What is an ssh-agent?
Today I learned about ssh-agent and how it works, thanks to https://twitter.com/plv for that. And if you came for the thumbnail of this post, it's not about Agent 47 or anything like that. We talk about SSH, keys, and authentication.
The problem
I had to clone (via git) a custom-built package for PHP from a private repository inside a docker container.
I ended up doing some googling to find out how we can achieve that. Since we could not just copy-paste our ssh keys inside a container like that, there had to be some workaround.
So, I ended up asking for help and knowledge on how to do it properly.
The encounter
As it was explained to me by https://twitter.com/plv, the ssh-agent is a daemon that should run alongside sshd. Whenever you want to use ssh to pull something or access something remotely, it uses an unencrypted version of your ssh keys, so you don't need to type your passphrase every time you run the ssh command.
Behind the scene
In my case, I had to access something from a private repository that only my keys gave me access to.
Basically, from the perspective of another machine (here it's the docker container) that needs to access the same resources as I do, that machine uses my ssh-agent. To be clear, the ssh-agent is reached through a socket, but let's call it a tunnel.
This tunnel is used to funnel the traffic through the ssh-agent, which is accessible on my local machine. To make such a thing work in docker, we can mount the socket pointed to by $SSH_AUTH_SOCK as a volume.
How to enable it?
Just run ssh-add so it loads your keys into your agent, but make sure your ssh-agent is up and running first.
Next, you will get a message that it's done; just check with ssh-add -l, and if it lists something, you are good to go.
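To show what is actually behind that socket and what ssh-add -l asks it for, here is an added Python client (not from the original post) that sends the agent's REQUEST_IDENTITIES message over the unix socket in $SSH_AUTH_SOCK and decodes the answer the same way ssh-add -l does; the message numbers come from the SSH agent protocol draft (draft-miller-ssh-agent), and SAMPLE_ANSWER at the bottom is a constructed reply with a fake all-zero key so the parser can be run without a live agent.

```python
import base64, hashlib, os, socket, struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_FAILURE = 5

def _string(data: bytes) -> bytes:
    # Encode an SSH "string": uint32 big-endian length + payload.
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    # Decode one SSH "string" at offset off; return (payload, next offset).
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities() -> bytes:
    # Frame SSH_AGENTC_REQUEST_IDENTITIES: uint32 length (1) + one type byte.
    return struct.pack(">I", 1) + bytes([SSH_AGENTC_REQUEST_IDENTITIES])

def parse_identities_answer(msg: bytes) -> list:
    # Parse an IDENTITIES_ANSWER body (length prefix already removed) into
    # (key_type, fingerprint, comment) tuples, the data `ssh-add -l` prints.
    if msg[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent answered SSH_AGENT_FAILURE")
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % msg[0])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(msg, off)      # public key in wire format
        comment, off = _read_string(msg, off)   # e.g. user@host from ssh-keygen
        key_type, _ = _read_string(blob, 0)     # first string inside the blob
        digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
        keys.append((key_type.decode(), "SHA256:" + digest.decode(), comment.decode()))
    return keys

def list_agent_identities(sock_path: str = None) -> list:
    # Ask the live agent (unix socket in $SSH_AUTH_SOCK) which keys it holds.
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request_identities())
        f = s.makefile("rb")                    # read(n) blocks until n bytes arrive
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))

# Constructed sample answer: one fake ed25519 key (32 zero bytes, not a real key).
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + _string(_string(b"ssh-ed25519") + _string(bytes(32)))
                 + _string(b"alice@laptop"))
```

Call list_agent_identities() on a machine with an agent running and it returns the same keys, fingerprints and comments that ssh-add -l shows.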
Use cases
- Whenever you want your remote host (a VPS for example) to access the same things as you, just add ssh -A .... and your agent will be forwarded.
- When using docker, you can use the $SSH_AUTH_SOCK as such:
version: '3'
services:
  app:
    container_name: yourcontainer
    environment:
      - SSH_AUTH_SOCK=/ssh-agent
    image: yourapp
    volumes:
      - ${SSH_AUTH_SOCK}:/ssh-agent
You set SSH_AUTH_SOCK in the environment so that ssh inside the container knows at runtime where the custom ssh-agent socket is, here it's /ssh-agent.
In the volume, you are only mapping your host's SSH_AUTH_SOCK socket inside the container.
Going inside your docker container / remote host, just do ssh -T [email protected] and you will be authenticated as you.
BEWARE
Don't use ssh -A all the time: if your server is compromised, you might allow an attacker to use your ssh-agent socket, so they can literally access your other data that needs ssh. Use it with extreme care.
Let's talk about the obvious: using a passphrase when doing ssh-keygen is necessary. You don't want to have bare-naked keys dangling around; if your local PC is compromised, you are screwed.
And there you have it, now I know about ssh-agent and you do too. ;)