ssh-agent-forward workaround has been working pretty well for me, especially since I'm using gpg-agent with ssh-support mode. Once I've set up the forward, I use this ~/.ansible-silo file:

silo_ssh_key_forwarding() {
  local auth_sock_link_dir auth_sock_dir link_target forwarding_status return=""

  # Prefer the docker-ssh-agent-forward (pinata) socket when its sshd
  # container is running. stderr is silenced so a missing pinata-sshd
  # container is handled the same way as a stopped one.
  if command -v pinata-ssh-mount >/dev/null 2>&1; then
    forwarding_status=$(docker inspect -f '{{.State.Running}}' pinata-sshd 2>/dev/null)
    if [[ "${forwarding_status}" == 'true' ]]; then
      return=$(pinata-ssh-mount)
      echo "${return}"
      return
    fi
  fi

  # Original silo_ssh_key_forwarding(): mount the directory holding the
  # agent socket into the container and pass SSH_AUTH_SOCK through.
  if [[ -n "${SSH_AUTH_SOCK}" ]]; then
    if [[ -L "${SSH_AUTH_SOCK}" ]]; then
      # The socket path is a symlink (e.g. gpg-agent). Also mount the
      # directory the link points to, otherwise the link is dangling
      # inside the container. Relative link targets are resolved against
      # the link's own directory.
      link_target="$(readlink "${SSH_AUTH_SOCK}")"
      [[ "${link_target}" == /* ]] || link_target="$(dirname "${SSH_AUTH_SOCK}")/${link_target}"
      auth_sock_link_dir="$(cd "$(dirname "${link_target}")" && pwd -P)"
      return+="--volume \"${auth_sock_link_dir}\":\"${auth_sock_link_dir}\" "
    fi
    auth_sock_dir="$(dirname "${SSH_AUTH_SOCK}")"
    return+="--volume \"${auth_sock_dir}\":\"${auth_sock_dir}\" "
    return+="--env SSH_AUTH_SOCK"
  fi
  echo "${return}"
}
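As an added example (not Silo's code and not the function above), the following resolves SSH_AUTH_SOCK to the directory that actually holds the agent socket before building the `docker run` flags, so the agent is reachable in the container without ever mounting the private key file. The function names, the single-mount layout (pointing SSH_AUTH_SOCK at the resolved path instead of mounting both the link and target directories) and the sample paths are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of Silo or the issue thread.
# Goal: share the host's SSH agent socket with a container instead of the
# key file, so a passphrase-protected key stays unlocked in the host agent
# and no per-run `ssh-add` prompt is needed.

# Print the real path of the agent socket, following one level of symlink
# (the gpg-agent / launchd layouts on macOS). Relative link targets are
# resolved against the link's own directory, and the directory part is
# canonicalised so the bind-mount source is stable across runs.
resolve_agent_socket() {
  sock="$1"
  if [ -L "$sock" ]; then
    target="$(readlink "$sock")"
    case "$target" in
      /*) ;;
      *) target="$(dirname "$sock")/$target" ;;
    esac
    sock="$target"
  fi
  printf '%s/%s\n' "$(cd "$(dirname "$sock")" && pwd -P)" "$(basename "$sock")"
}

# Emit the `docker run` arguments that bind-mount the socket's real directory
# and set SSH_AUTH_SOCK to the path inside that mount. Returns 1 when no
# usable agent socket exists (unset, missing, or a dangling link), which is
# exactly the situation where a mounted key would trigger the passphrase
# prompt described in the issue.
agent_forward_args() {
  link="${SSH_AUTH_SOCK:-}"
  [ -n "$link" ] && [ -e "$link" ] || return 1
  real="$(resolve_agent_socket "$link")"
  dir="$(dirname "$real")"
  printf '%s %s:%s --env SSH_AUTH_SOCK=%s\n' "--volume" "$dir" "$dir" "$real"
}

# Usage: docker run $(agent_forward_args) ... ; check inside the container
# with `ssh-add -l` (exit 2 means the socket is not reachable).
```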

udondan added a commit that referenced this issue Dec 7, 2017
@udondan
Collaborator Author

udondan commented Jun 6, 2018

@woneill I've been using your function for a while now, and pinata works reliably for me and my team.

May I use your function as is to include in the next Silo release? Or if you like, send a PR so you're credited appropriately for the contribution.

@woneill
Contributor

woneill commented Jun 6, 2018

Awesome! Feel free to use the function as-is since I likely found it elsewhere and wouldn't want to claim credit inappropriately.

I'm interested in seeing how you suggest new users set up pinata. That's been a stumbling block for me when encouraging people to use Docker in general.

@udondan
Collaborator Author

udondan commented Jun 8, 2018

Thanks @woneill, documentation for this is pending but I just added the function.

BTW, I am using a fork from Uber as the original is not working for me: https://github.com/uber-common/docker-ssh-agent-forward

udondan added a commit that referenced this issue Jun 8, 2018
#2: Implements pinata forwarded keys for MacOS
@udondan
Collaborator Author

udondan commented Jun 8, 2018

2.2.0 just got released with your function. Thanks again. 😸
