michalklempa / docker-nifi-registry

Unofficial Docker Image For NiFi Registry
Apache License 2.0
26 stars 13 forks

SSH key truncated during Base64 decoding #22

Closed nononsensetekkie closed 3 years ago

nononsensetekkie commented 3 years ago

I encountered the following error during base64 decoding: base64: truncated base64 input. See longer output below.

My steps for testing the Docker image.

Output with error below (similar error for using SSH mount point):

nifi-registry_1  | SSH_KNOWN_HOSTS=$(base64 -w 0 < ~/.ssh/known_hosts)
nifi-registry_1  | SSH_PRIVATE_KEY=$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)
nifi-registry_1  | _=/usr/bin/env
nifi-registry_1  | End of debug output
nifi-registry_1  | SSH_PRIVATE_KEY_FILE=$HOME/.ssh/id_rsa
nifi-registry_1  | SSH_KNOWN_HOSTS_FILE=$HOME/.ssh/known_hosts
nifi-registry_1  | mkdir -p $HOME/.ssh && chmod 700 $HOME/.ssh
nifi-registry_1  | echo -n "${SSH_PRIVATE_KEY}" | base64 -d > $SSH_PRIVATE_KEY_FILE && chmod 600 "${SSH_PRIVATE_KEY_FILE}"
nifi-registry_1  | base64: truncated base64 input
nifi-registry_1  | ssh-keygen ${SSH_PRIVATE_KEY_PASSPHRASE:+'-P' "${SSH_PRIVATE_KEY_PASSPHRASE}"} -y -f ${SSH_PRIVATE_KEY_FILE} > ${SSH_PRIVATE_KEY_FILE}.pub && chmod 600 ${SSH_PRIVATE_KEY_FILE}.pub
nifi-registry_1  | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
nifi-registry_1  | @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
nifi-registry_1  | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
nifi-registry_1  | Permissions 0644 for '/home/nifi/.ssh/id_rsa' are too open.
nifi-registry_1  | It is required that your private key files are NOT accessible by others.
nifi-registry_1  | This private key will be ignored.
nifi-registry_1  | Load key "/home/nifi/.ssh/id_rsa": bad permissions
nifi-registry_1  | echo -n ${SSH_KNOWN_HOSTS} | base64 -d > $SSH_KNOWN_HOSTS_FILE && chmod 600 $SSH_KNOWN_HOSTS_FILE
nifi-registry_1  | base64: truncated base64 input
nifi-registry_1  | Found git remote: ssh://git@somelocation.com/flow-storage.git, cloning into: /opt/nifi-registry/flow-storage, with remote: origin and branch: master
nifi-registry_1  | git clone -o $FLOW_PROVIDER_GIT_REMOTE_TO_PUSH -b $GIT_CHECKOUT_BRANCH $GIT_REMOTE_URL $FLOW_PROVIDER_GIT_FLOW_STORAGE_DIRECTORY
nifi-registry_1  | Cloning into '/opt/nifi-registry/nifi-flows'...
nifi-registry_1  | load pubkey "/home/nifi/.ssh/id_rsa": invalid format
nifi-registry_1  | Host key verification failed.
nifi-registry_1  | fatal: Could not read from remote repository.
nifi-registry_1  |
nifi-registry_1  | Please make sure you have the correct access rights
nifi-registry_1  | and the repository exists.

When the SSH key decoding from Base64 got truncated, it created cascading problems.

I ran a manual test in my local Cygwin environment and verified that the base64 encoding and decoding steps are working properly for my generated SSH key.

# Encode the key as a single base64 line, decode it back and diff against the original
TEST_SSH_KEY=$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)
cd ~/.ssh/
echo -n "${TEST_SSH_KEY}" | base64 -d > test_id
diff test_id id_rsa_nifi_registry_test

The problem seems to reside with the base64 version in the Alpine base image.

nononsensetekkie commented 3 years ago

Further investigation revealed that Docker Compose failed to evaluate a Bash command of the following form:

      SSH_PRIVATE_KEY: "$$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)"
      SSH_KNOWN_HOSTS: "$$(base64 -w 0 < ~/.ssh/known_hosts)"
# or this form, which resulted in error
      SSH_PRIVATE_KEY: "$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)"
      SSH_KNOWN_HOSTS: "$(base64 -w 0 < ~/.ssh/known_hosts)"

As shown in the debug log, the environment variables contained the string of the commands rather than the evaluated values.

nifi-registry_1  | SSH_KNOWN_HOSTS=$(base64 -w 0 < ~/.ssh/known_hosts)
nifi-registry_1  | SSH_PRIVATE_KEY=$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)

In order to pass SSH key data successfully via docker-compose, the evaluated value of the obfuscated key must first be assigned to an environment variable, and that variable is then used to set the environment variable specified in docker-compose.yml.

export OBFUSCATED_SSH_KEY=$(base64 -w 0 < ~/.ssh/id_rsa_nifi_registry_test)
export OBFUSCATED_KNOWN_HOSTS=$(base64 -w 0 < ~/.ssh/known_hosts)

In docker-compose.yml:

    environment:
      SSH_PRIVATE_KEY: ${OBFUSCATED_SSH_KEY}
      SSH_KNOWN_HOSTS: ${OBFUSCATED_KNOWN_HOSTS}

With this setup, the container was able to start up successfully.
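An added example (not code from the docker-nifi-registry image or from the commenter) that shows the host-side encoding and the container-side decoding the comments above describe, with two checks a practitioner would want: reject a value that is still a literal `$(...)` instead of base64 (the debug output shows exactly that string arriving in `SSH_PRIVATE_KEY`), and create the key file with mode 0600 from the moment it exists, so a failed decode cannot leave a world-readable or partial `id_rsa` behind (the `Permissions 0644 ... are too open` warning in the log is what happens when the `chmod 600` only runs after a successful decode). The `.env` file name, the helper names, and the constructed key and known_hosts contents are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the project's entrypoint: host-side encoding plus a
# hardened container-side decode for base64-passed SSH material.
set -eu

# --- host side -------------------------------------------------------------
# Encode a file as one base64 line. `base64 -w 0` is GNU-specific; piping
# through tr works with GNU coreutils and with busybox on Alpine alike.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Write the values into a .env file beside docker-compose.yml. Compose reads
# .env and substitutes ${OBFUSCATED_SSH_KEY} into the YAML; it never runs $(...).
write_env_file() {
  key_file="$1"; known_hosts_file="$2"; out="$3"
  umask 077   # the .env file carries a private key: create it 0600
  {
    printf 'OBFUSCATED_SSH_KEY=%s\n' "$(b64_oneline "$key_file")"
    printf 'OBFUSCATED_KNOWN_HOSTS=%s\n' "$(b64_oneline "$known_hosts_file")"
  } > "$out"
}

# --- container side (entrypoint logic) -------------------------------------
# A value that still contains $( or ${ is an unexpanded shell expression, i.e.
# the failure mode from the issue; an empty value is rejected as well.
looks_unexpanded() {
  case "$1" in
    *'$('*|*'${'*|'') return 0 ;;
    *) return 1 ;;
  esac
}

# Decode a base64 env value into a file that is 0600 from creation onward.
# Decoding into a temp file first means a bad value never leaves a partial
# key at the final path (return 2: unexpanded/empty, 3: not valid base64).
install_secret_file() {
  value="$1"; dest="$2"
  if looks_unexpanded "$value"; then
    echo "refusing to decode '$dest': value is empty or an unexpanded expression" >&2
    return 2
  fi
  umask 077
  tmp="$(mktemp "${dest}.XXXXXX")"
  if ! printf '%s' "$value" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "refusing to install '$dest': value is not valid base64" >&2
    return 3
  fi
  mv "$tmp" "$dest"
  chmod 600 "$dest"
}

# --- demo with constructed data --------------------------------------------
demo() {
  work="$(mktemp -d)"
  # Constructed stand-ins for a private key and known_hosts; not real keys.
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nnotarealkey\n-----END OPENSSH PRIVATE KEY-----\n' > "$work/id_rsa"
  printf 'git.example.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl\n' > "$work/known_hosts"
  write_env_file "$work/id_rsa" "$work/known_hosts" "$work/.env"
  # Simulate Compose: the .env values are exported, and the entrypoint sees
  # SSH_PRIVATE_KEY="${OBFUSCATED_SSH_KEY}" already expanded.
  set -a; . "$work/.env"; set +a
  install_secret_file "$OBFUSCATED_SSH_KEY" "$work/decoded_key"
  if cmp -s "$work/id_rsa" "$work/decoded_key"; then
    echo "round-trip ok, mode: $(ls -l "$work/decoded_key" | cut -c1-10)"
  else
    echo "round-trip MISMATCH" >&2; return 1
  fi
  # The failure mode from the issue: the literal command text arrives instead.
  install_secret_file '$(base64 -w 0 < ~/.ssh/id_rsa)' "$work/bad_key" \
    || echo "rejected unexpanded value (exit $?)"
  rm -rf "$work"
}

demo
```

The `umask 077` is deliberately set before the temp file is created rather than relying on a trailing `chmod`: in the log above the `&& chmod 600` never ran because `base64 -d` failed, which is why ssh-keygen later saw a 0644 file.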