Introduced in 0.7.0
When pushing to Dokku, ssh key based authorization is the preferred authentication method, for ease of use and increased security.
Users in Dokku are managed via the
~/dokku/.ssh/authorized_keys file. It is highly recommended that you follow the steps below to manage users on a Dokku server.
Users of older versions of Dokku may use the
sshcommand binary to manage keys instead of the
ssh-keys plugin. Please refer to the Dokku documentation for your version for more details.
Listing SSH Keys
You can use the
ssh-keys:list command to show all configured ssh keys. Any key added via the
dokku-installer will be associated with the
admin key name.
The output contains the following information:
- SSH Key Fingerprint.
- A comma separated list of ssh options under the
Adding SSH Keys
You can add your public key to Dokku with the
ssh-keys:add command. The output will be the fingerprint of the ssh key:
KEY_NAME is the username prefer to use to refer to this particular key. Including the word
admin in the name will grant the user privileges to add additional keys remotely.
KEY_NAME is a unique name which is used to identify public keys. Attempting to re-use a key name will result in an error. The ssh (git) user is always
dokku, as this is the system user that the
dokku binary uses to perform all it's actions.
Admin users and root can also add keys remotely:
If you are using an ssh user other than
dokku, then you'll also need to specify the
Finally, if you are using the vagrant installation, you can also use the
make vagrant-acl-add target to add your public key to Dokku (it will use your host username as the
Removing SSH Keys
As key names are unique, they can be used to remove a public ssh key.
Scoping commands to specific users
Keys are given unique names, which can be used in conjunction with the user-auth plugin trigger to handle command authorization. Please see the documentation on that trigger for more information.
Granting other Unix user accounts Dokku access
Any Unix user account which belongs to the 'sudo' Unix group can run Dokku. However, you may want to give them Dokku access but not full sudo privileges.
To allow other Unix user accounts to be able to run Dokku commands, without giving them full sudo access, modify your sudoers configuration.
visudo /etc/sudoers.d/dokku-users, or
visudo /etc/sudoers to add the following line: