SSH Forwarding in Docker
If you’re building your application inside a Docker container, and you need to pull dependencies from a git server (e.g. Github or Gitlab) using SSH, you need to forward your SSH session to the container.
Here’s how I did it in Docker 24.0.
When you run docker build, tell it to forward your SSH agent to the build with the following:
docker build --ssh default .
Inside your Dockerfile, use RUN --mount=type=ssh on the step that needs the keys. So, for example, if you're using NPM, that would be something like the following:
RUN --mount=type=ssh npm install
Restricting SSH key use
Try to restrict the scope of the SSH keys to just the step that fetches your dependencies.
For example, if you’re using Erlang’s rebar3, that would look like this:
RUN --mount=type=ssh rebar3 get-deps
RUN rebar3 compile --deps_only
Host key verification failed
When fetching from (e.g.) Github, you might see the following error:
Host key verification failed.
fatal: Could not read from remote repository.
To fix this, put the following in your Dockerfile:
RUN mkdir -p -m 0700 $HOME/.ssh && \
ssh-keyscan github.com >> $HOME/.ssh/known_hosts && \
ssh-keyscan gitlab.com >> $HOME/.ssh/known_hosts
The above has Github and Gitlab; delete as appropriate.
MitM
Note that you're potentially vulnerable to a MitM attack, because ssh-keyscan blindly accepts whatever host key it is handed at build time and writes it into known_hosts. If you're concerned about that, read this Server Fault question.
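As an added example (not code from the original post), here is a Dockerfile that combines the scoped --mount=type=ssh step from the "Restricting SSH key use" section with a pinned known_hosts file copied from the build context instead of a build-time ssh-keyscan, which removes the MitM exposure described above. It assumes a Node.js project and a checked-in build/known_hosts file whose entries you verified out of band against the provider's published host key fingerprints.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original post. Assumptions: a Node.js app whose
# package.json pulls private dependencies over SSH, and a file build/known_hosts
# in the build context holding host keys verified against the provider's
# published fingerprints. Build with: docker build --ssh default .
FROM node:20-alpine AS deps

RUN apk add --no-cache git openssh-client

# Pin host keys: copy the verified file rather than trusting whatever key the
# network returns during the build. The weaker alternative from the post is:
#   RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
# Fail the build early if the pinned file has no entry for the host we expect.
COPY build/known_hosts /root/.ssh/known_hosts
RUN chmod 0700 /root/.ssh && chmod 0600 /root/.ssh/known_hosts && \
    ssh-keygen -F github.com -f /root/.ssh/known_hosts >/dev/null || \
    { echo "build/known_hosts has no entry for github.com" >&2; exit 1; }

# Make git's ssh reject any host not in the pinned file instead of prompting
# (a prompt would fail the non-interactive build anyway; this documents intent).
ENV GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts"

WORKDIR /app
COPY package.json package-lock.json ./

# The forwarded agent socket exists only for this one RUN step; later layers
# cannot reach it and the private key is never written into the image.
RUN --mount=type=ssh npm ci

# Final stage copies only the fetched dependencies, so neither the agent socket
# nor the known_hosts bootstrap is part of the runtime image.
FROM node:20-alpine
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
CMD ["node", "server.js"]
```

ssh-keygen -F exits non-zero when the host has no entry, so a missing or stale pinned file fails the build instead of silently falling back to an unverified key.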
References
These are a bit dated, but they were useful in figuring out the details: