compose: docker-compose fails with ssh:// protocol with PasswordRequiredException: Private key file is encrypted

It seems that the current paramiko code in docker-compose is flawed and fails to use the ssh key loaded in the agent.

It seems that the same bug also affects docker-py at https://github.com/docker/docker-py/issues/2251 but I am sure that this use-case is covered by paramiko because other tools using it have no problems using the ssh key (example ansible).

It should not be hard to replicate the issue locally using a loopback ssh connection, no need for a remote server.

export DOCKER_HOST=ssh://$USER@localhost
docker info
# ^ this works, docker is able to use the ssh protocol

docker-compose build

The command above will choke with an error similar to the one below:

$ docker-compose build                                                                                                                                                                                 {u'stackOrchestrator': u'swarm'}
Connected (version 2.0, client OpenSSH_7.4)
Authentication (publickey) failed.
Authentication (publickey) failed.
Traceback (most recent call last):
File "/Users/ssbarnea/.pyenv/versions/2.7.15/bin/docker-compose", line 11, in <module>
sys.exit(main())
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/main.py", line 71, in main
command()
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/main.py", line 124, in perform_command
project = project_from_options('.', options)
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 42, in project_from_options
compatibility=options.get('--compatibility'),
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 123, in get_project
host=host, environment=environment
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/command.py", line 94, in get_client
environment=environment, tls_version=get_tls_version(environment)
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/compose/cli/docker_client.py", line 127, in docker_client
client = APIClient(**kwargs)
File "/Users/ssbarnea/os/docker-py/docker/api/client.py", line 166, in __init__
base_url, timeout, pool_connections=num_pools
File "/Users/ssbarnea/os/docker-py/docker/transport/sshconn.py", line 94, in __init__
password=None
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/paramiko/client.py", line 437, in connect
passphrase,
File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/paramiko/client.py", line 749, in _auth
raise saved_exception
paramiko.ssh_exception.PasswordRequiredException: Private key file is encrypted

I removed the encrypted key, hoping that docker will use the agent one, but instead it fails with

paramiko.ssh_exception.AuthenticationException: Authentication failed.

The proof that I do have a working key (and obviously doing ssh works):

$ ssh-add -l
4096 SHA256:IIgRCJ84QIlEIoYJ1RiFYRwPlbxXVr3z/7jo+FTM6zg  (RSA)

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (1 by maintainers)

Most upvoted comments

I encountered the same error. It seems like ~/.ssh/config is not respected.

Adding the key to ssh-agent fixed it for me. ssh-add -K ~/.ssh/customkey. Make sure you don’t have too many keys in your agent, otherwise it will try all keys and it might fail before reaching the correct one.

Can’t help it on Windows. Used -k (Load only keys and not certificates) since there was no -K option in ssh-add. I also created a config file with User and IdentityFile properties for the given host, even though I believe it’s not needed in my case. docker -H commands work, but docker-compose -H commands are still giving me paramiko.ssh_exception.AuthenticationException: Authentication failed.

It proved to be caused by paramiko https://github.com/paramiko/paramiko/issues/1383 – in case someone else encounters it we could maybe add a runtime warning if the ssh:// url does not contain a user. A missing user does not mean that the ~/.ssh/config one will be used, it just means the current user.

docker will use the one from ssh config but docker-compose or docker-py would not!
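
One way to implement the runtime warning suggested in the comment above (an added example, not code from this thread, docker-compose or docker-py). The functions `ssh_config_user` and `check_docker_host`, the host `build-box` and the sample config are hypothetical; the ssh_config parsing covers only `Host` patterns and `User`, and the current-user fallback is the behaviour the comment describes.

```python
import fnmatch
import getpass
from urllib.parse import urlparse

# Constructed ~/.ssh/config content, for illustration only.
SAMPLE_SSH_CONFIG = """\
Host build-box
    HostName 192.0.2.10
    User deploy
    IdentityFile ~/.ssh/customkey

Host *
    User fallback
"""


def ssh_config_user(config_text, host):
    """Return the first User that applies to host (first match wins in ssh_config)."""
    applies = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            applies = any(fnmatch.fnmatch(host, p) for p in value.split())
        elif key == "user" and applies:
            return value
    return None


def check_docker_host(docker_host, config_text, current_user=None):
    """Return (user a paramiko-based client logs in as, warning or None)."""
    url = urlparse(docker_host)
    if url.scheme != "ssh":
        return None, None  # not an ssh:// endpoint, nothing to check
    current_user = current_user or getpass.getuser()
    if url.username:
        return url.username, None  # explicit user in the URL, no ambiguity
    cfg_user = ssh_config_user(config_text, url.hostname)
    if cfg_user and cfg_user != current_user:
        return current_user, (
            "DOCKER_HOST=%s has no user: login will be attempted as %r, "
            "not %r from ssh config" % (docker_host, current_user, cfg_user))
    return current_user, None


if __name__ == "__main__":
    print(check_docker_host("ssh://build-box", SAMPLE_SSH_CONFIG, "alice")[1])
```
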

@moracabanas How can I upgrade docker-compose on this setup to 1.28.2?

If you right click the Docker Desktop icon in your taskbar and click “Check for Updates” it will bring up a window with the new version. After it installs you can run docker-compose version again and you should see 1.28.5 or greater.

Hi! Would you mind trying with docker-compose 1.28.0-rc2 / rc3 please? This version connects via shellout to the ssh client, it is not using paramiko.

I’ve just tried this with docker-compose 1.28.2 and it works perfectly. Thanks!
