Using ssh with Inspec via the docker container


#1

Guys,

A couple of caveats - I am new to both InSpec and Docker so I am bound to be doing something wrong.

I have created a bunch of tests in Inspec and attempted to test them on a target host using SSH and keys. I am using the containerised version of Inspec but I can’t get it to authenticate. I’m sure it’s obvious but my head is getting sore banging on the desk.

So here’s what I’m doing

Daves-MacBook-Pro:InSpec dave$ docker run -it --rm -v $(pwd):/share chef/inspec exec initial -t ssh://dave@distribution --key-files=~/.ssh/id_rsa --user=dave --log-level=debug
D, [2018-06-12T21:20:25.321296 #1] DEBUG -- : [SSH] dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}> (uname -s)
D, [2018-06-12T21:20:25.321553 #1] DEBUG -- : [SSH] opening connection to dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}>
I, [2018-06-12T21:20:25.709652 #1] INFO -- : [SSH] connection failed, retrying in 1 seconds (#<Net::SSH::AuthenticationFailed: Authentication failed for user dave@distribution>)
D, [2018-06-12T21:20:26.711534 #1] DEBUG -- : [SSH] opening connection to dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}>
I, [2018-06-12T21:20:26.863483 #1] INFO -- : [SSH] connection failed, retrying in 1 seconds (#<Net::SSH::AuthenticationFailed: Authentication failed for user dave@distribution>)
D, [2018-06-12T21:20:27.863964 #1] DEBUG -- : [SSH] opening connection to dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}>
I, [2018-06-12T21:20:28.135679 #1] INFO -- : [SSH] connection failed, retrying in 1 seconds (#<Net::SSH::AuthenticationFailed: Authentication failed for user dave@distribution>)
D, [2018-06-12T21:20:29.137781 #1] DEBUG -- : [SSH] opening connection to dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}>
I, [2018-06-12T21:20:29.389034 #1] INFO -- : [SSH] connection failed, retrying in 1 seconds (#<Net::SSH::AuthenticationFailed: Authentication failed for user dave@distribution>)
D, [2018-06-12T21:20:30.392144 #1] DEBUG -- : [SSH] opening connection to dave@distribution<{:user_known_hosts_file=>"/dev/null", :port=>22, :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :auth_methods=>["none", "publickey"], :keys_only=>true, :keys=>["~/.ssh/id_rsa"], :password=>"", :forward_agent=>nil, :proxy_command=>nil, :verify_host_key=>false}>
W, [2018-06-12T21:20:30.736623 #1] WARN -- : [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user dave@distribution>)
Transport error, can't connect to 'ssh' backend: SSH session could not be established

To prove that the key file is valid

Daves-MacBook-Pro:InSpec dave$ ssh distribution -i ~/.ssh/id_rsa
Last login: Tue Jun 12 22:18:24 2018 from 192.168.1.150
Distribution-Server:~ dave$

What am I doing wrong - apologies if it’s really obvious :slight_smile:

Regards

Dave


#2

If you run InSpec via docker, you need to make sure your ssh directory is mapped into the container too, otherwise InSpec running inside the container has no access to your local ssh key.
~/.ssh/id_rsa

You can test that by:

docker run -it --rm -v $(pwd):/share -v /Users/chartmann/.ssh:/ssh centos /bin/bash
[root@bc70254721d3 /]# ls /ssh
id_rsa  id_rsa.pub  known_hosts
[root@bc70254721d3 /]# 

Therefore

docker run -it --rm -v $(pwd):/share -v /Users/dave/.ssh:/ssh chef/inspec exec initial -t ssh://dave@distribution --key-files=/ssh/id_rsa --user=dave --log-level=debug

should work
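
Added example, not part of the original posts: a shell wrapper for the fix described in #2 that checks the key on the host first and bind-mounts only that one key file, read-only, instead of the whole ~/.ssh directory. The function names are hypothetical; the chef/inspec image, the /share mount and the /ssh path are taken from the commands in the thread, and `:ro` is Docker's read-only bind-mount suffix.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Resolve a key path as typed on the host. The debug log in #1 shows
# :keys=>["~/.ssh/id_rsa"]: the "~" after "--key-files=" was passed through
# unexpanded, and the container had no such key to read.
expand_key_path() {
  case "$1" in
    "~/"*) printf '%s\n' "$HOME/${1#??}" ;;   # strip the leading "~/"
    /*)    printf '%s\n' "$1" ;;
    *)     printf '%s\n' "$PWD/$1" ;;
  esac
}

# usage: inspec_over_ssh [--dry-run] KEY USER@HOST PROFILE
inspec_over_ssh() {
  dry_run=0
  if [ "$1" = "--dry-run" ]; then dry_run=1; shift; fi
  host_key=$(expand_key_path "$1"); target=$2; profile=$3

  # Fail on the host with a clear message instead of repeated
  # Net::SSH::AuthenticationFailed retries from inside the container.
  if [ ! -f "$host_key" ] || [ ! -r "$host_key" ]; then
    echo "private key not readable on host: $host_key" >&2
    return 1
  fi
  # Warn if the private key is readable by group or others.
  loose=$(find "$host_key" -prune \( -perm -040 -o -perm -004 \))
  if [ -n "$loose" ]; then
    echo "warning: $host_key is group/world readable" >&2
  fi

  # Mount only the one key file, read-only, rather than all of ~/.ssh.
  container_key="/ssh/$(basename "$host_key")"
  set -- docker run -it --rm \
    -v "$PWD:/share" \
    -v "$host_key:$container_key:ro" \
    chef/inspec exec "$profile" -t "ssh://$target" \
    --key-files="$container_key"

  if [ "$dry_run" -eq 1 ]; then
    printf '%s\n' "$@"          # one argument per line, for inspection
  else
    "$@"
  fi
}
```

Calling `inspec_over_ssh --dry-run '~/.ssh/id_rsa' dave@distribution initial` prints the docker arguments without running anything; drop `--dry-run` to execute the scan.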


#3

Many thanks, I’ve been meaning to update the question myself - the problem was my understanding of containers. I realised (after my head was sore from banging on the desk) that the container couldn’t see the key file. Thanks for confirming.