
How to store Docker login credentials securely

Updated: 30 September 2024 09:15:51   Author: Ramboooooooo
This article looks at how Docker stores image-registry login credentials. Docker uses the docker login command to verify a user's registry credentials; a correct username and password are then saved base64-encoded in the Docker configuration file, which is insecure and very easy to leak.

I. Where the credentials are stored

Docker uses the docker login command to verify a user's credentials for an image registry; it is not a login in the usual sense of the word.

It is only a trial check of the login credentials. If the username and password are correct, Docker saves them, base64-encoded, in its configuration file, keyed by the registry address.

On Linux the path is $HOME/.docker/config.json

  1. Before any registry login, the file does not exist
  2. After the first registry login, the prompt and the stored contents look like this
[root@node103 /]# docker login 192.169.5.207:8004
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {
		"192.169.5.207:8004": {
			"auth": "Y1W2R3t4a5W64768T9W99u0d0G85lgdfHdNdAsMjAyMA=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	}
}[root@node103 /]# 

The base64-encoded username and password can be decoded from the command line:

[root@node103 /]# echo "Y1W2R3t4a5W64768T9W99u0d0G85lgdfHdNdAsMjAyMA==" | base64 --decode
username:password
[root@node103 /]# 

From the structure of config.json you can see that, for each registry, Docker keeps only the most recent valid username and password. A later docker login $domain reuses the credentials stored for that domain in config.json directly; once you are done, docker logout $domain removes that registry's credentials from config.json.

[root@node103 /]# docker logout 192.169.5.207:8004
Removing login credentials for 192.169.5.207:8004
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	}
}
[root@node103 /]# 

The experiment above shows that keeping registry credentials in Docker's config.json by default is extremely insecure and easy to leak, unless every user manually runs docker logout each time they finish working with the registry.

Docker has taken this into account: for each platform it provides helper tools that move the registry credentials into a storage product with a higher level of protection. So we should use a dedicated secret-storage product to hold the docker login password.

II. Choosing a credential storage product

The credential stores Docker supports are listed in the Docker documentation linked from the login warning above (https://docs.docker.com/engine/reference/commandline/login/#credentials-store).

This example uses pass: on CentOS we switch Docker's credential store to pass so that credentials are no longer written to config.json.

III. Switching the credential store

1. Install the dependencies pass needs

yum install -y gpg rng-tools

2. Install pass

Since pass cannot be installed directly with yum, we install it from a source tarball (the upstream snapshot archive is used below)

# change to the directory chosen for source downloads
cd /usr/local/src

# download the source tarball of the chosen version
wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.3.tar.xz

# unpack the tarball into the chosen install directory
tar Jxf password-store-1.7.3.tar.xz -C /usr/local/

# enter the unpacked source directory
cd /usr/local/password-store-1.7.3

# build and install
make install

# verify the installation
[root@node103 /]# pass version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.3                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================
[root@node103 /]# 

3. Generate a key with GPG

[root@node103 ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Rambo
Email address: rambo1203@sina.com
Comment: blog.rambo123.com
You selected this USER-ID:
    "Rambo (blog.rambo123.com) <rambo1203@sina.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

-------------------------------------------------------
| Enter passphrase                                    |
|                                                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

----------------------------------------------------------------------
| Warning: You have entered an insecure passphrase.                  |
| A passphrase should be at least 8 characters long.                 |
|                                                                    |
| <Take this one anyway>                      <Enter new passphrase> |
----------------------------------------------------------------------

-------------------------------------------------------
| Please re-enter this passphrase                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93B4B164 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/93B4B164 2020-08-29
      Key fingerprint = 769F 06F1 EA11 7BBB 1725  9BCE 20A6 9A00 93B4 B164
uid                  Rambo (blog.rambo123.com) <rambo1203@sina.com>
sub   4096R/4981C1FF 2020-08-29

[root@node103 ~]# 

4. List the GPG key just generated

[root@node103 ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/93B4B164 2020-08-29
uid                  Rambo (blog.rambo123.com) <rambo1203@sina.com>
sub   4096R/4981C1FF 2020-08-29

[root@node103 ~]# 

5. Initialise pass with the id that follows pub 4096R/ in the previous step's output

[root@node103 ~]# pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
[root@node103 ~]# pass init "93B4B164"
mkdir: created directory ‘/root/.password-store/'
Password store initialized for 93B4B164
[root@node103 ~]# 

6. Verify the pass password store

# 為 key 設置密碼并保存在 pass 密碼本中
[root@node103 ~]# pass insert admin
# set the password for the key admin
Enter password for admin: 
Retype password for admin: 
# show the password stored under admin
[root@node103 ~]# pass show admin

-------------------------------------------------------
| Please re-enter this passphrase                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

# the password stored for admin was 123456
123456
[root@node103 ~]# 

# see pass help for more operations
[root@node103 /]# pass help
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.3                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

Usage:
    pass init [--path=subfolder,-p subfolder] gpg-id...
        Initialize new password storage and use gpg-id for encryption.
        Selectively reencrypt existing passwords using new gpg-id.
    pass [ls] [subfolder]
        List passwords.
    pass find pass-names...
    	List passwords that match pass-names.
    pass [show] [--clip[=line-number],-c[line-number]] pass-name
        Show existing password and optionally put it on the clipboard.
        If put on the clipboard, it will be cleared in 45 seconds.
    pass grep [GREPOPTIONS] search-string
        Search for password files containing search-string when decrypted.
    pass insert [--echo,-e | --multiline,-m] [--force,-f] pass-name
        Insert new password. Optionally, echo the password back to the console
        during entry. Or, optionally, the entry may be multiline. Prompt before
        overwriting existing password unless forced.
    pass edit pass-name
        Insert a new password or edit an existing password using vi.
    pass generate [--no-symbols,-n] [--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length]
        Generate a new password of pass-length (or 25 if unspecified) with optionally no symbols.
        Optionally put it on the clipboard and clear board after 45 seconds.
        Prompt before overwriting existing password unless forced.
        Optionally replace only the first line of an existing file with a new password.
    pass rm [--recursive,-r] [--force,-f] pass-name
        Remove existing password or directory, optionally forcefully.
    pass mv [--force,-f] old-path new-path
        Renames or moves old-path to new-path, optionally forcefully, selectively reencrypting.
    pass cp [--force,-f] old-path new-path
        Copies old-path to new-path, optionally forcefully, selectively reencrypting.
    pass git git-command-args...
        If the password store is a git repository, execute a git command
        specified by git-command-args.
    pass help
        Show this text.
    pass version
        Show version information.

More information may be found in the pass(1) man page.
[root@node103 /]# 

7. Install the Docker credential helper (the latest version can be found on the project's releases page)

# change to the chosen download directory
cd /usr/local/src

# download the prebuilt pass helper from the v0.6.3 release
# (the release asset, not the source archive, is what the tar command below expects)
wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz

# unpack the helper
tar zxvf docker-credential-pass-v0.6.3-amd64.tar.gz

# make the helper executable
chmod +x docker-credential-pass

# move the helper onto the PATH
mv docker-credential-pass /usr/local/bin/

# check the helper version
[root@node103 /]# docker-credential-pass version
0.6.3
[root@node103 /]# 

8. Change the Docker configuration

# empty the .docker/config.json file and write the configuration below into it; credsStore is the suffix of the helper binary's name (docker-credential-pass here)
[root@node103 /]# cat /root/.docker/config.json 
{
    "credsStore": "pass"
}
[root@node103 /]# 

9. Initialise the docker password store

[root@node103 /]# pass insert docker-credential-helpers/docker-pass-initialized-check
# directory created for the store
mkdir: created directory ‘/root/.password-store/docker-credential-helpers'
# password for the initialisation-check entry
Enter password for docker-credential-helpers/docker-pass-initialized-check: 
Retype password for docker-credential-helpers/docker-pass-initialized-check: 
# logins currently held in the store; this verifies the initialisation
[root@node103 /]# docker-credential-pass list
{}
[root@node103 /]# 

# the entry just created can also be read back with show (no passphrase prompt appears this time)
[root@node103 /]# pass show docker-credential-helpers/docker-pass-initialized-check
123456
[root@node103 /]# 

10. Run docker login against the registry again and check the contents of $HOME/.docker/config.json

# contents of config.json before logging in
[root@node103 /]# cat /root/.docker/config.json 
{
    "credsStore": "pass"
}

# 采用用戶名密碼登錄鏡像倉庫
[root@node103 /]# docker login 192.169.5.207:8004
Username: admin
Password: 

# login succeeds and the warning is gone
Login Succeeded

# checking config.json again shows that the username and password are no longer saved there; they went into the encrypted store instead
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {
		"192.169.5.207:8004": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	},
	"credsStore": "pass"
}

# restart Docker, otherwise the next login may fail as follows
[root@node103 /]# docker login 192.169.5.207:8004
Authenticating with existing credentials...
Login did not succeed, error: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Username (admin): ^C
[root@node103 /]# systemctl restart docker
[root@node103 /]# docker login 192.169.5.207:8004
Authenticating with existing credentials...
Login Succeeded
[root@node103 /]# 

11. Verify that the registry username and password from the login above are stored in pass

  • 由于需要使用 tree 命令,這里需要安裝
yum install tree -y
  • 查看密碼本中的密碼原文
[root@node103 /]# docker-credential-pass list
{"192.169.5.207:8004":"admin"}
[root@node103 /]# pass
Password Store
├── admin
└── docker-credential-helpers
    ├── docker-pass-initialized-check
    └── MTkyLjE2OS41LjIwNzo4MDA0
        └── admin
[root@node103 /]# pass show docker-credential-helpers/MTkyLjE2OS41LjIwNzo4MDA0/admin
這里將顯示設置的密碼明文
[root@node103 /]# 

12. Location of the saved password file

[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# cd /root/.password-store/docker-credential-helpers/MTkyLjE2OS41LjIwNzo4MDA0
[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# ll
total 4
-rw------- 1 root root 591 Aug 29 14:36 admin.gpg
[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# 

IV. Summary of credential storage

  • Docker 默認采用 config.json 文件保存 docker login 的用戶名密碼
  • 并且這些用戶名密碼都是通過 base64 加密存儲的很容易被泄露
  • 我們應該切換用戶名密碼保存源,如 pass
  • 在需要保存 Docker 用戶名密碼的操作客戶端都安裝 pass 并根據(jù)以上配置即可
  • 配置完成通過 docker login 進行一次登錄驗證
  • 重啟 Docker 在進行一次登錄驗證(此次是不需要輸入登錄密碼的)
  • dokcer login 的操作腳本都不需要進行相應的變化
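As an added example (not part of the original post), the small Python audit below reads a config.json in the format shown in section I, flags registries whose "auth" field still holds a base64 username:password, and, for the pass helper used in step 11, computes the store path docker-credential-helpers/<base64(registry)>/<username> where the secret is kept; the config content is constructed for the example.

```python
import base64
import json

# Constructed sample config.json (not from a real host), modelled on the two
# states this page shows: one registry still carrying a base64 "auth" entry and
# one whose credentials were handed to the pass helper via "credsStore".
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "192.169.5.207:8004": {"auth": base64.b64encode(b"admin:123456").decode()},
        "registry.example.internal": {},
    },
    "credsStore": "pass",
})


def pass_entry_path(registry, username):
    """Path of one login inside the pass store, as docker-credential-pass lays it out.

    The helper base64-encodes the registry address (URL-safe alphabet) for the
    directory name and uses the username as the leaf, which is why step 11 shows
    docker-credential-helpers/MTkyLjE2OS41LjIwNzo4MDA0/admin.
    """
    encoded = base64.urlsafe_b64encode(registry.encode()).decode()
    return "docker-credential-helpers/%s/%s" % (encoded, username)


def audit_config(config_text):
    """Return one finding dict per registry listed under "auths".

    A present "auth" field means username:password sits on disk as plain base64;
    an empty entry means the secret lives in the helper named by "credsStore"
    (or by a per-registry "credHelpers" override).
    """
    cfg = json.loads(config_text)
    default_store = cfg.get("credsStore")
    overrides = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        finding = {"registry": registry, "helper": overrides.get(registry, default_store)}
        if "auth" in entry:
            # Decode only to learn the username; report the secret's length, never its value.
            user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
            finding.update(plaintext=True, username=user, secret_length=len(secret))
        else:
            finding.update(plaintext=False)
        findings.append(finding)
    return findings
```

Run audit_config on the real file with open(os.path.expanduser("~/.docker/config.json")).read() to see which registries still keep their password in config.json.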

以上為個人經(jīng)驗,希望能給大家一個參考,也希望大家多多支持腳本之家。

相關文章

  • docker?ps容器未顯示的問題以及排查過程詳解

    docker?ps容器未顯示的問題以及排查過程詳解

    這篇文章主要給大家介紹了關于docker?ps容器未顯示的問題以及排查過程的相關資料,相信各位在使用docker容器的時候,經(jīng)常docker run -d后臺運行后,使用docker ps的時候發(fā)現(xiàn)這個容器顯示不到,這里給大家介紹下,需要的朋友可以參考下
    2023-09-09
  • docker 的java編譯環(huán)境構(gòu)建詳細介紹

    docker 的java編譯環(huán)境構(gòu)建詳細介紹

    這篇文章主要介紹了docker 的java編譯環(huán)境構(gòu)建詳細介紹的相關資料,具有一定的參考價值,需要的朋友可以參考下
    2016-11-11
  • Docker如何安全地進入到容器內(nèi)部

    Docker如何安全地進入到容器內(nèi)部

    本文主要介紹了Docker如何安全地進入到容器內(nèi)部,文中通過示例代碼介紹的非常詳細,對大家的學習或者工作具有一定的參考學習價值,需要的朋友們下面隨著小編來一起學習學習吧
    2022-06-06
  • docker-compose+nginx部署前后端分離的項目實踐

    docker-compose+nginx部署前后端分離的項目實踐

    本文主要介紹了docker-compose?+?nginx部署前后端分離的項目,文中通過示例代碼介紹的非常詳細,具有一定的參考價值,感興趣的小伙伴們可以參考一下
    2022-03-03
  • Docker 中快速安裝tensorflow環(huán)境的方法步驟

    Docker 中快速安裝tensorflow環(huán)境的方法步驟

    這篇文章主要介紹了Docker 中快速安裝tensorflow環(huán)境的方法步驟,小編覺得挺不錯的,現(xiàn)在分享給大家,也給大家做個參考。一起跟隨小編過來看看吧
    2018-10-10
  • Docker Compose常用命令詳解

    Docker Compose常用命令詳解

    本篇文章主要介紹了Docker Compose常用命令詳解,小編覺得挺不錯的,現(xiàn)在分享給大家,也給大家做個參考。一起跟隨小編過來看看吧
    2018-12-12
  • Docker安裝mysql超詳細步驟記錄

    Docker安裝mysql超詳細步驟記錄

    mysql大家可能習慣是二進制安裝的,現(xiàn)在容器化發(fā)展迅速,也有很多公司是用docker安裝的,下面這篇文章主要給大家介紹了關于在Docker安裝mysql的超詳細步驟,需要的朋友可以參考下
    2022-07-07
  • docker鏡像訪問本地elasticsearch端口操作

    docker鏡像訪問本地elasticsearch端口操作

    這篇文章主要介紹了docker鏡像訪問本地elasticsearch端口操作,具有很好的參考價值,希望對大家有所幫助。一起跟隨小編過來看看吧
    2020-11-11
  • Docker 私有倉庫恢復實例詳解

    Docker 私有倉庫恢復實例詳解

    這篇文章主要介紹了Docker 私有倉庫恢復實例詳解的相關資料,這里提供了詳細的實現(xiàn)步驟,及注意事項,完成docker私有倉庫的恢復,需要的朋友可以參考下
    2016-11-11
  • docker建立私有倉庫的過程

    docker建立私有倉庫的過程

    這篇文章主要介紹了docker私有倉庫的建立,在這需要注意從私有倉庫下載先移出原鏡像,具體操作過程跟隨小編一起看看吧
    2022-01-01

最新評論