How to debug a non-working passwordless RSA certificate in OpenSSH on Alpine?
I have solved this one, though I don't fully understand why this solves it. (I will accept any answers in preference to my own if anyone has an explanation).
In my Dockerfile I was setting up a user thus:

```
# -s specify a shell; -D = don't prompt for a password
RUN adduser -s /bin/sh -D nonpriv
```
As far as I know that is just a user with a home directory and a null password. However, it looks like I do in fact need to specify a password, so I now also do this:
```
# It looks like passwordless access does not work unless the user
# has a password!
RUN echo 'nonpriv:Password123' | chpasswd
```
That seems odd to me, since the PPK access system should not care what the password of the user is, or whether it has one.
I can now SSH into self:
```
/ $ whoami
nonpriv
/ $ ssh localhost
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

d4dded05c2d1:~$
```
In my case fully password-less ssh required also the following settings:
```
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
```

in the /etc/ssh/ssh_config file in the docker
```
ENV APPUSER=myuser
ENV UID=110
ENV GID=110

RUN set -x ; addgroup -g "$GID" -S "$APPUSER" && \
    adduser \
    -g "$GID" \
    -D \
    -s "/bin/bash" \
    -h "/home/$APPUSER" \
    -u "$UID" \
    -G "$APPUSER" "$APPUSER" && exit 0 ; exit 1

RUN echo "$APPUSER:secret-pass" | chpasswd

RUN ssh-keygen -A

RUN apk add --no-cache procps su-exec sudo coreutils supervisor && \
    apk add --no-cache openrc openssh && \
    mkdir -p /run/openrc/ && touch /run/openrc/softlevel && rc-update add sshd && rc-status && \
    rm -rf /tmp/* /var/cache/apk/* && \
    apk del .build-dependencies

USER myuser

RUN ssh-keygen -q -t rsa -N '' -C '' -f ~/.ssh/id_rsa && \
    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys && \
    chmod 644 ~/.ssh/authorized_keys
```
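Added example, not part of either answer above: both answers get key login working by running `chpasswd` after `adduser -D`, and the check below inspects the shadow password field that `chpasswd` rewrites. It assumes sshd runs without PAM and, as OpenSSH does on Linux in that case, refuses an account whose shadow password field begins with `!` before any key is considered; `shadow_state`, `make_sample` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a user's shadow password field when key-based
# SSH login fails for a freshly created account.
# Assumption: sshd (no PAM) treats a field starting with "!" as a locked
# account and rejects the login regardless of authorized_keys.

# shadow_state FILE USER
# Prints one of: missing | locked | empty | no-password | hash-set
shadow_state() {
    # Exact match on the user name; "found:" separates an empty password
    # field from a user that has no shadow entry at all.
    field=$(awk -F: -v u="$2" '$1 == u { print "found:" $2; exit }' "$1")
    case $field in
        '')          echo missing ;;      # no entry for this user
        'found:!'*)  echo locked ;;       # leading "!": account is locked
        'found:')    echo empty ;;        # null password
        'found:*')   echo no-password ;;  # no usable password, but not locked
        *)           echo hash-set ;;     # a password hash is present
    esac
}

# make_sample FILE: write constructed shadow entries (not real hashes).
make_sample() {
    cat > "$1" <<'EOF'
root:*::0:::::
nonpriv:!:19000:0:99999:7:::
myuser:$6$constructedsalt$constructedhash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
nopw::19000:0:99999:7:::
EOF
}

# Demo over the constructed file.
sample=$(mktemp)
make_sample "$sample"
for u in nonpriv myuser svc nopw ghost; do
    printf '%-8s %s\n' "$u" "$(shadow_state "$sample" "$u")"
done
rm -f "$sample"
```

Inside the container, run `shadow_state /etc/shadow nonpriv` as root. Under the assumption above, `locked` means key login is refused until the field is changed, which is what `chpasswd` does in both answers.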