docker-credential-helpers

Docker login command accesses random KeyChain entries and fails

Open joelika opened this issue 8 years ago • 24 comments

Duplicated from https://github.com/docker/for-mac/issues/1540. Adding here to hopefully get more visibility.

Expected behavior: Running the command docker login -u USER -p PASS HOST:8443 should login to the specified repo.

Unexpected behavior: Running the above command causes docker to ask to access the KeyChain for a randomly chosen entry. If I deny the request, then the command fails with: "error getting credentials - err: exit status 1, out: The user name or passphrase you entered is not correct." If I allow the request, then the command fails with: "Error saving credentials: error storing credentials - err: exit status 1, out: The specified item already exists in the keychain."

Could be related to issue #47, but I believe that has already been resolved. I also tried downloading docker-credential-osxkeychain v0.5.0 and replacing /usr/local/bin/docker-credential-osxkeychain with that release and I had the same issue.

joelika avatar May 26 '17 15:05 joelika

@joelika This sounds really weird, we can't really reproduce your issue. Could you do a which docker-credential-osxkeychain to check there is no other one in there? Alternatively, removing /usr/local/bin/docker-credential-osxkeychain and performing a reset to default in your Docker for Mac should do the trick of getting rid of the one in /usr/local/bin.

jeanlaurent avatar May 26 '17 16:05 jeanlaurent

Thanks @jeanlaurent! I did perform a which docker-credential-osxkeychain to find the original location under /usr/local/bin/docker-credential-osxkeychain. I then replaced that binary with the v0.5.0 release with the same result.

After that test, I finally deleted the binary at /usr/local/bin/docker-credential-osxkeychain, and now I can use docker login to my private registries with the standard username/password prompt from Docker.

There's a number of other reports on the original issue here https://github.com/docker/for-mac/issues/1540 for reference.

Happy to perform more troubleshooting or provide more details. Thanks for following up!

joelika avatar May 26 '17 17:05 joelika

Docker For Mac only creates symlinks towards the Docker.app bundle in the /usr/local/bin directory.

Could it be possible that you installed a docker-credential-osxkeychain binary in /usr/local/bin?

I know we suggested that before the 0.5.0 version was available, as a workaround.

jeanlaurent avatar May 29 '17 14:05 jeanlaurent

@jeanlaurent I did not, mainly because I wasn't even aware of docker-credential-osxkeychain before I had this issue 😄 . But correct, I did see the symlink when I reset docker to factory defaults:

$ which docker-credential-osxkeychain
/usr/local/bin/docker-credential-osxkeychain

$ cd /usr/local/bin/
$ ls -la | grep docker-credential-osxkeychain
lrwxr-xr-x    1 localuser  staff      91 Jun  1 09:00 docker-credential-osxkeychain -> /Users/localuser/Library/Group Containers/group.com.docker/bin/docker-credential-osxkeychain

Then if I run:

docker login my.dockerregistery.com:5002

I get the keychain prompting me to use an item that is not my registry. It's just a random entry, because if I delete this entry, it picks a new one:

[Screenshot: screen-shot-2017-06-01-at-9 04]

and if I hit "Deny", I get:

error getting credentials - err: exit status 1, out: 'The user name or passphrase you entered is not correct.'

I tried then downloading the v0.5.0 release and overwriting the symlink in /usr/local/bin/ and I got the same issue I had above.

Finally, if I delete docker-credential-osxkeychain under /usr/local/bin/, I get the normal Docker login and it works:

$ docker login my.dockerregistery.com:5002
Username:
Password:
Login Succeeded

This is on macOS 10.12.5 and Docker 17.03.1-ce-mac12 (17661)

joelika avatar Jun 01 '17 13:06 joelika

I came across this problem on macOS High Sierra 10.13.1 (17B48) and Docker 17.09.0-ce-mac35 (19611). I followed the instructions from docker/for-mac#2228 and it works for me.

liming-gd avatar Nov 21 '17 02:11 liming-gd

rm /usr/local/bin/docker-credential-osxkeychain, and everything is OK.

Danceiny avatar Dec 15 '17 17:12 Danceiny

deleting the /usr/local/bin/docker-credential-osxkeychain worked for me

lotusbaba avatar Feb 08 '18 19:02 lotusbaba

It did not work for me.

error getting credentials - err: exec: "docker-credential-osxkeychain": executable file not found in $PATH, out: ``

sinan-gul avatar Feb 15 '18 18:02 sinan-gul

deleting the /usr/local/bin/docker-credential-osxkeychain worked for me

Same problem as @bestreaction but after a restart of docker, then it works.

Gustry avatar Feb 19 '18 11:02 Gustry

@bestreaction

  1. did you restart docker?
  2. when you try a locate docker-credential-osxkeychain, what's the output?
  3. the usual setup is that you get a docker-credential-osxkeychain.bin file in the /Applications/Docker.app/Contents/Resources/bin/ resource directory and this is symlink'ed at /usr/local/bin/ (and also intermediately symlink'd through /Users/XXXX/Library/Group Containers/group.com.docker/bin/ normally)

So feel free to recreate the missing symlink at /usr/local/bin if you have the proper binary somewhere on your filesystem.

n4ss avatar Feb 21 '18 00:02 n4ss

Deleting /usr/local/bin/docker-credential-osxkeychain did not work.

I ran brew install docker-credential-helper which installed it correctly. No idea where the original (no longer working) binary came from.

stormbeta avatar Apr 24 '18 23:04 stormbeta

Guys, go to Docker preferences and click on Restart; once restarted, open a new terminal and run docker login. It resolved to Login Succeeded. If the above did not work, then go to Docker preferences and click Reset to factory defaults.

sntanala avatar May 10 '18 18:05 sntanala

Still have problem on Darwin Kernel Version 17.6.0

mrnonz avatar Jun 29 '18 04:06 mrnonz

Did not work for me; it just loops:

  1. docker login registry.huilianyi.com username:li.... password: Error saving credentials: error storing credentials - err: exit status 1, out: The user name or passphrase you entered is not correct.
  2. which docker-credential-osxkeychain, output: /usr/local/bin/docker-credential-osxkeychain; then rm /usr/local/bin/docker-credential-osxkeychain
  3. Go to Docker preferences and click Reset to factory defaults. Close the terminal, open a new terminal.
  4. Back to 1.

QCCS avatar Aug 06 '18 17:08 QCCS

For me also stuck in loop.

abhatia05 avatar Nov 08 '18 05:11 abhatia05

On Ubuntu 18.10, the binary that needs to be deleted for login to work is /usr/bin/docker-credential-secretservice. This may break some functionality however.

ntjn avatar Feb 07 '19 15:02 ntjn

I logged out from the Docker GUI and restarted Docker, and then logged in via the GUI with my username (don't use email to log in). [FIXED]

astaphobia avatar Feb 12 '19 10:02 astaphobia

I found a super easy solution. Just disabled "Securely store Docker logins in macOS keychain" from Docker's GUI preferences menu.

narektutikian avatar Apr 10 '19 09:04 narektutikian

@narek-king thank you, this solution helps me! I've disabled this option in GUI preferences and tried docker login - everything is OK.

monstarnn avatar Apr 11 '19 17:04 monstarnn

@narek-king yes this also works for me, thanks! After the change it looks like the docker login creds then get saved (encrypted) in ~/.docker/config.json, rather than in the mac keychain. I'm on docker desktop 2.0.0.3, engine 18.09.2 on MacOS 10.13.6

roberto785612 avatar May 06 '19 21:05 roberto785612

If your Docker version is 18.09.2, just remove "credsStore": "osxkeychain" from ~/.docker/config.json instead: https://github.com/docker/for-mac/issues/2295

luvletterldl avatar May 07 '19 07:05 luvletterldl

Removing docker-compose will solve the problem, so I'm wondering if docker-compose caused this problem.

WeihanLi avatar May 07 '19 08:05 WeihanLi

Removing the line "credsStore" : "osxkeychain" resolved for me:

My file ~/.docker/config.json was like below:

{
  "auths" : {

  },
  "HttpHeaders" : {
    "User-Agent" : "Docker-Client/19.03.2 (darwin)"
  },
  "stackOrchestrator" : "swarm",
  "credsStore" : "osxkeychain"
}    

I removed the last line ("credsStore" : "osxkeychain") and restarted Docker. Then I could log in and the file became:

{
        "auths": {
                "https://index.docker.io/v1/": {}
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.2 (darwin)"
        },
        "credsStore": "osxkeychain",
        "stackOrchestrator": "swarm"
}

utelemaco avatar Nov 02 '19 20:11 utelemaco
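An added example, not part of the thread or of the docker-credential-helpers project: a small audit of the config.json contents discussed in the comments above, reporting whether a credsStore or per-registry credHelpers entry is configured and flagging any "auths" entry that carries an inline "auth" value, which is base64 of user:password. The sample configurations, registry name and credentials are constructed for illustration.

```python
import base64
import json


def audit_docker_config(text):
    """Return (severity, message) findings for the text of a Docker CLI config.json."""
    cfg = json.loads(text)
    findings = []
    store = cfg.get("credsStore")
    if store:
        findings.append(("info", f"credsStore set: secrets go through docker-credential-{store}"))
    else:
        findings.append(("warn", "no credsStore set in this file"))
    for registry, helper in cfg.get("credHelpers", {}).items():
        findings.append(("info", f"{registry}: per-registry helper docker-credential-{helper}"))
    for registry, entry in cfg.get("auths", {}).items():
        token = (entry or {}).get("auth")
        if not token:
            continue  # empty entry: the secret is held by a helper, not this file
        try:
            # "auth" is base64("user:password"); report the user name only
            user = base64.b64decode(token).decode("utf-8").split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append(("high", f"{registry}: inline base64 credential for {user!r}, "
                                 "readable by anyone who can read the file"))
    return findings


# Constructed samples (not real credentials or registries).
SAMPLE_KEYCHAIN = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "osxkeychain",
})
SAMPLE_INLINE = json.dumps({
    "auths": {"registry.example.test:5002": {
        "auth": base64.b64encode(b"alice:constructed-password").decode("ascii"),
    }},
})

if __name__ == "__main__":
    for name, sample in (("keychain", SAMPLE_KEYCHAIN), ("inline", SAMPLE_INLINE)):
        for severity, message in audit_docker_config(sample):
            print(f"[{name}] {severity}: {message}")
```

To check a real machine, pass the contents of ~/.docker/config.json to audit_docker_config; the function never prints the password part of an inline entry.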

I had a similar problem:

What didn't work:

  • Removing file /usr/local/bin/docker-credential-osxkeychain + docker restart
  • Removing content from $HOME/.docker/config.json + docker restart
  • System restart
  • I have tried to open Keychain Access and click the login lock -> I didn't have permission to do this action

Working solution:

  1. Open Keychain Access
  2. Left click login
  3. Left click the Passwords tab
  4. Remove records related to docker
  5. Try to login to docker again

[image] (image doesn't show docker records and details to avoid showing personal info :)

TheGeniesis avatar Jul 28 '22 08:07 TheGeniesis