docker run --rm -t -i -v $(dirname $SSH_AUTH_SOCK) -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK ubuntu /bin/bash
@unphased
volume $SSH_AUTH_SOCK:/ssh-agent
and ENV SSH_AUTH_SOCK=/ssh-agent worked for me for years.
But after I've upgraded packages to the latest (ubuntu 22), the agent just stopped working! I mean - ssh-add -l was saying that it does not have access to the agent.
Thank you, your snippet works! Spent the whole day on this issue ))
Check if you use docker from snap. On my Kubuntu 22.04 I removed docker from snap and installed it using apt, and the problem was fixed.
the latest official documentation helped me with docker-compose setup
https://docs.docker.com/desktop/networking/#ssh-agent-forwarding
is there a version of setup for Redhat linux and distributions based on it like CentOS and Rocky?
the latest official documentation helped me with docker-compose setup https://docs.docker.com/desktop/networking/#ssh-agent-forwarding
That seems to be specific to Docker Desktop. What about Colima and/or Podman?
Based on @tomdavies' post, I created this Dockerfile, which uses the USER statement in order to have an unprivileged container instead of su-exec:
FROM python:3.11.6-alpine
RUN apk --no-cache add --update \
    socat \
    sudo
RUN addgroup --gid 1001 -S ansible && adduser --uid 1001 -S ansible -G ansible -h /home/ansible
# Allow the ansible user to run only the socket-relay script via sudo
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/create-ansible-agent-socket.sh' > /etc/sudoers
# Relay the agent socket mounted at /root/.ssh/agent to a socket under /home/ansible
RUN echo 'socat UNIX-LISTEN:/home/ansible/.ssh/agent,fork,user=ansible,group=ansible,mode=777 UNIX-CONNECT:/root/.ssh/agent' > /usr/local/bin/create-ansible-agent-socket.sh
RUN chmod +x /usr/local/bin/create-ansible-agent-socket.sh
# Start the relay in the background, then run the requested command against the relayed socket
RUN echo 'sudo /usr/local/bin/create-ansible-agent-socket.sh & SSH_AUTH_SOCK=/home/ansible/.ssh/agent "$@"' > /entrypoint.sh
USER ansible
RUN mkdir -p /home/ansible/.ssh && chown ansible:ansible /home/ansible/.ssh
# Exec form needs a valid JSON array, so each element is quoted
ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
you run it then with
docker run -it -u ansible \
    -v "$SSH_AUTH_SOCK":/root/.ssh/agent \
    -e SSH_AUTH_SOCK=/root/.ssh/agent \
    name cmd
@benjertho After struggling for hours with the same problem (works on first shell login but after that fails), I tried a hack and it worked! Sharing here:
- Add an entrypoint line to the Dockerfile:
ENTRYPOINT ["/ros_entrypoint.sh"]
- In the entrypoint script, add the following at the top:
# Dynamically set SSH_AUTH_SOCK if an agent socket is available in the mounted /tmp directory.
# find can match more than one socket, so take the first match only.
agent_sock="$(find /tmp -type s -name 'agent.*' 2>/dev/null | head -n 1)"
if [ -n "$agent_sock" ]; then
    export SSH_AUTH_SOCK="$agent_sock"
fi
- Add the following to your compose.yaml:
environment:
  - SSH_AUTH_SOCK=/tmp/ssh-agent
volumes:
  - /tmp:/tmp
Now the ssh auth sock will be set appropriately every time.
run docker -p 222:22 && apt install openssh-server && $(edit /etc/ssh/sshd_config to enable root login)
on your Mac or Git Bash
eval $(ssh-agent -s)
ssh-add
ssh -A toDockerContainer
Thanks! You pointed me in the right direction for a very similar problem. Here’s my take on it, implemented within a Makefile. This is very much specific to a macOS problem with a Docker Desktop solution.
# izumanetworks.com ai-edge-runner
run:
	@if [ -z "$(WORKSPACE_PATH)" ]; then \
		echo "Error: Please specify the path to map using MAP=/path/to/map"; \
		exit 1; \
	fi
	@if [ -z "$(SSH_AUTH_SOCK)" ]; then \
		echo "Error: SSH agent is not running. Please start it with 'eval $$(ssh-agent -s)' and add your key with 'ssh-add'."; \
		exit 1; \
	fi
	docker run -it \
		--name $(CONTAINER_NAME) \
		-e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \
		-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
		-v $(WORKSPACE_PATH):/izuma \
		--entrypoint /bin/bash \
		$(IMAGE_NAME)
The magic is that even though macOS doesn’t have a /run/blah/blah path, Docker Desktop creates /run/host-services/ssh-auth.sock as a special bridge to your host system’s SSH_AUTH_SOCK.
To test, run ssh-add -l inside the container to list your keys and ssh -T [email protected] to verify connectivity. This approach works seamlessly with Docker Desktop on macOS.
the latest official documentation helped me with docker-compose setup https://docs.docker.com/desktop/networking/#ssh-agent-forwarding
That seems to be specific to Docker Desktop. What about Colima and/or Podman?
Did you ever figure this out on Podman specifically?
@unphased Probably due to the symlink situation, as @arunthampi noticed here.
The line that worked for me was
docker run -i -t -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent ubuntu /bin/bash
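The symlink-resolving mount from the comments above, written as a pre-flight check that runs before `docker run`. This is an added example, not code from the gist or from any commenter. It resolves `$SSH_AUTH_SOCK`, refuses anything that is not a socket owned by the calling user, and emits a mount for the socket file alone rather than for `/tmp` or the socket's directory. The function name `agent_mount_args` and its exit codes are made up for this example, and it assumes the socket path contains no whitespace.

```shell
#!/bin/sh
# Added example: validate the host agent socket before bind-mounting it.
# /ssh-agent is the in-container path used in the comments above.
CONTAINER_SOCK=/ssh-agent

# Print "-v <host socket>:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent" for the
# socket path given as $1 (default: $SSH_AUTH_SOCK).
# Exit codes: 1 = no agent path, 2 = path does not resolve to anything,
#             3 = not a socket, 4 = socket not owned by the calling user.
agent_mount_args() {
    sock="${1:-${SSH_AUTH_SOCK:-}}"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is empty; start an agent and run ssh-add" >&2
        return 1
    fi
    # Resolve symlinks so the socket itself is mounted, not a link that
    # would dangle inside the container.
    real="$(readlink -f "$sock" 2>/dev/null)" || real=""
    if [ -z "$real" ] || [ ! -e "$real" ]; then
        echo "agent socket $sock does not resolve to an existing path" >&2
        return 2
    fi
    if [ ! -S "$real" ]; then
        echo "$real is not a Unix socket" >&2
        return 3
    fi
    if [ ! -O "$real" ]; then
        echo "$real is not owned by the current user" >&2
        return 4
    fi
    printf '%s\n' "-v $real:$CONTAINER_SOCK -e SSH_AUTH_SOCK=$CONTAINER_SOCK"
}

# Usage (left as a comment so that sourcing this file starts no container):
#   args="$(agent_mount_args)" && docker run --rm -it $args ubuntu /bin/bash
```

Any process in the container that can open `/ssh-agent` can ask the agent to sign with every loaded key for as long as the container runs, so load only the keys the job needs before starting it.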