Compose: docker-compose fails with ssh:// protocol with PasswordRequiredException: Private key file is encrypted

Created on 9 Feb 2019 · 9 Comments · Source: docker/compose

It seems that the current paramiko code in docker-compose is flawed and fails to use the ssh key loaded in the agent.

It seems that the same bug also affects docker-py at https://github.com/docker/docker-py/issues/2251 but I am sure that this use-case is covered by paramiko because other tools using it have no problems using the ssh key (example ansible).

It should not be hard to replicate the issue locally using a loopback ssh connection, no need for a remote server.

export DOCKER_HOST=ssh://$USER@localhost
docker info
# ^ this works, docker is able to use the ssh protocol

docker-compose build

The command above will choke with an error similar to below:

$ docker-compose build                                                                                                                                                                                 {u'stackOrchestrator': u'swarm'}
Connected (version 2.0, client OpenSSH_7.4)
Authentication (publickey) failed.
Authentication (publickey) failed.
Traceback (most recent call last):
File "/Users/ssbarnea/.pyenv/versions/2.7.15/bin/docker-compose", line 11, in <module>
sys.exit(main())
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/main.py", line 71, in main
command()
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/main.py", line 124, in perform_command
project = project_from_options('.', options)
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 42, in project_from_options
compatibility=options.get('--compatibility'),
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 123, in get_project
host=host, environment=environment
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 94, in get_client
environment=environment, tls_version=get_tls_version(environment)
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/docker_client.py", line 127, in docker_client
client = APIClient(**kwargs)
File "/Users/ssbarnea/os/docker-py/docker/api/client.py", line 166, in __init__
base_url, timeout, pool_connections=num_pools
File "/Users/ssbarnea/os/docker-py/docker/transport/sshconn.py", line 94, in __init__
password=None
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/paramiko/client.py", line 437, in connect
passphrase,
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/paramiko/client.py", line 749, in _auth
raise saved_exception
paramiko.ssh_exception.PasswordRequiredException: Private key file is encrypted

I removed the encrypted key, hoping that docker will use the agent one, but instead it fails with

paramiko.ssh_exception.AuthenticationException: Authentication failed.

Proof that I do have the key working (and obviously doing ssh works):

$ ssh-add -l
4096 SHA256:IIgRCJ84QIlEIoYJ1RiFYRwPlbxXVr3z/7jo+FTM6zg  (RSA)

All 9 comments

It proved to be caused by paramiko https://github.com/paramiko/paramiko/issues/1383 -- in case someone else encounters it we could maybe add a runtime warning if the ssh:// url does not contain a user. A missing user does not mean that the ~/.ssh/config one will be used, it just means the current user.

docker will use the one from ssh config but docker-compose or docker-py would not!
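
A pre-flight check along the lines of the runtime warning proposed above, which also covers the too-many-agent-keys caveat raised later in the thread. This is an added example, not code from docker-compose, docker-py or paramiko: the function names, sample config and agent listing are constructed, the config parser handles only plain Host blocks, and the key-count check assumes the server keeps sshd's default MaxAuthTries of 6.

```python
import fnmatch
import getpass
from urllib.parse import urlsplit

SSHD_DEFAULT_MAX_AUTH_TRIES = 6  # OpenSSH sshd default; assumes the server keeps it

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONFIG = """
Host build.example.test
    User deploy
Host *
    User fallback
"""
SAMPLE_AGENT = "4096 SHA256:constructed-fingerprint-0 demo-key (RSA)\n"


def config_user(config_text, hostname):
    """First matching `User` for hostname; plain Host globs only (no Match/Include)."""
    active, user = True, None  # options before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatch(hostname, p) for p in value.split())
        elif key == "user" and active and user is None:
            user = value  # ssh_config: the first value obtained wins
    return user


def preflight(docker_host, config_text="", agent_listing="", local_user=None):
    """Return warnings for an ssh:// DOCKER_HOST before running docker-compose."""
    url = urlsplit(docker_host)
    if url.scheme != "ssh":
        return []
    warnings = []
    local_user = local_user or getpass.getuser()
    wanted = config_user(config_text, url.hostname or "")
    if url.username is None:
        # Behaviour reported in the thread: current user, not the ssh config user.
        msg = "no user in URL, connecting as %s" % local_user
        if wanted and wanted != local_user:
            msg += "; ssh config has User %s for this host" % wanted
        warnings.append(msg)
    keys = [l for l in agent_listing.splitlines() if l[:1].isdigit()]
    if not keys:
        warnings.append("ssh-agent holds no keys")
    elif len(keys) > SSHD_DEFAULT_MAX_AUTH_TRIES:
        warnings.append("ssh-agent holds %d keys, more than MaxAuthTries %d"
                        % (len(keys), SSHD_DEFAULT_MAX_AUTH_TRIES))
    return warnings
```

Pass it the value of DOCKER_HOST, the text of ~/.ssh/config and the output of ssh-add -l; an empty list means none of the conditions discussed in this thread were detected.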

How to fix it?

I have the same problem, I'm using windows 10 cmd. Docker info works, but not docker compose. I have DOCKER_HOST=ssh://[email protected] and the exact same bug as you.
"paramiko.ssh_exception.PasswordRequiredException: Private key file is encrypted"

if the ssh:// url does not contain a user.

root is the user in my url, right? I still have this bug though
I don't have a .ssh/config

@ssbarnea

same problem

I encountered the same error. It seems like ~/.ssh/config is not respected.

Adding the key to ssh-agent fixed it for me. ssh-add -K ~/.ssh/customkey. Make sure you don't have too many keys in your agent otherwise it will try all keys and it might fail before reaching the correct one.

Can't help it on Windows. Used -k (Load only keys and not certificates) since there was no -K option in ssh-add.
I also created config file with User and IdentityFile properties for given host, even though I believe it's not needed in my case.
docker -H commands work, but docker-compose -H still gives me paramiko.ssh_exception.AuthenticationException: Authentication failed.

Is this issue resolved?

Having the same problem. Can't deploy with docker context.
