3 stable releases

1.0.4 Apr 23, 2024

#15 in #secret-store

26 downloads per month

MIT license

51KB
366 lines

podman_ssh_auth

Store and use encrypted docker-hub secret_token with SSH key
version: 1.0.4 date: 2024-04-23 author: bestia.dev repository: GitHub

work-in-progress rustlang docker-hub

License Rust

Lines in Rust code Lines in Doc comments Lines in Comments Lines in examples Lines in tests

Hashtags: #maintained #ready-for-use #rustlang #automation #workflow
My projects on GitHub are more like a tutorial than a finished product: bestia-dev tutorials.
I recommend using the CRUSTDE - Containerized Rust Development Environment to write Rust projects on Linux, isolated from your system.

Motivation

To access docker-hub you need a username+password or an access secret_token.
IMPORTANT: Treat access secret_tokens like your password and keep them secret. Store your secret_tokens securely in a credential manager for example.
Access secret_tokens are impossible to remember for an average human. We need to store them somewhere.
FYI: Podman is an alternative "drop-in replacement" for Docker.
I am sure they both store the docker-hub secret_token for login with the command:

podman login --username user_name docker.io
docker login --username user_name docker.io

WARNING: Be aware that they store the secret_token in "plain-text" in the file: ${XDG_RUNTIME_DIR}/containers/auth.json.
Ok, it is not really plain-text, but base64 encoding is not a security feature.
This means that every attacker that can get to this well-known file, can log in to our Docker Hub account. No bueno!!!

I want to secure this secret_token with encryption with an SSH key.
We have already a lot of experience creating, managing and securing our SSH keys. The private key is secured by a passphrase we can remember and type. Every use of the secret_token will need user interaction to type the passphrase. Very secure.

If we are very self-confident in our current session, we can store the SSH key in ssh-agent and write our passphrase only once.
WARNING: a dedicated attacker could read from ssh-agent and discover the access secret_token without our user interaction. Use this at your discretion.

Replacement command

Put the executable podman_ssh_auth into the folder you intend to use it.
After copying, make it executable with chmod +x podman_ssh_auth.
Instead of podman push... use podman_ssh_auth push.
If it finds the encrypted secret_token it will ask you for the passphrase to the private SSH key. Else it will ask you to store the secret_token.

Development details

Read the development details in a separate md file: DEVELOPMENT.md

Releases changelog

Read the releases changelog in a separate md file: RELEASES.md

TODO

And code happily ever after...

Open-source and free as a beer

My open-source projects are free as a beer (MIT license).
I just love programming.
But I need also to drink. If you find my projects and tutorials helpful, please buy me a beer by donating to my PayPal.
You know the price of a beer in your local bar ;-)
So I can drink a free beer for your health :-)
Na zdravje! Alla salute! Prost! Nazdravlje! 🍻

//bestia.dev
//github.com/bestia-dev
//bestiadev.substack.com
//youtube.com/@bestia-dev-tutorials

Dependencies

~28–43MB
~755K SLoC