Ryan_Parman
February 24, 2022
Question

[Feature Request] Using 1P SSH from inside a local Docker container


My team and I regularly use Docker for lightweight local environments that are pre-configured with things we need to develop that project. (It helps avoid things like "works on my machine".) If I need to work on a Terraform module, I can launch the Docker environment that has all the tools I need pre-installed and ready-to-go, and I can make my changes, run tests, and perform all sorts of general software development tasks. When I'm done, I press Ctrl+D.

We can easily read specific environment variables from the host environment and pass them into the Docker environment (e.g., AWS credentials, Terraform variables), and for Git, we can mount the local SSH directory into the container in read-only mode so that we can fetch and push (-v ~/.ssh:/root/.ssh:ro) to GitHub Enterprise.

Herein lies the problem with migrating the SSH keys into 1Password and not having them on-disk. There's nothing to mount, and 1Password only runs on the host. The low-fi solution is to keep my SSH keys on-disk for Docker, while copying them into 1P for use with that SSH agent, but then what's the point to using 1Password SSH?

A higher-fi solution (since this is desktop-use Docker; not for deployment) would be the ability to mount a unix socket from the host into the Docker container, and have some kind of tiny agent built for Linux (namely Alpine Linux) that can run and facilitate whatever signals need to be sent so that when I run git pull inside the Docker container, this agent sends a signal to 1Password on the host asking for authentication.


1Password Version: 80600043 (beta channel)
Extension Version: N/A
OS Version: macOS 12.3β

39 replies

Jack_P_1P
1Password Employee
December 22, 2022

Hi @aetos:

Are you able to configure which command is used to connect to your container? If you use ssh -A to forward your SSH agent, then you should be prompted to use 1Password for SSH. Let me know how you get on with that.

Jack

December 23, 2022

I use docker run -it and do not use SSH to connect to the container.

February 9, 2023

Did anyone get any further with this from a Windows box? I'd be really interested to know if anyone has got that to work as that's exactly what I'm trying to do. I want to develop in VSCode/devcontainers from my Windows machine but have 1P handle the ssh keys to my repos in GitHub.

Jack_P_1P
1Password Employee
February 9, 2023

Hi @ajm1811:

Are you using WSL2 or Hyper-V backed containers? I've just tested on my end, and I was able to use WSL2 backed containers with 1Password SSH agent. Let me know.

Jack

February 9, 2023

Thanks for the reply @Jack_P_1P. I'm using WSL2. Running ssh-add -l from inside the container does indeed list my key. Also ssh -T git@github.com passes as well. But when I try to clone my repo from inside the container I get this:

Any idea what I'm missing?

Jack_P_1P
1Password Employee
February 10, 2023

Hi @ajm1811:

Thanks for following up! I've done a bit more investigation into this, and have determined the cause. When VSCode deploys a devcontainer, it copies some of your dotfiles from your Windows profile into your container for a consistent experience. One of the files copied in is your ~/.gitconfig file. Because of this, any settings that are set in your Windows ~/.gitconfig file are now set in the container.

The solution for this is two separate actions to take:
- If when you installed Git for Windows, you selected "Use bundled OpenSSH" or an option to pick which SSH client wasn't available, uninstall and reinstall Git for Windows, and select "Use external OpenSSH".

- Additionally, remove the setting sshCommand = C:/Windows/System32/OpenSSH/ssh.exe from your ~/.gitconfig file in your Windows profile.

This will result in Git in the context of Windows no longer having a bundled SSH, which means it'll use the system SSH (which is supported by 1Password SSH agent). When your ~/.gitconfig is copied into the container, it won't contain the line setting the SSH command, so your container won't attempt to use an SSH it can't access.

Let me know how you get on with that!

Jack
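An added check, not from 1Password or anyone in this thread, for the condition Jack describes: a core.sshCommand in a Windows ~/.gitconfig that points at a Windows-only ssh.exe and is then inherited by the devcontainer. It parses the gitconfig text itself (so it works on the copied file inside the container too); the function names and the sample paths are my own.

```shell
#!/bin/sh
# Added example: flag a core.sshCommand that cannot work inside a Linux
# container. Not part of the thread or of 1Password's documentation.

# Print the value of core.sshCommand from a gitconfig file (nothing if unset).
# Only the [core] section counts; git config keys are case-insensitive.
gitconfig_ssh_command() {
  awk '
    /^[[:space:]]*\[/ { in_core = (tolower($0) ~ /^[[:space:]]*\[core]/); next }
    in_core && tolower($0) ~ /^[[:space:]]*sshcommand[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }
  ' "$1"
}

# Return 0 when the command is a Windows path or binary: a drive-letter
# path (C:/...) or an .exe, neither of which resolves in the container.
is_windows_only_ssh() {
  case "$1" in
    [A-Za-z]:[/\\]*|*.exe|*.exe\ *) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one gitconfig file: prints "unset", "windows-ssh", or "ok".
check_gitconfig() {
  cmd=$(gitconfig_ssh_command "$1")
  if [ -z "$cmd" ]; then echo unset
  elif is_windows_only_ssh "$cmd"; then echo windows-ssh
  else echo ok
  fi
}

# Usage: ./check-gitconfig.sh ~/.gitconfig  (or the copy inside the container)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  echo "$1: $(check_gitconfig "$1")"
fi
```

A result of "windows-ssh" on the container's copy is exactly the state Jack's two steps (reinstall Git for Windows with "Use external OpenSSH", drop the sshCommand line) are meant to clear.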

February 11, 2023

@Jack_P_1P - it worked!! I had to uninstall git a couple of times, delete any remaining files and then reboot before reinstalling but it's working now. Thanks so much.

Jack_P_1P
1Password Employee
February 13, 2023

Glad to hear it @ajm1811! Feel free to get in touch if there's anything else we can help you with.

Jack

March 18, 2023

@floris_1P can you help me with this? - this is in docker for mac - followed all steps here https://developer.1password.com/docs/ssh/agent/compatibility/#ssh-auth-sock

However, this works great.

export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" alpine sh -c 'apk add openssh && ssh-add -l'


fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/aarch64/APKINDEX.tar.gz
(1/10) Installing openssh-keygen (9.1_p1-r2)
(2/10) Installing ncurses-terminfo-base (6.3_p20221119-r0)
(3/10) Installing ncurses-libs (6.3_p20221119-r0)
(4/10) Installing libedit (20221030.3.1-r0)
(5/10) Installing openssh-client-common (9.1_p1-r2)
(6/10) Installing openssh-client-default (9.1_p1-r2)
(7/10) Installing openssh-sftp-server (9.1_p1-r2)
(8/10) Installing openssh-server-common (9.1_p1-r2)
(9/10) Installing openssh-server (9.1_p1-r2)
(10/10) Installing openssh (9.1_p1-r2)
Executing busybox-1.35.0-r29.trigger
OK: 15 MiB in 25 packages
256 SHA256:[XXXXXX] SSH Key ED25519 M2 (ED25519)

My current docker-compose has the following:

environment:
  # no quotes inside a list item: YAML keeps them as part of the value
  - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock
volumes:
  - /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock

Jack_P_1P
1Password Employee
March 24, 2023

Hi @girish:

I notice this looks like Visual Studio Code's remote development extension. Is that correct? Would you mind sharing the contents of ~/.ssh/config from macOS, rather than your Docker container? I'll be able to dig in more once I've seen your SSH config.

Jack