Cannot use SSH credentials inside the dev container with Git #1291

Open
flaprimo opened this issue Sep 29, 2024 · 4 comments

@flaprimo

What happened?
I cannot use Git inside the dev container with imported SSH credentials from Windows to interact with the repository.
The error is "Bad owner or permissions on /home/vscode/.ssh/config".

What did you expect to happen instead?
To leverage the imported SSH credentials to interact with Git.

How can we reproduce the bug? (as minimally and precisely as possible)

  1. Create some SSH credentials to interact with a repository in Windows and edit .ssh/config with an alias for the repository.
  2. Start the container on the Git-tracked project folder in Windows with the following configuration.
  3. Try to pull code from Git.

My devcontainer.json:

// For format details, see https://aka.ms/devcontainer.json. For config options, see the
// README at: https://github.com/devcontainers/templates/tree/main/src/python
{
    "name": "XXXX",
    "image": "mcr.microsoft.com/vscode/devcontainers/python:3.12",
    "customizations": {
        // Configure properties specific to VS Code.
        "vscode": {
            // Set *default* container specific settings.json values on container create.
            "settings": {
                "[python]": {
                    "editor.formatOnType": true,
                    "editor.formatOnSave": true,
                    "terminal.activateEnvInCurrentTerminal": true
                },
                "python.defaultInterpreterPath": ".venv/bin/python"
            },
            // Add the IDs of extensions you want installed when the container is created.
            "extensions": [
                "ms-ceintl.vscode-language-pack-it",
                "ms-python.python",
                "GitHub.copilot-nightly",
                "ms-azuretools.vscode-docker"
            ]
        }
    },
    "forwardPorts": [
        8000,
        6379
    ],
    "hostRequirements": {
        "memory": "2gb"
    },
    "mounts": [
        "source=${localEnv:HOME}${localEnv:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
    ],
    // "postAttachCommand": "chmod +x .devcontainer/setup.sh && .devcontainer/setup.sh"
    // Use 'postCreateCommand' to run commands after the container is created.
    "postCreateCommand": "./.devcontainer/postCreateCommand.sh"
    // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
    // "remoteUser": "root"
}

with "./.devcontainer/postCreateCommand.sh":

# Create venv and install Python dependencies with UV
curl -LsSf https://astral.sh/uv/install.sh | sh
/home/vscode/.cargo/bin/uv sync

# Install pre-commit
source .venv/bin/activate
pre-commit install --install-hooks

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

Local Environment:

  • DevPod Version: 0.5.20
  • Operating System: windows 10 + podman + wsl2
  • ARCH of the OS: AMD64

DevPod Provider:

  • Cloud Provider: NONE
  • Kubernetes Provider: NONE
  • Local/remote provider: docker (podman)
  • Custom provider: NONE

Anything else we need to know?
Credentials seem to be mounted correctly inside the container and the permissions in the script seem to be applied.
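The "Bad owner or permissions" message reported above comes from the ownership and mode test the OpenSSH client applies to the per-user config file, and private keys get a separate, stricter mode test. The following is an added example, not part of the original issue or of DevPod; the function names are hypothetical. It mirrors both tests so the result of the `chmod` calls on a bind-mounted `~/.ssh` can be verified from inside the container.

```shell
#!/bin/sh
# Added example (not from the issue): mirrors the two file checks the OpenSSH
# client applies, so a bind-mounted ~/.ssh can be diagnosed in the container.
# Function names are hypothetical.

# Print "<mode-string> <numeric-uid>" for a path, following symlinks.
_mode_uid() {
    set -- $(ls -ldnL "$1")
    printf '%s %s\n' "$1" "$3"
}

# ~/.ssh/config: owner must be root or the current user, and the file must
# not be group- or world-writable, else "Bad owner or permissions".
ssh_config_perm_status() {
    [ -e "$1" ] || { echo missing; return 1; }
    set -- $(_mode_uid "$1")
    if [ "$2" != 0 ] && [ "$2" != "$(id -u)" ]; then
        echo bad-owner; return 1
    fi
    case $1 in
        # 6th char = group write bit, 9th char = other write bit
        ?????w*|????????w*) echo group-or-world-writable; return 1 ;;
    esac
    echo ok
}

# Private key: when owned by the current user, any group/other permission
# bit makes ssh ignore the key ("UNPROTECTED PRIVATE KEY FILE").
ssh_key_perm_status() {
    [ -e "$1" ] || { echo missing; return 1; }
    set -- $(_mode_uid "$1")
    if [ "$2" = "$(id -u)" ]; then
        case $1 in
            ????------*) ;;
            *) echo too-open; return 1 ;;
        esac
    fi
    echo ok
}

# Usage: script.sh ~/.ssh/config [private-key ...]
if [ "$#" -ge 1 ]; then
    printf 'config %s: %s\n' "$1" "$(ssh_config_perm_status "$1")"
    shift
    for k in "$@"; do
        printf 'key %s: %s\n' "$k" "$(ssh_key_perm_status "$k")"
    done
fi
```

If the status is unchanged after `chmod 600`, the mounted filesystem is not recording the mode change and the script's `chmod` lines have no effect on it.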

@pascalbreuninger
Member

Hi @flaprimo, thanks for reporting the issue.
Have you tried to use SSH Agent forwarding instead of mounting your ssh directory as a whole?

If your SSH agent is active, DevPod automatically forwards your private keys from %USERPROFILE%/.ssh to the workspace unless you opt out through the context option SSH_AGENT_FORWARDING.

@flaprimo
Author

Hi @pascalbreuninger thank you for the prompt response.

I've verified that the SSH agent is running on Windows:

PS C:\Users\XYZ> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent

I've removed as you suggested:

  • From devcontainer.json:
"mounts": [
        "source=${localEnv:HOME}${localEnv:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
    ]
  • From ./.devcontainer/postCreateCommand.sh:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

But I still cannot perform git operations:

vscode ➜ /workspaces/XXXX $ git pull
ssh: Could not resolve hostname YYYY: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Note that in my .ssh/config on Windows I have set up the remote with an alias like so:

Host YYYY
  HostName ssh.dev.azure.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/XYZ

Credentials are not copied over (should I expect that?):

$ ls ~/.ssh
ls: cannot access '/home/vscode/.ssh': No such file or directory

@pascalbreuninger
Member

Ah I see, I wasn't aware of the SSH config for your git hoster.
Can you try to recreate this config in your devcontainer but remove the IdentityFile?

And can you confirm running ssh-add -L in your devcontainer has the correct public keys for the identity you need to authenticate against Azure?

@flaprimo
Author

flaprimo commented Oct 1, 2024

Thank you! It seems that we achieved some things:

  • I can confirm that by running ssh-add -L on the Host and the dev container I obtain the same list, so ssh agent forwarding seems to work indeed.
  • Re-creating the config file in the dev container adding the entry without IdentityFile also seems to allow the alias to work:
Host YYYY
  HostName ssh.dev.azure.com
  IdentitiesOnly yes

BUT, when trying to do a git pull, it doesn't seem to automatically pair the SSH key:

$ git pull
The authenticity of host 'ssh.dev.azure.com (XXXX)' can't be established.
RSA key fingerprint is SHA256:XXXX.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ssh.dev.azure.com' (RSA) to the list of known hosts.
[email protected]'s password: 

@bkneis added the windows label Oct 17, 2024