Docker login command accesses random KeyChain entries and fails

[joelika]

Duplicated from docker/for-mac#1540 Adding here to hopefully get more visibility.

Expected behavior:
Running the command
docker login -u USER -p PASS HOST:8443
should login to the specified repo.

Unexpected behavior:
Running the above command causes docker to ask to access the KeyChain for a randomly chosen entry.
If I deny the request, then the command fails with:
"error getting credentials - err: exit status 1, out: The user name or passphrase you entered is not correct."
If I allow the request, then the command fails with:
"Error saving credentials: error storing credentials - err: exit status 1, out: The specified item already exists in the keychain."

Could be related to issue #47, but I believe that has already been resolved. I also tried downloading docker-credential-osxkeychain v0.5.0 and replacing /usr/local/bin/docker-credential-osxkeychain with that release and I had the same issue.

[jeanlaurent]

@joelika This sounds really weird, we can't really reproduce your issue.
Could you do a which docker-credential-osxkeychain do check there is no other one in there ?
Alternatively, removing /usr/local/bin/docker-credential-osxkeychain and performing a reset to default in your docker for mac should do the trick, of getting rid of the one in /usr/local/bin

[joelika]

Thanks @jeanlaurent! I did perform a which docker-credential-osxkeychain to find the original location under /usr/local/bin/docker-credential-osxkeychain. I then replaced that binary with the v0.5.0 release with the same result.

After that test, I finally deleted the binary at /usr/local/bin/docker-credential-osxkeychain, and now I can use docker login to my private registries with the standard username/password prompt from Docker.

There's a number of other reports on the original issue here docker/for-mac#1540 for reference.

Happy to perform more troubleshooting or provide more details. Thanks for following up!

[jeanlaurent]

Docker For Mac only create symlinks towards the Docker.app bundle in the /usr/local/bin directory.

Could it be possible that you installed a docker-credential-osxkeychain binary in /usr/local/bin ?

I know we suggested that before the 0.5.0 version was available, as a workaround.

[joelika]

@jeanlaurent I did not, mainly because I wasn't even aware of docker-credential-osxkeychain before I had this issue 😄 . But correct, I did see the symlink when I reset docker to factory defaults:

$ which docker-credential-osxkeychain
/usr/local/bin/docker-credential-osxkeychain

$ cd /usr/local/bin/
$ ls -la | grep docker-credential-osxkeychain
lrwxr-xr-x    1 localuser  staff      91 Jun  1 09:00 docker-credential-osxkeychain -> /Users/localuser/Library/Group Containers/group.com.docker/bin/docker-credential-osxkeychain

Then if I run:

docker login my.dockerregistery.com:5002

I get the keychain prompting me to use an item that is not my registry. It's just a random entry, because if I delete this entry, it picks a new one:

and if I hit "Deny", I get:

error getting credentials - err: exit status 1, out: 'The user name or passphrase you entered is not correct.'

I tried then downloading the v0.5.0 release and overwriting the symlink in /usr/local/bin/ and I got the same issue I had above.

Finally, if I delete docker-credential-osxkeychain under /usr/local/bin/, I get the normal Docker login and it works:

$ docker login my.dockerregistery.com:5002
Username:
Password:
Login Succeeded

This is on macOS 10.12.5 and Docker 17.03.1-ce-mac12 (17661)

[liming-gd]

I came across this problem on macOS High Sierra 10.13.1 (17B48) and Docker 17.09.0-ce-mac35 (19611)。 I follow instructions from docker/for-mac#2228 and it works for me.

[Danceiny]

rm /usr/local/bin/docker-credential-osxkeychain, and everything get ok.

[lotusbaba]

deleting the /usr/local/bin/docker-credential-osxkeychain worked for me

[sinan-gul]

It did not work for me.

error getting credentials - err: exec: "docker-credential-osxkeychain": executable file not found in $PATH, out: ``

[Gustry]

deleting the /usr/local/bin/docker-credential-osxkeychain worked for me

Same problem as @bestreaction but after a restart of docker, then it works.

[n4ss]

@bestreaction

1. did you restart docker?
2. when you try a locate docker-credential-osxkeychain, what's the output?
3. the usual setup is that you get a docker-credential-osxkeychain.bin file in the /Applications/Docker.app/Contents/Resources/bin/ resource directory and this is symlink'ed at /usr/local/bin/ (and also intermediately symlink'd through /Users/XXXX/Library/Group Containers/group.com.docker/bin/ normally)

So feel free to recreate the missing symlink at /usr/local/bin if you have the proper binary somewhere on your filesystem.

[stormbeta]

Deleting /usr/local/bin/docker-credential-osxkeychain did not work.

I ran brew install docker-credential-helper which installed it correctly. No idea where the original (no longer working) binary came from.

[sntanala]

Guys, go to docker preferences and click on Restart, once restarted open new terminal and docker login, it resolved to login succeed.
If above did not work then go to docker preferences and click Reset to factory defaults.

[mrnonz]

Still have problem on Darwin Kernel Version 17.6.0

[QCCS]

not work for me;
just loop;

1
docker login registry.huilianyi.com
username:li....
password:
Error saving credentials: error storing credentials - err: exit status 1, out: The user name or passphrase you entered is not correct.

2
which docker-credential-osxkeychain
output: /usr/local/bin/docker-credential-osxkeychain
rm /usr/local/bin/docker-credential-osxkeychain

3
go to docker preferences and click Reset to factory defaults.
close terminal
open new terminal

4
back to 1

[abhatia05]

For me also stuck in loop.

[ntjn]

On Ubuntu 18.10, the binary needs to be deleted for login to work is /usr/bin/docker-credential-secretservice. This may break some functionality however.

[astaphobia]

i have logout from docker GUI and restart my docker.
and then login via GUI with username dont use email to login
[FIXED]

[narektutikian]

I found super easy solution.
Just disabled "Securely store Docker logins in macOS keychain" from Docker's GUI preferences menu.

[monstarnn]

@narek-king thank you, this solution helps me! I've disabled this option in GUI preferences and tried docker login - everything is OK.

[roberto785612]

@narek-king yes this also works for me, thanks! After the change it looks like the docker login creds then get saved (encrypted) in ~/.docker/config.json, rather than in the mac keychain.
I'm on docker desktop 2.0.0.3, engine 18.09.2 on MacOS 10.13.6

[luvletterldl]

if your docker version is 18.09.2, you just removing "credsStore": "osxkeychain" from ~/.docker/config.json instead, docker/for-mac#2295

[WeihanLi]

remove the docker-compose will solve the problem, so I'm wondering if the docker-compose caused this problem

[utelemaco]

Removing the line "credsStore" : "osxkeychain" resolved for me:

My file ~/.docker/config.json was like below:

{
  "auths" : {

  },
  "HttpHeaders" : {
    "User-Agent" : "Docker-Client/19.03.2 (darwin)"
  },
  "stackOrchestrator" : "swarm",
  "credsStore" : "osxkeychain"
}    

I removed the last line ("credsStore" : "osxkeychain") and restarted docker. Then I could login and the file become:

{
        "auths": {
                "https://index.docker.io/v1/": {}
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.2 (darwin)"
        },
        "credsStore": "osxkeychain",
        "stackOrchestrator": "swarm"
}

[TheGeniesis]

I had similar problem:

What didn't work:

• Removing file /usr/local/bin/docker-credential-osxkeychain + docker restart
• Removing content from $HOME/.docker/config.json + docker restart
• System restart
• I have tried to open Keychain Access and click the login lock -> I didn't have permission to do this actions

Working solution:

1. Open Keychain Access
2. Left click login
3. Left click the Passwords tab
4. Remove records related to docker
5. Try to login to docker again
   
   (image doesn't show docker records and details to avoid showing personal info :)