"Host key verification failed" when using ssh on remote Synology NAS in Docker Context

I’ve been totally stuck on this problem for a few days and I need your help.

Long story short : I want to connect VSCode via SSH to a Docker container on a remote host to do some devs directly on my Synology box.

So, I’m trying to connect my Synology DS3622xs+ NAS (DSM 7.2.2-72806 Update 3) running Synology package Container Manager (24.0.2-1535) from my workstation (MacBook Pro M1 with MacOS Sequoia 15.4) using Docker Context.

I’m creating Docker Context using:

sudo docker context create hpgen10plus --docker "host=ssh://Thierry@192.168.0.68"
sudo docker context use hpgen10plus
sudo docker ps

The “docker ps” statement returns the following error:

error during connect: Get "http://docker.example.com/v1.48/containers/json": command [ssh -o ConnectTimeout=30 -T -l Thierry -- 192.168.0.68 docker system dial-stdio] has exited with exit status 255, make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=Host key verification failed.

I’ve tried “native” ssh and it works as expected:

ssh Thierry@192.168.0.68

I guess my config file for ssh on the Mac is right:

Host hpgen10plus
    Hostname 192.168.0.68
    User Thierry
    IdentityFile ~/.ssh/id_rsa.pub
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

I tried to debug SSH daemon on Synology but I see no connection attempt in file “auth.log”.

I wonder if that’s an issue specifically related to Synology. It seems that ssh in Docker Contexts is working for many people.

Thanks for your help!

I moved your post from the “Docker Hub” category to the “General” category, as nothing in your post is related to Docker Hub.

Synology has a tradition of making things “their own”. OpenSSH, which is provided by DSM, and the Container Manager package that bundles Synology’s Docker Engine differ from the vanilla implementations.

Can you issue docker cli commands as user Thierry on your NAS with prefixing them with sudo? If not, this might potentially be the problem.

Thanks for your answer and sorry for the wrong category.
I know this annoying Synology tradition …
So yes, I can issue Docker CLI commands without prefixing with sudo.

I can reproduce your problem.

I tested whether this old docker version actually supports the api v1.48. It does!

curl --silent --unix-socket /var/run/docker.sock http://v1.48/containers/json

In your case, it seems the host key can’t be verified, which doesn’t really seem to make sense, as it works with the ssh client. Though, you could try if removing the entry for your Syno in ~/.ssh/known_hosts on your mac fixes it.

If I try to use docker context, it fails as well, but in my case it complains that it can’t find the docker binary, even though the path of the symlink /usr/local/bin/docker is covered by $PATH.

Though, the same is true, if I use ssh -o ConnectTimeout=30 -T -- <nas ip> docker ps on the host. Note: I have the User set for this host in my ~/.ssh/config. It’s definitely odd.

Update: it works for me if I create a symlink on the NAS: sudo ln -s $(which docker) /usr/bin/docker. Yet another brilliant Synology oddity :)

Thanks for your investigations.
I already created this symlink on the NAS but the problem remains the same : “Host key verification failed”.

UPDATE : it works!

I was using “sudo docker ps” which returned “Host key verification failed”.
I simply used “docker ps” and that works!

THANKS


Sure:

Host dsm1
    HostName 192.168.x.y
    User <my nas user>
    ForwardAgent yes

For testing purposes I used the pk that uses the default filename ~/.ssh/id_rsa.

Note: I usually keep my ssh keys in keepass and use the KeeAgent plugin to expose it to ssh, as I don’t like to have any ssh keys lying around in the filesystem.
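
An added example (not code from any poster in this thread) that models why dropping sudo fixed the error: ssh reads its config and known_hosts from the home directory of the account it runs as, and a Host block applies only when its pattern matches the name ssh was actually given. It assumes the ssh process spawned by the Docker CLI cannot prompt, and it matches known_hosts names literally; the file contents and the key are constructed samples.

```python
import base64, fnmatch, hashlib, hmac

def effective_options(config_text, target):
    """Options ssh applies to `target`: only Host blocks whose patterns match it."""
    opts, active = {}, True               # lines before the first Host apply to all
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            pos = [p for p in args if not p.startswith("!")]
            neg = [p[1:] for p in args if p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(target, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(target, p) for p in neg))
        elif active and args:
            opts.setdefault(key, " ".join(args))   # first value obtained wins
    return opts

def known_hosts_has(known_hosts_text, host):
    """True if a plain or hashed (|1|salt|hmac) entry names `host`."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":   # skip comments and @markers
            continue
        names = fields[0]
        if names.startswith("|1|"):
            _, _, salt, digest = names.split("|")
            mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(digest)):
                return True
        elif host in names.split(","):
            return True
    return False

def diagnose(target, config_text, known_hosts_text):
    """Predict the outcome of a non-interactive ssh to `target` for one account."""
    strict = effective_options(config_text, target).get("stricthostkeychecking", "ask")
    if known_hosts_has(known_hosts_text, target):
        return "verified"
    return "accepted-unverified" if strict.lower() in ("no", "off", "accept-new") else "failed"

# Constructed sample data (the key is a placeholder, not a real host key).
USER_CONFIG = "Host hpgen10plus\n    Hostname 192.168.0.68\n    StrictHostKeyChecking no\n"
USER_KNOWN = "192.168.0.68 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER\n"
ROOT_CONFIG, ROOT_KNOWN = "", ""          # root has never connected to the NAS

if __name__ == "__main__":
    print("user:", diagnose("192.168.0.68", USER_CONFIG, USER_KNOWN))
    print("root:", diagnose("192.168.0.68", ROOT_CONFIG, ROOT_KNOWN))
```

Because the context URL names the IP address, the `Host hpgen10plus` block (including `StrictHostKeyChecking no`) never applied to it; the non-sudo run works because the user's own known_hosts already holds the NAS key, which also means the host key is still being checked.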