How to add an SSH passphrase to Docker and remove it after it has been used?
The question sounds simple in nature, but I cannot find a secure and simple solution.
The problem is as follows: I have a project in which I want to pull dependencies from a private git repository to build a runtime environment, and then delete the SSH key and the SSH passphrase. I cannot skip the passphrase, because it is enforced by the git remote.
- I'm having a hard time pushing the SSH passphrase so that SSH does not prompt for it
- I'm having a hard time understanding how to do this securely
The question is: how do I do this, and is such an approach also secure?
I'm working in Docker and can probably install any open-source software on it.
Enable BuildKit:
The docker build has a --ssh option to allow the Docker Engine to forward SSH agent connections.
You can ssh-add your private key to ssh-agent.
From the ssh-add man page:
If any file requires a passphrase, ssh-add asks for the passphrase from the user.
From the ssh-agent man page:
The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.
The ssh-agent will never send a private key over its request channel. ...
Example Dockerfile from the documentation:
# syntax=docker/dockerfile:experimental
FROM alpine
# Install ssh client and git
RUN apk add --no-cache openssh-client git
# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Clone private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject
Build the image: docker build --ssh default
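The following is an added example, not code from the question, the answer or the Docker documentation. It shows the host-side workflow around the answer's approach (passphrase typed once into ssh-agent on the host, only the agent socket handed to BuildKit, agent killed afterwards) together with an offline lint that flags the patterns the answer is steering away from: a private key copied into a layer, a passphrase passed as a build ARG or ENV, or a git-over-ssh clone without --mount=type=ssh. The lint, the two constructed sample Dockerfiles and the function names are my own; build_with_agent assumes Docker with BuildKit and OpenSSH ssh-agent/ssh-add on the host.

```shell
#!/bin/sh
# Added example, not code from the original answer. Two pieces:
#   1. lint_dockerfile: an offline check that a Dockerfile takes the agent-forwarding
#      route and does not bake SSH keys or passphrases into image layers.
#   2. build_with_agent: the host-side workflow around `docker build --ssh default`.
# Assumptions: POSIX sh with grep -E; for build_with_agent also Docker with BuildKit
# and OpenSSH ssh-agent/ssh-add on the host.

# Return 0 if the Dockerfile at $1 only reaches SSH through a BuildKit ssh mount,
# 1 if it copies key material, passes a passphrase via ARG/ENV, or clones over
# ssh without --mount=type=ssh. Findings are printed, one per line.
lint_dockerfile() {
    file="$1"
    status=0
    # Keys copied into a layer stay in the image even if a later RUN deletes them.
    if grep -Eiq '^(COPY|ADD)[[:space:]].*(id_rsa|id_ed25519|id_ecdsa|\.ssh/)' "$file"; then
        echo "FAIL: COPY/ADD of SSH key material in $file"
        status=1
    fi
    # Build args and env vars are recorded in the image config and docker history.
    if grep -Eiq '^(ARG|ENV)[[:space:]].*(passphrase|ssh_pass)' "$file"; then
        echo "FAIL: passphrase supplied through ARG/ENV in $file"
        status=1
    fi
    # Any RUN line that talks to git over ssh must carry the ssh mount.
    if grep -E '^RUN[[:space:]]' "$file" | grep 'git@' | grep -vq -- '--mount=type=ssh'; then
        echo "FAIL: git-over-ssh RUN line without --mount=type=ssh in $file"
        status=1
    fi
    return "$status"
}

# Write two constructed sample Dockerfiles into a temp dir and print its path:
# good.Dockerfile follows the answer's pattern, bad.Dockerfile bakes the key in.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
RUN apk add --no-cache openssh-client git
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject
EOF
    cat > "$dir/bad.Dockerfile" <<'EOF'
FROM alpine
ARG SSH_PASSPHRASE
RUN apk add --no-cache openssh-client git
COPY id_rsa /root/.ssh/id_rsa
RUN git clone git@github.com:myorg/myproject.git myproject && rm /root/.ssh/id_rsa
EOF
    echo "$dir"
}

# Host-side build: the passphrase is typed once into ssh-agent on the host, only the
# agent socket is exposed to the build, and the agent is killed afterwards.
# $1 = path to the passphrase-protected private key, $2 = image tag, $3 = build context
build_with_agent() {
    key="$1"; tag="$2"; context="$3"
    eval "$(ssh-agent -s)"                    # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT  # drop the unlocked key even if the build fails
    ssh-add "$key"                            # prompts for the passphrase here, never inside Docker
    DOCKER_BUILDKIT=1 docker build --ssh default -t "$tag" "$context"
    # Sanity check: the image should hold known_hosts but no private key.
    docker run --rm "$tag" sh -c 'ls -la ~/.ssh && ! ls ~/.ssh/id_* 2>/dev/null'
}
```

Run the lint against your own Dockerfile with lint_dockerfile path/to/Dockerfile before building. One caveat that applies to the answer's Dockerfile as well: ssh-keyscan trusts whatever host answers at build time, so compare the recorded key against the fingerprint published by the git host (or commit a pre-verified known_hosts file) rather than relying on the scan alone.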