
Securely storing Docker login credentials

Updated: 2024-09-30 09:15:51   Author: Ramboooooooo
This article looks at how login credentials for a Docker image registry are stored. Docker uses the docker login command to validate a user's registry credentials; a correct username and password are then saved, base64-encoded, in the Docker configuration file, which is easy to leak and insecure.

I. The credential storage scenario

Docker uses the docker login command to validate a user's registry credentials; it is not a login in the true sense.

It is only a trial check of the credentials. If the username and password are correct, Docker saves the username and password, base64-encoded, in its configuration file, keyed by the registry address.

On Linux the path is $HOME/.docker/config.json

  1. Before you have ever logged in to a Docker registry, this file does not exist
  2. After the first login to a registry, the login session and the stored configuration look like this
[root@node103 /]# docker login 192.169.5.207:8004
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {
		"192.169.5.207:8004": {
			"auth": "Y1W2R3t4a5W64768T9W99u0d0G85lgdfHdNdAsMjAyMA=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	}
}[root@node103 /]# 

The base64-encoded username and password can be decoded from the command line (base64 is an encoding, not encryption):

[root@node103 /]# echo "Y1W2R3t4a5W64768T9W99u0d0G85lgdfHdNdAsMjAyMA==" | base64 --decode
username:password
[root@node103 /]# 

From the structure of config.json you can see that Docker keeps only the most recent valid username and password for each registry. Subsequent runs of docker login $domain use the username and password stored in config.json for that domain directly. When you are done, docker logout $domain removes the login credentials for that registry from config.json.

[root@node103 /]# docker logout 192.169.5.207:8004
Removing login credentials for 192.169.5.207:8004
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	}
}
[root@node103 /]# 

The experiment above shows that keeping a user's registry login credentials in Docker's config.json, as happens by default, is extremely insecure and easy to leak, unless every user manually runs docker logout after every interaction with the registry.

Docker has taken this into account: for each platform it provides helper tools that save the registry login credentials in a more secure storage product instead. So we need to use another secret-storage product to hold the docker login password.

II. Choosing a credential store

Docker's documentation (the credentials-store link printed in the warning above) lists the available credential stores.

This example uses pass: on CentOS, the Docker credential store is switched to pass so that credentials are no longer written to config.json.

III. Switching the credential store

1. Install the dependencies pass needs

yum install -y gpg rng-tools

2. Install pass

pass cannot be installed directly with yum, so we fetch a suitable source tarball from git.zx2c4.com and install from source

# Enter the directory chosen for source downloads
cd /usr/local/src

# Download the source tarball of the chosen version
wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.3.tar.xz

# Extract the tarball into the chosen installation directory
tar Jxf password-store-1.7.3.tar.xz -C /usr/local/

# Enter the extracted source directory
cd /usr/local/password-store-1.7.3

# Build and install
make install

# Verify the installation
[root@node103 /]# pass version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.3                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================
[root@node103 /]# 

3. Generate a key with GPG

[root@node103 ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Rambo
Email address: rambo1203@sina.com
Comment: blog.rambo123.com
You selected this USER-ID:
    "Rambo (blog.rambo123.com) <rambo1203@sina.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

-------------------------------------------------------
| Enter passphrase                                    |
|                                                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

----------------------------------------------------------------------
| Warning: You have entered an insecure passphrase.                  |
| A passphrase should be at least 8 characters long.                 |
|                                                                    |
| <Take this one anyway>                      <Enter new passphrase> |
----------------------------------------------------------------------

-------------------------------------------------------
| Please re-enter this passphrase                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93B4B164 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/93B4B164 2020-08-29
      Key fingerprint = 769F 06F1 EA11 7BBB 1725  9BCE 20A6 9A00 93B4 B164
uid                  Rambo (blog.rambo123.com) <rambo1203@sina.com>
sub   4096R/4981C1FF 2020-08-29

[root@node103 ~]# 

4. List the generated GPG key

[root@node103 ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/93B4B164 2020-08-29
uid                  Rambo (blog.rambo123.com) <rambo1203@sina.com>
sub   4096R/4981C1FF 2020-08-29

[root@node103 ~]# 

5. Initialize pass with the key id that follows pub 4096R/ in the previous step

[root@node103 ~]# pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
[root@node103 ~]# pass init "93B4B164"
mkdir: created directory ‘/root/.password-store/’
Password store initialized for 93B4B164
[root@node103 ~]# 

6. Verify the pass store

# Set a password for a key and save it in the pass store
[root@node103 ~]# pass insert admin
# Set the password for the key named admin
Enter password for admin: 
Retype password for admin: 
# Show the password for the key named admin
[root@node103 ~]# pass show admin

-------------------------------------------------------
| Please re-enter this passphrase                     |
|                                                     |
| Passphrase ******__________________________________ |
|                                                     |
|       <OK>                             <Cancel>     |
-------------------------------------------------------

# The stored password for admin is 123456
123456
[root@node103 ~]# 

# See pass help for more operations
[root@node103 /]# pass help
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.3                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

Usage:
    pass init [--path=subfolder,-p subfolder] gpg-id...
        Initialize new password storage and use gpg-id for encryption.
        Selectively reencrypt existing passwords using new gpg-id.
    pass [ls] [subfolder]
        List passwords.
    pass find pass-names...
    	List passwords that match pass-names.
    pass [show] [--clip[=line-number],-c[line-number]] pass-name
        Show existing password and optionally put it on the clipboard.
        If put on the clipboard, it will be cleared in 45 seconds.
    pass grep [GREPOPTIONS] search-string
        Search for password files containing search-string when decrypted.
    pass insert [--echo,-e | --multiline,-m] [--force,-f] pass-name
        Insert new password. Optionally, echo the password back to the console
        during entry. Or, optionally, the entry may be multiline. Prompt before
        overwriting existing password unless forced.
    pass edit pass-name
        Insert a new password or edit an existing password using vi.
    pass generate [--no-symbols,-n] [--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length]
        Generate a new password of pass-length (or 25 if unspecified) with optionally no symbols.
        Optionally put it on the clipboard and clear board after 45 seconds.
        Prompt before overwriting existing password unless forced.
        Optionally replace only the first line of an existing file with a new password.
    pass rm [--recursive,-r] [--force,-f] pass-name
        Remove existing password or directory, optionally forcefully.
    pass mv [--force,-f] old-path new-path
        Renames or moves old-path to new-path, optionally forcefully, selectively reencrypting.
    pass cp [--force,-f] old-path new-path
        Copies old-path to new-path, optionally forcefully, selectively reencrypting.
    pass git git-command-args...
        If the password store is a git repository, execute a git command
        specified by git-command-args.
    pass help
        Show this text.
    pass version
        Show version information.

More information may be found in the pass(1) man page.
[root@node103 /]# 

7. Install the Docker credential helper (get the latest version from the docker-credential-helpers releases page on GitHub)

# Enter the directory chosen for downloads
cd /usr/local/src

# Download the prebuilt docker-credential-pass release asset
# (the repository's source archive does not contain the binary)
wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz

# Extract the Docker credential helper
tar zxvf docker-credential-pass-v0.6.3-amd64.tar.gz

# Make the Docker credential helper executable
chmod +x docker-credential-pass

# Move the Docker credential helper onto the PATH
mv docker-credential-pass /usr/local/bin/

# Check the Docker credential helper version
[root@node103 /]# docker-credential-pass version
0.6.3
[root@node103 /]# 

8. Modify the Docker configuration

# Empty .docker/config.json, then write the configuration below into it. Note that credsStore is the suffix of the helper binary's name (docker-credential-pass -> pass)
[root@node103 /]# cat /root/.docker/config.json 
{
    "credsStore": "pass"
}
[root@node103 /]# 

9. Initialize the docker password store

[root@node103 /]# pass insert docker-credential-helpers/docker-pass-initialized-check
# Directory created for the store entry
mkdir: created directory ‘/root/.password-store/docker-credential-helpers’
# Password for the initialization-check entry
Enter password for docker-credential-helpers/docker-pass-initialized-check: 
Retype password for docker-credential-helpers/docker-pass-initialized-check: 
# List the credentials held in the store to verify the initialization
[root@node103 /]# docker-credential-pass list
{}
[root@node103 /]# 

# You can also use show to view the password of the entry just created (no passphrase prompt appears here, because gpg-agent still has the passphrase cached)
[root@node103 /]# pass show docker-credential-helpers/docker-pass-initialized-check
123456
[root@node103 /]# 

10. Run docker login again and, at the same time, check the contents of $HOME/.docker/config.json

# Contents of config.json before logging in
[root@node103 /]# cat /root/.docker/config.json 
{
    "credsStore": "pass"
}

# Log in to the registry with username and password
[root@node103 /]# docker login 192.169.5.207:8004
Username: admin
Password: 

# Login succeeds and there is no warning this time
Login Succeeded

# Check config.json again: the username and password are no longer stored in this file but in the encrypted store
[root@node103 /]# cat /root/.docker/config.json 
{
	"auths": {
		"192.169.5.207:8004": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.12 (linux)"
	},
	"credsStore": "pass"
}

# Restart Docker so that the next login does not run into the following situation
[root@node103 /]# docker login 192.169.5.207:8004
Authenticating with existing credentials...
Login did not succeed, error: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Username (admin): ^C
[root@node103 /]# systemctl restart docker
[root@node103 /]# docker login 192.169.5.207:8004
Authenticating with existing credentials...
Login Succeeded
[root@node103 /]# 

11. Verify that the username and password from the registry login above are stored in pass

# The tree command is used here, so install it first
yum install tree -y

# View the stored secrets in the password store
[root@node103 /]# docker-credential-pass list
{"192.169.5.207:8004":"admin"}
[root@node103 /]# pass
Password Store
├── admin
└── docker-credential-helpers
    ├── docker-pass-initialized-check
    └── MTkyLjE2OS41LjIwNzo4MDA0
        └── admin
[root@node103 /]# pass show docker-credential-helpers/MTkyLjE2OS41LjIwNzo4MDA0/admin
(the plaintext password that was set is printed here)
[root@node103 /]# 

12. Location of the stored password file

[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# cd /root/.password-store/docker-credential-helpers/MTkyLjE2OS41LjIwNzo4MDA0
[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# ll
total 4
-rw------- 1 root root 591 Aug 29 14:36 admin.gpg
[root@node103 MTkyLjE2OS41LjIwNzo4MDA0]# 
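An added example (not from the article or from the Docker project) that ties together the config.json layout from section I and the pass tree from step 11: it audits a config.json for registries that still carry an inline base64 auth value versus ones delegated to a helper, and maps a registry to the entry path docker-credential-pass uses under the store. The sample config and the function names are constructed for this illustration.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json (not a real credential), modelled on
# the two states shown in this article: one registry still holding an inline
# base64 "auth" value, and one already delegated to the pass helper.
SAMPLE_CONFIG = """{
  "auths": {
    "192.169.5.207:8004": {"auth": "YWRtaW46MTIzNDU2"},
    "registry.example.invalid": {}
  },
  "credsStore": "pass"
}"""


def pass_entry_path(server, username):
    """Where docker-credential-pass keeps a secret, as seen in step 11:
    docker-credential-helpers/<base64(server)>/<username>"""
    encoded = base64.b64encode(server.encode("utf-8")).decode("ascii")
    return f"docker-credential-helpers/{encoded}/{username}"


def registry_from_pass_dir(dirname):
    """Reverse mapping: a directory name from the pass tree back to the registry."""
    return base64.b64decode(dirname).decode("utf-8")


def audit_docker_config(config_text):
    """One finding per registry under "auths". state is one of:
    inline    - username:password sits base64-encoded in the file (the unsafe default)
    delegated - no inline secret; docker asks credsStore/credHelpers for it
    malformed - "auth" present but not valid base64 user:pass
    Passwords are never copied into the findings."""
    cfg = json.loads(config_text)
    default_store = cfg.get("credsStore")
    overrides = cfg.get("credHelpers", {})  # optional per-registry helper names
    findings = []
    for server, entry in cfg.get("auths", {}).items():
        finding = {"server": server, "helper": overrides.get(server, default_store),
                   "username": None, "state": "delegated"}
        auth = entry.get("auth")
        if auth:
            try:  # binascii.Error and UnicodeDecodeError are both ValueError
                user, _, _pw = base64.b64decode(auth, validate=True).decode("utf-8").partition(":")
                finding.update(state="inline", username=user)
            except ValueError:
                finding["state"] = "malformed"
        findings.append(finding)
    return findings
```

Running audit_docker_config over a real config.json is a quick way to check, after step 10, that no registry entry still carries an "auth" value.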

IV. Summary of credential storage

  • By default Docker saves the docker login username and password in config.json
  • Those credentials are stored merely base64-encoded and are easily leaked
  • We should switch the credential store, for example to pass
  • Install pass on every client machine that needs to keep Docker credentials and configure it as above
  • After configuring, log in once with docker login to verify
  • Restart Docker and verify with a second login (no password is required this time)
  • Existing docker login scripts do not need to change
