What is an ssh-agent?

Today I learned about ssh-agent and how it works, thanks to https://twitter.com/plv for that. And despite the thumbnail of this post, it’s not about Agent 47 or anything of the sort: we’re talking about SSH, keys, and authentication.

The problem

I had to clone (via git) a custom-built PHP package from a private repository inside a Docker container.

I ended up doing some googling to find out how to achieve that. Since we can’t just copy our SSH keys into the container like that, there had to be a workaround.

So I ended up asking for help to learn how to do it properly.

The encounter

As explained by https://twitter.com/plv, the ssh-agent is a daemon that should run alongside sshd. Whenever you use ssh to pull something or access something remotely, it uses the unencrypted (decrypted) copy of your SSH keys that the agent holds, so you don’t need to type your passphrase every time you run the ssh command.

Behind the scene

In my case, I had to access a private repository that only my keys gave me access to.

Basically, another machine (here, the Docker container) that needs to access the same resources as I do goes through the ssh-agent. To be precise, the ssh-agent is reached through a socket, but let’s call it a tunnel.

This tunnel funnels the traffic through the ssh-agent running on my local machine. To make this work in Docker, we can mount the socket pointed to by $SSH_AUTH_SOCK as a volume.

How to enable it?

Just run ssh-add so it loads your keys into the agent, but first make sure your ssh-agent is up and running.

You will get a prompt saying it’s done; then check with ssh-add -l. If a key is listed, you are good to go.

Use cases

  • Whenever you want your remote host (a VPS, for example) to access the same things as you, add -A to your ssh command (ssh -A ...) and your agent will be forwarded.

  • When using Docker, you can use $SSH_AUTH_SOCK like this:

version: '3'
services:
  app:
    container_name: yourcontainer
    environment:
      - SSH_AUTH_SOCK=/ssh-agent
    image: yourapp
    volumes:
      - ${SSH_AUTH_SOCK}:/ssh-agent

You override SSH_AUTH_SOCK in the environment so that, at runtime, the container knows where the custom ssh-agent socket is (here /ssh-agent). In the volumes section, you are only mapping your host’s SSH_AUTH_SOCK socket into the container. From inside your Docker container or remote host, just run ssh -T [email protected] and you will be authenticated as you.

BEWARE

Don’t use ssh -A all the time: if the server is compromised, you may be handing an attacker the use of your ssh-agent socket, and with it access to everything else your keys unlock. Use it with extreme care.

Let’s state the obvious: using a passphrase with ssh-keygen is necessary. You don’t want bare, unencrypted keys lying around; if your local PC is compromised, you are screwed.
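Putting the "How to enable it" steps, the Docker use case and the warning above together, here is an added example script (not code from the original post or from plv). It assumes OpenSSH’s ssh-agent and ssh-add; the key path and the /ssh-agent mount point are placeholders. It also goes one step beyond the post: ssh-add -c makes the agent ask for confirmation on every signature, so a forwarded or mounted socket cannot be used silently.

```shell
# Added example, not code from the original post. Assumes OpenSSH's
# ssh-agent/ssh-add; the key path and /ssh-agent mount point are placeholders.

# True only when SSH_AUTH_SOCK names a real socket (the thing docker mounts).
agent_socket_ok() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Classify the agent via ssh-add -l exit codes:
# 0 = keys loaded, 1 = agent running but empty, 2 = agent unreachable.
agent_state() {
    agent_socket_ok || { echo "no-agent"; return; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "has-keys" ;;
        1) echo "empty" ;;
        *) echo "no-agent" ;;
    esac
}

# Start an agent in the current shell only if none is reachable.
ensure_agent() {
    [ "$(agent_state)" != "no-agent" ] || eval "$(ssh-agent -s)" >/dev/null
}

# Load a key the careful way: -c makes the agent ask for confirmation on
# every signature, so a forwarded socket (ssh -A, or the docker mount) cannot
# sign silently; -t evicts the key after the lifetime. -c needs ssh-askpass.
load_key() {
    ssh-add -c -t 1h "${1:-$HOME/.ssh/id_ed25519}"
}

# `docker run` flags equivalent to the compose file's environment + volumes.
docker_agent_flags() {
    printf '%s %s:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent\n' -v "$SSH_AUTH_SOCK"
}

# Usage: sh agent-up.sh up [path/to/key]
if [ "${1:-}" = "up" ]; then
    ensure_agent && load_key "$2" && ssh-add -l && docker_agent_flags
fi
```

With -c in place, each use of the key from the container or the forwarded host pops a confirmation on your local machine, which is the check you want before trusting ssh -A.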

And there you have it: now I know about ssh-agent, and so do you. ;)