Behaviour
Steps to reproduce this issue
- Have an actionstart contain ssh-add (to ban on the router)
- Have actionban contain ssh
- Permission denied due to `read_passphrase: can't open /dev/tty: No such device or address`
Expected behaviour
The identity should be properly added, and ssh should read the passphrase.
Actual behaviour
ssh does not read the passphrase.
Configuration
- Docker version (type `docker --version`): Docker version 20.10.12, build e91ed57
- Docker compose version if applicable (type `docker-compose --version`): docker-compose version 1.29.2
- Platform (Debian 9, Ubuntu 18.04, ...): Debian 11
- System info (type `uname -a`): Linux <REDACTED> 5.10.0-10-arm64 #1 SMP Debian 5.10.84-1 (2021-12-08) aarch64 GNU/Linux
- Include all necessary configuration files: docker-compose.yml, .env, ...
Relevant docker-compose.yml

```yaml
services:
  fail2ban:
    image: crazymax/fail2ban
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ${DOCKERCONFIG}/fail2ban/data:/data
      - ${DOCKERCONFIG}/fail2ban/extra/pfsense_rpi:/extra/pfsense_rpi
      - ${DOCKERCONFIG}/fail2ban/extra/known_hosts:/root/.ssh/known_hosts
      - /var/log/docker:/var/log/docker
    environment:
      TZ: ${TZ}
```
/data/action.d/pfsense

```ini
####### Run the ssh command once with /root/known_hosts empty, otherwise it fails!
[Definition]
actionstart = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
              chmod 700 /tmp/echo_passphrase
              export SSH_ASKPASS_REQUIRE="force"
              export SSH_ASKPASS="/tmp/echo_passphrase"
              ssh-agent /bin/sh -c 'ssh-add /extra/pfsense_rpi'
              rm /tmp/echo_passphrase
actionstop = ssh-agent /bin/sh -c 'ssh-add -D'
actionban = ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan <ip>
actionunban = ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule unblock wan <ip>
[Init]
protocol = tcp
actiontype =
```
I am trying to use ssh-add because deciphering the private key every time is pretty time-consuming.
Note that this action works and correctly bans <ip> on the PFSense router:
```ini
####### Run the ssh command once with /root/known_hosts empty, otherwise it fails!
[Definition]
actionban = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
            chmod 700 /tmp/echo_passphrase
            export SSH_ASKPASS_REQUIRE="force"
            export SSH_ASKPASS="/tmp/echo_passphrase"
            ssh -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan <ip>
            rm /tmp/echo_passphrase
actionunban = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
              chmod 700 /tmp/echo_passphrase
              export SSH_ASKPASS_REQUIRE="force"
              export SSH_ASKPASS="/tmp/echo_passphrase"
              ssh -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule unblock wan <ip>
              rm /tmp/echo_passphrase
[Init]
protocol = tcp
actiontype =
```
but in my opinion it takes too long.
Docker info

```text
Client:
 Context: default
 Debug Mode: false

Server:
 Containers: 37
  Running: 36
  Paused: 0
  Stopped: 1
 Images: 34
 Server Version: 20.10.12
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc version: v1.0.2-0-g52b36a2d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 5.10.0-10-arm64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.627GiB
 Name: <REDACTED>
 ID: JEXP:SIXA:6AG6:CMB3:C6XY:MCMO:YITL:WT7V:NYBP:3PIB:3LPR:IDF6
 Docker Root Dir: /media/schklom/data-hdd/docker_data_root
 Debug Mode: false
 Username: schklom
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
 Default Address Pools:
   Base: 192.168.0.0/16, Size: 24

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```
Logs

```console
$ docker exec fail2ban fail2ban-client set nextcloud banip 1.2.3.4
1
$ docker exec fail2ban fail2ban-client unban 1.2.3.4
1
$ docker logs fail2ban
<Truncated for readability>
Server ready
2022-01-14 21:50:42,572 fail2ban.actions [1]: NOTICE [nextcloud] Ban 1.2.3.4
2022-01-14 21:50:47,831 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- exec: ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan 1.2.3.4
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Reading configuration data /etc/ssh/ssh_config'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Connecting to pfsense.home [172.16.10.20] port 51456.'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Connection established.'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: identity file /extra/pfsense_rpi type 3'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: identity file /extra/pfsense_rpi-cert type -1'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Local version string SSH-2.0-OpenSSH_8.8'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: compat_banner: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: Authenticating to pfsense.home:51456 as 'root'"
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEXINIT sent'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEXINIT received'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: algorithm: curve25519-sha256@libssh.org'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: host key algorithm: ssh-ed25519'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: expecting SSH2_MSG_KEX_ECDH_REPLY'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEX_ECDH_REPLY received'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Server host key: ssh-ed25519 SHA256:3fVz8OIdJZd1n+h3iwIxIMs1hoGojihUNtITrAfJYCs'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: Host '[pfsense.home]:51456' is known and matches the ED25519 host key."
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Found key in /root/.ssh/known_hosts:1'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: rekey out after 134217728 blocks'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_NEWKEYS sent'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: expecting SSH2_MSG_NEWKEYS'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_NEWKEYS received'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: rekey in after 134217728 blocks'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Will attempt key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_EXT_INFO received'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_SERVICE_ACCEPT received'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Authentications that can continue: publickey'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Next authentication method: publickey'
2022-01-14 21:50:47,842 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Offering public key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,842 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Server accepts key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: read_passphrase: can't open /dev/tty: No such device or address"
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: No more authentication methods to try.'
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'root@pfsense.home: Permission denied (publickey).'
2022-01-14 21:50:47,844 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- killed with signal 127 (return code: 255)
2022-01-14 21:50:47,845 fail2ban.actions [1]: ERROR Failed to execute ban jail 'nextcloud' action 'pfsense' info 'ActionInfo({'ip': '1.2.3.4', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xffff9051b1f0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xffff9051b8b0>})': Error banning 1.2.3.4
2022-01-14 21:51:08,795 fail2ban.actions [1]: NOTICE [nextcloud] Unban 1.2.3.4
```
Do you have an idea how to make ssh read the passphrase?
Thank you for making and maintaining this container, it is really well done 👍
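Why the first action fails, and one way to make it work, added here as an example rather than code from the issue or from the crazymax/fail2ban image. fail2ban runs every action command (actionstart, actionban, ...) in its own `/bin/sh`, so the `export`s in actionstart never reach actionban, and `ssh-agent /bin/sh -c 'ssh-add ...'` starts an agent that exits as soon as ssh-add returns (an agent given a command to run dies with that command). By the time actionban runs there is no agent left, ssh has to decrypt /extra/pfsense_rpi itself, and with no terminal in the container that ends in the logged `read_passphrase: can't open /dev/tty` followed by `Permission denied (publickey)`. The action below instead binds one long-lived agent to a fixed socket in actionstart, loads the key once with the same SSH_ASKPASS/SSH_ASKPASS_REQUIRE=force trick (OpenSSH 8.4 or newer; the log shows 8.8p1 in the container), and points ssh at that socket with `IdentityAgent`. Host, port, key path and the easyrule commands are taken from the issue; the paths under /var/run/fail2ban, the `ssh_host`, `ssh_port`, `passphrase`, `agent_sock`, `agent_pid` and `askpass` tags and the helper script are assumptions, and `PASSPHRASE` is a placeholder.

```ini
# /data/action.d/pfsense.conf  (added example, not the image's own action)
# Assumed: /var/run/fail2ban is writable inside the container and the tag
# names in [Init] below are not used by the jail for anything else.
[Definition]
# One agent, bound to a fixed socket, started when the jail starts. Its pid
# is kept in a file because actionstop runs in a different shell.
actionstart = umask 077
              [ -f <agent_pid> ] && kill "$(cat <agent_pid>)" 2>/dev/null
              rm -f <agent_sock> <askpass>
              { echo '#!/bin/sh'; echo "echo '<passphrase>'"; } > <askpass>
              chmod 700 <askpass>
              eval "$(ssh-agent -a <agent_sock>)"
              echo "$SSH_AGENT_PID" > <agent_pid>
              SSH_ASKPASS=<askpass> SSH_ASKPASS_REQUIRE=force ssh-add <key>
              rc=$?
              rm -f <askpass>
              exit $rc

# Runs before every ban/unban; a non-zero exit makes fail2ban re-run
# actionstart, so a dead or emptied agent is recreated automatically.
actioncheck = SSH_AUTH_SOCK=<agent_sock> ssh-add -l >/dev/null 2>&1

actionstop = [ -f <agent_pid> ] && kill "$(cat <agent_pid>)" 2>/dev/null
             rm -f <agent_pid> <agent_sock>

# BatchMode=yes disables every prompt, so if the agent has no usable key ssh
# fails at once instead of trying /dev/tty. IdentitiesOnly=yes offers only the
# key named by -i; StrictHostKeyChecking=yes requires the mounted known_hosts.
actionban = ssh -o IdentityAgent=<agent_sock> -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=yes -i <key> -p <ssh_port> root@<ssh_host> easyrule block wan <ip>
actionunban = ssh -o IdentityAgent=<agent_sock> -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=yes -i <key> -p <ssh_port> root@<ssh_host> easyrule unblock wan <ip>

[Init]
ssh_host = pfsense.home
ssh_port = 10022
key = /extra/pfsense_rpi
# Secret: whoever can read this file can use the key, so keep it mode 0600.
# A single quote in the passphrase would break the helper written above, and
# a literal % must be doubled (%%) because fail2ban interpolates % in values.
passphrase = PASSPHRASE
agent_sock = /var/run/fail2ban/ssh-agent.sock
agent_pid = /var/run/fail2ban/ssh-agent.pid
askpass = /var/run/fail2ban/askpass.sh
```

Two details worth keeping even if the rest is adapted. `umask 077` before writing the helper closes the window in the original action, where the file holding the passphrase exists with the default 0644 mode until `chmod 700` runs. And a passphrase stored in the same container as the key protects little more than an unencrypted key with mode 0600 would; what actually limits the damage from a stolen key is the pfSense side, for example an authorized_keys entry with `restrict,command="..."` whose forced command checks `SSH_ORIGINAL_COMMAND` and only permits `easyrule block wan <ip>` and `easyrule unblock wan <ip>`.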