While it is possible to use password-based authentication to push to Dokku, it is preferable to use key-based authentication for security.
Users in dokku are managed via the ~/dokku/.ssh/authorized_keys file. While you can manually edit this file, it is highly recommended that you follow the steps below to manage users on a dokku server.
Dokku uses the sshcommand utility to manage ssh keys for the dokku user. The following is the usage output for sshcommand.
    sshcommand create <user> <command>           # creates a user forced to run command when SSH connects
    sshcommand acl-add <user> <ssh-key-name>     # adds named SSH key to user from STDIN
    sshcommand acl-remove <user> <ssh-key-name>  # removes SSH key by name
    sshcommand help                              # displays the usage help message
In dokku's case, the <user> section is always dokku, as this is the system user under which the dokku binary performs all its actions. Keys are given unique names, which can be used in conjunction with the user-auth plugin trigger to handle command authorization.
You can add your public key to the dokku user's ~/dokku/.ssh/authorized_keys file with the following command:
    # from your local machine
    # replace dokku.me with your domain name or the host's IP
    # replace root with your server's root user
    # USER is the username you use to refer to this particular key
    cat ~/.ssh/id_rsa.pub | ssh root@dokku.me "sudo sshcommand acl-add dokku USER"
At its base, sshcommand must be run under a user with sudo access, as it sets keys for the dokku user.
For instance, if you stored your public key at ~/.ssh/id_rsa.pub-open and are deploying to EC2 where the default root-enabled user is ubuntu, you can run the following command to add your key under the
cat ~/.ssh/id_rsa.pub-open | ssh email@example.com "sudo sshcommand acl-add dokku superuser"
If you are using the vagrant installation, you can also use the make vagrant-acl-add target to add your public key to dokku (it will use your host username as the
cat ~/.ssh/id_rsa.pub | make vagrant-acl-add
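
As an added example (not taken from the Dokku documentation), the shell helpers below check the key file and the key name locally before running the sshcommand acl-add step shown above. The function names, the DRY_RUN switch and the key-name character policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before piping a key to "sshcommand acl-add".
# Function names and the DRY_RUN switch are hypothetical, not part of dokku.

# Succeed only if the file holds exactly one OpenSSH public key line.
check_pubkey_file() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # A private key must never leave the workstation.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing: $f looks like a private key" >&2
        return 1
    fi
    # Exactly one non-empty line: one named entry should correspond to one key.
    n=$(grep -c . "$f") || true
    [ "$n" -eq 1 ] || { echo "expected 1 key in $f, found $n" >&2; return 1; }
    # Expected layout: <type> <base64 blob> [comment]; common key types only.
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$' "$f" ||
        { echo "not an OpenSSH public key: $f" >&2; return 1; }
}

# The name is interpolated into a command line parsed by the remote shell, so
# restrict it. This character set is this example's policy, not sshcommand's.
check_key_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "bad key name: $1" >&2; return 1 ;;
    esac
}

# Usage: add_dokku_key <pubkey-file> <key-name> <user@host>
# DRY_RUN=1 prints the command instead of connecting.
add_dokku_key() {
    check_pubkey_file "$1" || return 1
    check_key_name "$2" || return 1
    remote="sudo sshcommand acl-add dokku $2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ssh $3 \"$remote\" < $1"
    else
        ssh "$3" "$remote" < "$1"
    fi
}
```

Run it first with DRY_RUN=1 to review the exact remote command before any key is sent.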