When using an image repository in an enterprise, you usually need to enable authentication, and the credentials are often a shared account used by many people in the enterprise. However, after `docker login`, the username and password are saved base64-encoded (not encrypted) in `.docker/config.json`, so on servers shared by many users the account can easily leak.
Is there a solution for this?
Docker provides a credentials store, which means the password is kept in an external credential helper instead of in `config.json`.
The following helpers are currently supported:
- D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
- Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
- Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
- pass: https://github.com/docker/docker-credential-helpers/releases
For Linux servers, the only option is `pass`, because the D-Bus Secret Service requires an X11 desktop session, and the Apple and Microsoft helpers are clearly not meant for Linux.
Here are the configuration steps.
Install gnupg2 and pass:

```
sudo apt install gnupg2 pass
```
The following is the download address for version 0.6.3 of docker-credential-pass for amd64 (this is the helper binary, not the `pass` package installed above).
After downloading, unpack the archive, copy the `docker-credential-pass` file to the `/usr/bin/` directory, and make it executable.
Log out of Docker Hub.
Modify the Docker configuration and add
Generate a GPG key pair. Remember the passphrase you set here; it is the passphrase that protects the stored Docker password.
```
$ gpg2 --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
...
```
Once generated, you can view it with:

```
$ gpg2 -k
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/bottle/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-06-20 [SC]
      4B65C16E5349EC64D77A9EB1C1E8818FCC8126B8
uid           [ultimate] silenceshell <email@example.com>
sub   rsa3072 2020-06-20 [E]
```
After logging in, check `.docker/config.json`: you can see that the `auths` section no longer contains the username and password.
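The check above can be automated on shared servers. This is an added example, not code from the original post: it parses a `config.json` and reports registries whose credentials are still recoverable from the file, decoding only the username so the audit output cannot leak the secret. The registry name and account in the sample configs are constructed.

```python
import base64
import json

# Constructed sample: what config.json looks like after a plain `docker login`.
# The "auth" value is base64 of "user:password", which is encoding, not encryption.
PLAINTEXT_CONFIG = json.dumps({
    "auths": {
        "registry.example.internal": {
            "auth": base64.b64encode(b"shared-ci:S3cret!").decode()
        }
    }
})

# Constructed sample: the same file once a credentials store is configured;
# `auths` keeps only the registry name and the secret lives in `pass`.
CREDSTORE_CONFIG = json.dumps({
    "auths": {"registry.example.internal": {}},
    "credsStore": "pass"
})


def audit_docker_config(config_text: str) -> dict:
    """Report which registries still have credentials recoverable from the file."""
    cfg = json.loads(config_text)
    leaked = []
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            # Decode just far enough to identify the account; drop the password.
            try:
                user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            leaked.append({"registry": registry, "username": user, "field": "auth"})
        elif "username" in entry or "password" in entry:
            # Older layout with separate fields is just as exposed.
            leaked.append({"registry": registry,
                           "username": entry.get("username", ""),
                           "field": "username/password"})
    return {
        "creds_store": cfg.get("credsStore"),
        "plaintext_entries": leaked,
        "ok": cfg.get("credsStore") is not None and not leaked,
    }


if __name__ == "__main__":
    for label, text in (("before", PLAINTEXT_CONFIG), ("after", CREDSTORE_CONFIG)):
        print(label, json.dumps(audit_docker_config(text)))
```

On a real host, read `~/.docker/config.json` and pass its contents to `audit_docker_config`; any entry in `plaintext_entries` means the shared account is exposed to everyone who can read that file.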
After that, you can use that user's identity for all subsequent Docker operations.