
"It is required that your private key files are NOT accessible by others."

screen shot here

My current user has only read rights for the key.pem file (downloaded directly from Amazon). Still this does not resolve the permission issues.

docker-compose:

version: '3'
services:
  pg-tunnel:
    image: cagataygurturk/docker-ssh-tunnel:latest
    volumes:
      - ./config:/root/ssh/config:ro
      - ./key.pem:/root/ssh/key.pem:ro
    environment:
      TUNNEL_HOST: ec2-tunnel
      REMOTE_HOST: ---.rds.amazonaws.com
      LOCAL_PORT: 5432
      REMOTE_PORT: 5432
    ports:
      - 5432:5432

SSH config:

Host ec2-tunnel
        HostName ---.beta.tailscale.net
        IdentityFile /root/ssh/key.pem
        User ec2-user
        ForwardAgent yes
        TCPKeepAlive yes
        ConnectTimeout 5
        ServerAliveCountMax 10
        ServerAliveInterval 15

Versions: OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2, Windows 10, Microsoft Windows [Version 10.0.19044.2006]

  • It looks like you're trying to run ssh from inside a container, is that correct? You would need to make sure the permissions inside the container are correct, not in your Windows host.
    – heavyd
    Commented Nov 14, 2022 at 22:29
  • Thank you for answering. What do you mean by the permissions in the container? How can I edit this?
    Commented Nov 15, 2022 at 8:28
  • I fixed your text quote from the screenshot. It is very important to use the correct terms. Public and private key are different things with very different secrecy requirements. // The permissions you set on Windows are (mostly) irrelevant when mounted in a Docker container. They are not fully mapped to Linux octal permissions.
    – Daniel B
    Commented Nov 15, 2022 at 8:52

1 Answer


After re-evaluating the situation, I once again strongly advise you not to use this Docker image. It is hard-coded to not perform host key checking, which critically undermines SSH security to provide some negligible comfort. Additional problems exist with the image.

Your config file has a slight mistake. The image copies everything from /root/ssh to /root/.ssh and then fixes the permissions. For this to be effective, the configuration needs to point at the private key at /root/.ssh. As such, you must use this:

IdentityFile /root/.ssh/key.pem

It will then work.


Using Docker for this task is overkill. I recommend using the OpenSSH client that ships with Windows instead. It will be faster and use tremendously fewer resources. Alternatively, you could use Plink from the PuTTY suite of tools.

Yet another possibility is to use a full VPN tunnel with WireGuard. Setup is relatively easy, too.


Obsolete answer because I didn’t read the original Dockerfile correctly:

This Docker Desktop behavior is documented. From the Troubleshooting page:

Permissions errors on data directories for shared volumes

When sharing files from Windows, Docker Desktop sets permissions on shared volumes to a default value of 0777 (read, write, execute permissions for user and for group).

The default permissions on shared volumes are not configurable. If you are working with applications that require permissions different from the shared volume defaults at container runtime, you need to either use non-host-mounted volumes or find a way to make the applications work with the default file permissions.

So you cannot make this work with a mounted file.

The way forward with this problem is to use a Dockerfile to build your own specialized image:

FROM cagataygurturk/docker-ssh-tunnel:latest

ADD key.pem /root/.ssh/
ADD config /root/.ssh/

RUN chmod 600 /root/.ssh/key.pem /root/.ssh/config

In your docker-compose.yml, have this instead:

version: '3'
services:
  pg-tunnel:
    build: .
    environment:
      TUNNEL_HOST: ec2-tunnel
      REMOTE_HOST: ---.rds.amazonaws.com
      LOCAL_PORT: 5432
      REMOTE_PORT: 5432
    ports:
      - 5432:5432
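The mechanism the answer relies on, copying the bind-mounted files out of /root/ssh into a directory the container owns and then tightening the modes, can be reproduced and checked outside Docker. The script below is an added example; it is neither the answerer's code nor the real entrypoint of the docker-ssh-tunnel image, and the directory names and the constructed key file are assumptions for the demo. It applies the same rule the OpenSSH client uses when it rejects a key ("Permissions 0777 for 'key.pem' are too open"): any group or other permission bit on the private key is a failure, which is exactly what Docker Desktop's 0777 default on shared volumes produces. It also returns the "cp: can't stat" condition from the comments as a non-zero exit instead of an unhandled error.

```shell
#!/bin/sh
# Added example, not the answerer's code and not the docker-ssh-tunnel image's
# real entrypoint: emulate "copy /root/ssh into /root/.ssh, then fix the
# permissions" and verify the result the way the OpenSSH client does.
# All paths and the key file used in the demo are constructed for this script.

# Return 0 when the file has no group/other permission bits (e.g. 0600, 0400),
# 1 otherwise. Uses GNU stat and falls back to BSD/macOS stat.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *[1-7][0-7] | *[0-7][1-7]) return 1 ;;   # group or other digit non-zero
        *) return 0 ;;
    esac
}

# Copy the staged files from $1 (the read-only mount, 0777 under Docker Desktop)
# into $2 (a directory owned by the container user) and tighten the modes.
# Returns 1 if the source directory is missing, which is the
# "cp: can't stat '/root/ssh/*'" failure reported in the comments.
install_ssh_files() {
    src=$1; dst=$2
    [ -d "$src" ] || return 1
    mkdir -p "$dst"
    chmod 700 "$dst"
    cp "$src"/* "$dst"/
    chmod 600 "$dst"/*
    key_perms_ok "$dst"/key.pem
}

# Stand-alone demo:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/ssh"
    printf 'constructed placeholder, not a real key\n' > "$work/ssh/key.pem"
    chmod 777 "$work/ssh/key.pem"          # what the bind-mounted file looks like
    key_perms_ok "$work/ssh/key.pem" && echo "unexpected: 0777 key accepted"
    install_ssh_files "$work/ssh" "$work/.ssh" && echo "key installed with mode 600"
    rm -rf "$work"
fi
```

Run it with `sh tunnel-perms.sh demo`. The check is deliberately the same one ssh applies (mode & 077 must be zero), so a file that passes key_perms_ok will not be refused by the client, and a file taken straight from the Docker Desktop mount will always fail it, which is why the copy step in the answer is required rather than a chmod on the Windows side.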
  • Thank you. I get the following error when building the image: C:\Users\XXX> docker run -it --name magenta_item cagataygurturk/docker-ssh-tunnel:latest cp: can't stat '/root/ssh/*': No such file or directory
    Commented Nov 15, 2022 at 10:57
  • You don’t build images using docker run. Since you have a Compose file, you should be using docker compose build.
    – Daniel B
    Commented Nov 15, 2022 at 11:04
  • Silly question. Thanks again. After building (docker-compose build), do I need to do anything else? When I try to connect to the DB, I get the following error: connection to server at "localhost" (::1), port 5432 failed: Connection refused (0x0000274D/10061).
    Commented Nov 15, 2022 at 21:51
  • You did run the container using docker compose up, right? And from the logs it did start correctly, yes? Try using 127.0.0.1 instead of localhost. There is a difference.
    – Daniel B
    Commented Nov 16, 2022 at 8:15
  • On docker compose up I get the following error: "cp: can't stat '/root/ssh/*': No such file or directory". Surprising as I can't see any reference to ssh.
    Commented Nov 21, 2022 at 10:46
