Getting SFTP to work with restic docker (unraid) - how to give it the SSH private key for authentication?

Hello.

I’m trying to get restic to work on unraid os via docker. I’m installing it from the “community” apps section of unraid, basically just a simple UI for docker containers (docker run command below). However, I’m not sure how to give it the private ssh key needed for authentication for the sftp repository.

This is what I get in the logs when trying to start the container on my unraid server:

subprocess ssh: Host key verification failed.
Fatal: unable to open repository at sftp:backup-user@192.168.2.5:/home/backup-user/external/: unable to start the sftp session, error: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF

This is from systemctl status ssh on the target (repository) server at 192.168.2.5:

Dec 27 23:26:02 pi5 sshd[16321]: Connection closed by 192.168.2.3 port 60204 [preauth]

This is the command to run the restic docker container:

docker run \
  -d \
  --name='restic' \
  --net='bridge' \
  -e TZ="Europe/Athens" \
  -e HOST_OS="Unraid" \
  -e HOST_HOSTNAME="mediaserver" \
  -e HOST_CONTAINERNAME="restic" \
  -e 'RESTIC_REPOSITORY'='sftp:backup-user@192.168.2.5:/home/backup-user/external' \
  -l net.unraid.docker.managed=dockerman \
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/nwithan8/unraid_templates/master/images/restic-icon.png' \
  -v '/mnt/user/Vault/DONTDELETE/restic-password/pass':'/pass':'ro' \
  -v '/mnt/user/11/':'/data':'ro' \
  -v '/mnt/user/appdata/restic/ssh/':'/root/.ssh':'ro' \
  --hostname unraid 'restic/restic:latest' \
  --password-file /pass backup /data

As you can see I’m trying to pass the host directory /mnt/user/appdata/restic/ssh/ to the container’s /root/.ssh. It contains the public and private ssh keys that I need to authenticate to the repository machine at 192.168.2.5.

Running sftp backup-user@192.168.2.5:/home/backup-user/external from the terminal inside unraid using the same private key works fine (so the public key is set correctly in the authorized_keys of 192.168.2.5):

# sftp backup-user@192.168.2.5:/home/backup-user/external
Connected to 192.168.2.5.
Changing to: /home/backup-user/external
sftp>

How can I correctly pass the ssh keys to the restic docker container so it can successfully connect via sftp to my target repository?

Thank you.

What are the contents of /root/.ssh/ inside the container when it runs (you can set its entrypoint to sleep infinity to be able to exec into it to investigate)?

This is the content of /root/.ssh inside of the container:

~/.ssh # ls -al
total 8
drwxr-xr-x    1 root     root            32 Dec 28 01:29 .
drwx------    1 root     root            32 Dec 28 01:29 ..
-r--------    1 root     root          3381 Dec 27 21:52 id_rsa
-rw-r--r--    1 root     root           741 Dec 27 21:52 id_rsa.pub
~/.ssh # cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[...]

id_rsa and id_rsa.pub are properly mounted and running sftp backup-user@192.168.2.5:/home/backup-user/external is successful:

~/.ssh # sftp backup-user@192.168.2.5:/home/backup-user/external
The authenticity of host '192.168.2.5 (192.168.2.5)' can't be established.
ED25519 key fingerprint is SHA256:VzHkblegVDWg9xQC0qm+y3X5L7tzdpZuThdeI8AeFE8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.5' (ED25519) to the list of known hosts.
Connected to 192.168.2.5.
Changing to: /home/backup-user/external
sftp>

Seeing this I thought that maybe it’s failing because it can’t respond to the prompt so I created a known_hosts file (with the contents that were generated when I connected to the target machine) in the same directory that is mounted to /root/.ssh, and it looks like it’s connecting now:

Dec 28 01:53:06 pi5 sshd[16788]: Accepted publickey for backup-user from 192.168.2.3 port 53396 ssh2: RSA SHA256:67c…
Dec 28 01:53:06 pi5 sshd[16788]: pam_unix(sshd:session): session opened for user backup-user(uid=1001) by (uid=0)

Thank you for the help, your entrypoint tip was just what I needed! 🙂
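
The fix above works because ssh inside the container cannot answer the host-key prompt, so the server's key has to be in the mounted known_hosts before restic starts. As an added example (not from the thread or the restic project), this script appends a scanned host key to that file only when its fingerprint matches one read on the server itself; the script name pin.sh, the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Pin an SSH host key into known_hosts only after checking its fingerprint.
# Usage (pin.sh is a hypothetical name for this file):
#   pin.sh "$(ssh-keyscan -t ed25519 192.168.2.5)" 'SHA256:...' known_hosts
# Read the expected fingerprint on the server's own console, e.g.
#   ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub   (usual OpenSSH path)

# Print the SHA256:... fingerprint of one "host keytype base64blob" line,
# in the same form ssh shows at its trust prompt.
key_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    printf 'SHA256:'
    # hex digest -> raw bytes -> unpadded base64
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}
        hex=${hex#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done | base64 | tr -d '=\n'
    printf '\n'
}

# pin_host_key LINE EXPECTED_FP KNOWN_HOSTS_FILE
# Appends LINE only when its fingerprint equals EXPECTED_FP; returns 1 otherwise.
pin_host_key() {
    actual=$(key_fingerprint "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to pin: got $actual, expected $2" >&2
        return 1
    fi
    # Do not add the same line twice.
    grep -qxF -- "$1" "$3" 2>/dev/null || printf '%s\n' "$1" >> "$3"
}

# Constructed sample line: valid ssh-ed25519 framing with 32 filler bytes,
# not a real host key. Used only to exercise the functions offline.
sample_line() {
    blob=$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 |
        base64 | tr -d '\n')
    printf '192.168.2.5 ssh-ed25519 %s\n' "$blob"
}

if [ "$#" -eq 3 ]; then
    pin_host_key "$@"
fi
```

The resulting known_hosts file goes in /mnt/user/appdata/restic/ssh/, which the docker run command above mounts read-only at /root/.ssh.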

Very cool, well done figuring that out!