Socat-based approach

Dockerfile

@@ -1,12 +1,11 @@
 FROM alpine
 MAINTAINER Anil Madhavapeddy <[email protected]>
-RUN apk update && apk add openssh && \
-    apk add --update --repository http://dl-cdn.alpinelinux.org/alpine/edge/community/ tini
+RUN apk update && apk add openssh socat
 RUN mkdir /root/.ssh && \
-    chmod 700 /root/.ssh && \
-    ssh-keygen -A
-COPY ssh-find-agent.sh /root/ssh-find-agent.sh
+    chmod 700 /root/.ssh
+COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh
+COPY docker-entrypoint.sh /
 EXPOSE 22
-VOLUME ["/root/.ssh/authorized_keys"]
-ENTRYPOINT ["/usr/bin/tini","--"]
+VOLUME ["/ssh-agent"]
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/sshd","-D"]

Makefile

@@ -10,7 +10,7 @@ install:
 	@mkdir -p $(PREFIX)/share/pinata-ssh-agent
 	cp Dockerfile $(PREFIX)/share/pinata-ssh-agent
 	cp ssh-build.sh $(PREFIX)/share/pinata-ssh-agent/ssh-build
-	cp ssh-find-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-find-agent.sh
+	cp ssh-forward-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-forward-agent.sh
 	@mkdir -p $(BINDIR)
 	cp pinata-build-sshd.sh $(BINDIR)/pinata-build-sshd
 	cp pinata-ssh-forward.sh $(BINDIR)/pinata-ssh-forward

docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys
+chown root:root /root/.ssh/authorized_keys
+
+ssh-keygen -A
+
+exec "$@"

pinata-build-sshd.sh

@@ -1,4 +1,3 @@
 #!/bin/sh
 
-cd /usr/local/share/pinata-ssh-agent
 docker build -t pinata-sshd .

pinata-ssh-forward.sh

@@ -1,25 +1,39 @@
-#!/bin/sh -e
+#!/bin/sh
+set -e
 
 IMAGE_NAME=pinata-sshd
 CONTAINER_NAME=pinata-sshd
-LOCAL_STATE=~/.pinata-sshd
-LOCAL_PORT=2244
+VOLUME_NAME=ssh-agent
+HOST_PORT=2244
+AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n')
+KNOWN_HOSTS_FILE=$(mktemp -t dsaf.XXX)
+
+trap "rm ${KNOWN_HOSTS_FILE}" EXIT
 
 docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true
-rm -rf ${LOCAL_STATE}
-mkdir -p ${LOCAL_STATE}
+
+docker volume create --name ${VOLUME_NAME}
 
 docker run --name ${CONTAINER_NAME} \
-  -v ~/.ssh/id_rsa.pub:/root/.ssh/authorized_keys \
-  -v ${LOCAL_STATE}:/tmp \
-  -d -p ${LOCAL_PORT}:22 ${IMAGE_NAME} > /dev/null
+  -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \
+  -v ${VOLUME_NAME}:/ssh-agent \
+  -d -p ${HOST_PORT}:22 ${IMAGE_NAME} > /dev/null
+
+if [ "${DOCKER_HOST}" ]; then
+  HOST_IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}')
+else
+  HOST_IP=127.0.0.1
+fi
+
+# FIXME Find a way to get rid of this additional 1s wait
+sleep 1
+while [ 1 ] && ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done
 
-IP=`docker inspect --format '{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostIp }}' ${CONTAINER_NAME}`
-ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${LOCAL_STATE}/known_hosts 2>/dev/null
+ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null
 
-ssh -f -o "UserKnownHostsFile=${LOCAL_STATE}/known_hosts" \
-  -A -p ${LOCAL_PORT} root@${IP} \
-  /root/ssh-find-agent.sh
+ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \
+  -A -p ${HOST_PORT} root@${HOST_IP} \
+  /root/ssh-forward-agent.sh
 
 echo 'Agent forwarding successfully started.'
 echo 'Run "pinata-ssh-mount" to get a command-line fragment that'

pinata-ssh-mount.sh

@@ -1,5 +1,4 @@
 #!/bin/sh
 
-LOCAL_STATE=~/.pinata-sshd
-AGENT=`cat ${LOCAL_STATE}/agent_socket_path | sed -e 's,/tmp/,,g'`
-echo "-v ${LOCAL_STATE}/$AGENT:/tmp/ssh-agent.sock --env SSH_AUTH_SOCK=/tmp/ssh-agent.sock"
+echo "--volume=ssh-agent:/ssh-agent"
+echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock"

ssh-forward-agent.sh

@@ -0,0 +1,6 @@
+#!/bin/sh -e
+# Forward SSH agent socket to a well-known location
+FORWARDED_SOCKET=/ssh-agent/ssh-agent.sock
+
+rm -f ${FORWARDED_SOCKET}
+socat UNIX-LISTEN:${FORWARDED_SOCKET},fork,mode=777 UNIX-CONNECT:${SSH_AUTH_SOCK}