Permissions issue with authorized_keys #7

@sarahnyxx

There's an issue with this line of the docker-compose.yml file:

- $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro

Mounting the authorized_keys file will cause a problem with UID/GID mapping within the container. When I opened an sh session with docker exec -it bastion /bin/sh and poked around, I discovered that the file is marked with owner and group "1000" (matching my user on the docker host system I used to run docker-compose up -d).

The sshd daemon will use the authorized_users file to allow a user to log in only if the file is owned by the user being logged in. Being owned by root, or by a UID other than bastion's 4096, causes the SSH client to return Permission denied (publickey, keyboard-interactive).

I debugged this by modifying my docker-compose.yml to mount the authorized_keys file as read-write, and via sh inside the container, to chown bastion:bastion /var/lib/bastion/authorized_keys. After these steps were taken, I was able to log in with an ssh client.

Another solution is to sudo chown 4096:4096 authorized_keys from the docker host itself to match the UID/GID to the user in the container, and is probably the better solution. However, this is not documented at all in the README.md.

Perhaps I'm just missing an otherwise intuitive understanding that prevents this issue, but passing this along as something I experienced.

Thanks
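
A host-side pre-flight check for the ownership problem reported above, as an added example that is not part of the original issue or the project's code. It assumes GNU coreutils `stat` on a Linux Docker host; the function name `check_authorized_keys` is hypothetical, and the group/world-writable check is an addition based on sshd's StrictModes behaviour rather than something the issue reports.

```shell
#!/bin/sh
# Added example: pre-flight check for the bind-mounted authorized_keys file.
# Assumes GNU coreutils stat (Linux Docker host). A bind mount keeps the host
# file's numeric UID/GID, so checking on the host predicts what sshd will see.

# check_authorized_keys FILE [UID] [GID]
# Defaults to 4096:4096, the bastion user's IDs reported in this issue.
# Only the owner UID is enforced; GID is used for the suggested chown.
# Returns 0 if usable, 1 on an ownership/mode problem, 2 if FILE is missing.
check_authorized_keys() {
    file=$1
    want_uid=${2:-4096}
    want_gid=${3:-4096}
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2
        return 2
    fi

    have_uid=$(stat -c %u "$file")   # numeric owner
    have_gid=$(stat -c %g "$file")   # numeric group
    mode=$(stat -c %a "$file")       # octal permission bits

    if [ "$have_uid" != "$want_uid" ]; then
        echo "FAIL: owner UID is $have_uid, container user is $want_uid" >&2
        echo "      fix on the host: sudo chown $want_uid:$want_gid $file" >&2
        rc=1
    fi

    # sshd's StrictModes also refuses key files writable by group or others.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: mode $mode is group/world-writable; try chmod 600 $file" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is $have_uid:$have_gid mode $mode"
    return "$rc"
}

# Usage on the Docker host, before starting the stack:
#   check_authorized_keys "$PWD/authorized_keys" && docker-compose up -d
```
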
