panubo/docker-sshd panubo/docker-sshd

  • Stars
    star
    447
  • Rank 97,700 (Top 2 %)
  • Language
    Shell
  • License
    MIT License
  • Created over 9 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
panubo/docker-sshd
github

panubo

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Minimal Alpine Linux Docker image with sshd exposed and rsync installed

SSHD

Minimal Alpine Linux Docker image with sshd exposed and rsync installed. The image is available on quay.io quay.io/panubo/sshd and AWS ECR Public public.ecr.aws/panubo/sshd.

Environment Options

Configure the container with the following environment variables or optionally mount a custom sshd config at /etc/ssh/sshd_config:

General Options

  • SSH_USERS list of user accounts and uids/gids to create. eg SSH_USERS=www:48:48,admin:1000:1000:/bin/bash. The fourth argument for specifying the user shell is optional. If SSH_GROUPS is omitted, a group is created for each user with the same name as the user.
  • SSH_GROUPS list of groups and gids to create. eg SSH_GROUPS=guests:1005,other:1006. Specifying this option disables automatic group creation of user-named groups if you also specify SSH_USERS.
  • SSH_ENABLE_ROOT if "true" unlock the root account. N.B restricted modes to not apply to this account.
  • SSH_ENABLE_PASSWORD_AUTH if "true" enable password authentication (disabled by default) (excluding the root user)
  • SSH_ENABLE_ROOT_PASSWORD_AUTH if "true" enable password authentication for all users including root
  • MOTD change the login message

SSH Options

  • GATEWAY_PORTS if "true" sshd will allow gateway ports
  • TCP_FORWARDING if "true" sshd will allow TCP forwarding
  • DISABLE_SFTP if "true" sshd will not accept sftp connections. Note: This does not prevent file access unless you define a restricted shell for each user that prevents executing programs that grant file access.

Restricted Modes

The following three restricted modes, SFTP only, SCP only and Rsync only are mutually exclusive. If no mode is defined, then all connection types will be accepted. Only one mode can be enabled at a time:

SFTP Only

  • SFTP_MODE if "true" sshd will only accept sftp connections
  • SFTP_CHROOT if in sftp only mode sftp will be chrooted to this directory. Default "/data"

SCP Only

  • SCP_MODE if "true" sshd will only accept scp connections (uses rssh)

Rsync Only

  • RSYNC_MODE if "true" sshd will only accept rsync connections (uses rssh)

SSH Host Keys

SSH uses host keys to identify the server. To avoid receiving a security warning the host keys should be mounted on an external volume.

By default this image will create new host keys in /etc/ssh/keys which should be mounted on an external volume. If you are using existing keys and they are mounted in /etc/ssh this image will use the default host key location making this image compatible with existing setups.

If you wish to configure SSH entirely with environment variables it is suggested that you externally mount /etc/ssh/keys instead of /etc/ssh.

Authorized Keys

Mount your .ssh credentials (RSA public keys) at /root/.ssh/ in order to access the container via root and set SSH_ENABLE_ROOT=true or mount each user's key in /etc/authorized_keys/<username> and set SSH_USERS environment config to create the user accounts.

Authorized keys must be either owned by root (uid/gid 0), or owned by the uid/gid that corresponds to the uid/gid and user specified in SSH_USERS.

SFTP mode

When in sftp only mode (activated by setting SFTP_MODE=true) the container will only accept sftp connections. All sftp actions will be chrooted to the SFTP_CHROOT directory which defaults to "/data".

Please note that all components of the pathname in the ChrootDirectory directive must be root-owned directories that are not writable by any other user or group (see man 5 sshd_config).

SCP or Rsync modes

When in scp or rsync only mode (activated by setting SCP_MODE=true or RSYNC_MODE=true respectively) the container will only accept scp or rsync connections. No chroot is provided.

This is provided by using rssh restricted shell.

Custom Scripts

Executable shell scripts and binaries can be mounted or copied in to /etc/entrypoint.d. These will be run when the container is launched but before sshd is started. These can be used to customise the behaviour of the container.

Password authentication

Password authentication is not recommended however using SSH_ENABLE_PASSWORD_AUTH=true you can enable password authentication. The image doesn't provide any way to set user passwords via config but you can use the custom scripts support to run a custom script to set user passwords. Setting SSH_ENABLE_ROOT_PASSWORD_AUTH=true also enables password authentification for the root account.

For example you could add the following script to /etc/entrypoint.d/

setpasswd.sh

#!/usr/bin/env bash

set -e

echo 'user1:$6$lAkdPbeeZR7YJiE3$ohWgU3LcSVit/hEZ2VOVKvxD.67.N9h5v4ML7.4X51ZK3kABbTPHkZUPzN9jxQQWXtkLctI0FJZR8CChIwz.S/' | chpasswd --encrypted

# Or if you don't pre-hash the password remove the line above and uncomment the line below.
# echo "user1:user1password" | chpasswd

It is strongly recommend to pre-hash passwords. Passwords that are not hashed are a security risk, other users may be able to read the setpasswd.sh script and see all other users passwords and keeping plain text passwords is considered bad practice.

To generate a hashed password use mkpasswd which is available in this image or use https://trnubo.github.io/passwd.html to generate a hash in your browser. Example use of mkpasswd below.

$ docker run --rm -it --entrypoint /usr/bin/env quay.io/panubo/sshd:1.6.0 mkpasswd
Password:
$6$w0ZvF/gERVgv08DI$PTq73dIcZLfMK/Kxlw7rWDvVcYvnWJuOWtxC7sXAYZL69CnItCS.QM.nTUyMzaT0aYjDBdbCH1hDiwbQE8/BY1

To start sshd with the setpasswd.sh script

docker run -ti -p 2222:22 \
  -v $(pwd)/keys/:/etc/ssh/keys \
  -e SSH_USERS=user:1000:1000 \
  -e SSH_ENABLE_PASSWORD_AUTH=true \
  -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \
  quay.io/panubo/sshd:1.6.0

To enable password authentication on the root account, the previous setpasswd.sh script must also define a password for the root user, then the command will be:

docker run -ti -p 2222:22 \
  -e SSH_ENABLE_ROOT_PASSWORD_AUTH=true \
  -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \
  quay.io/panubo/sshd:1.6.0

Usage Example

The example below will run interactively and bind to port 2222. /data will be bind mounted to the host. And the ssh host keys will be persisted in a keys directory.

You can access with ssh root@localhost -p 2222 using your private key.

docker run -ti -p 2222:22 \
  -v ${HOME}/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro \
  -v $(pwd)/keys/:/etc/ssh/keys \
  -v $(pwd)/data/:/data/ \
  -e SSH_ENABLE_ROOT=true \
  quay.io/panubo/sshd:1.6.0

Create a www user with gid/uid 48. You can access with ssh www@localhost -p 2222 using your private key.

docker run -ti -p 2222:22 \
  -v ${HOME}/.ssh/id_rsa.pub:/etc/authorized_keys/www:ro \
  -v $(pwd)/keys/:/etc/ssh/keys \
  -v $(pwd)/data/:/data/ \
  -e SSH_USERS="www:48:48" \
  quay.io/panubo/sshd:1.6.0

Releases

For production usage, please use a versioned release rather than the floating 'latest' tag.

See the releases for tag usage and release notes.

Status

Production ready and stable.

More Repositories

1

docker-vsftpd

vsftpd Docker Image
Shell
47
star
2

docker-postfix

Postfix Docker Image with great flexibility
Shell
27
star
3

docker-mariadb-galera

Docker image for MariaDB Galera Cluster
Shell
25
star
4

docker-s3fs

S3FS Docker image
Shell
23
star
5

docker-php-apache

Highly configurable PHP-FPM and Apache Docker images
Dockerfile
6
star
6

docker-acme

Docker image for Let's Encrypt ACME client
Shell
5
star
7

docker-rundeck

Docker image for Rundeck
Shell
4
star
8

Dockerfiles

Panubo's Public Dockerfiles (deprecated)
PHP
4
star
9

docker-postgres-toolbox

PostgreSQL Toolbox for Docker
Shell
4
star
10

docker-mailserver

Fully featured mailserver in one Docker image
Shell
2
star
11

docker-cron

Cron in a Docker container
Dockerfile
2
star
12

bash-container

Common container Bash functions
Shell
2
star
13

docker-rsync-backup

Minimal Alpine Linux Docker image with rsync backup capability
Shell
2
star
14

fleet-deploy

(deprecated) Fleet unit deployment tool
Python
2
star
15

mtls-example

mTLS example
Makefile
2
star
16

docker-rsync-ssl-backup

Minimal Alpine Linux Docker image with rsync (over SSL) backup capability
Shell
2
star
17

docker-s3-backup

S3 Backup image
Shell
1
star
18

docker-cve

Toolset to check local images for CVE's and other common issues (deprecated)
Shell
1
star
19

docker-sensu-aio

Docker image for all in one Sensu server.
Dockerfile
1
star
20

curltab

Generate a crontab from a curltab (a crontab like format)
Go
1
star
21

docker-s3ql

Docker image for S3QL
Shell
1
star
22

docker-gsutil

Docker Gsutil
Dockerfile
1
star
23

docker-ffmpeg-worker

Example container. beanstalkd + cmdstalk + ffmpeg.
Shell
1
star
24

docker-monit

Docker Monit image
Shell
1
star
25

docker-webhook

Minimal Alpine Linux Docker image with adnanh/webhook installed
Dockerfile
1
star
26

docker-apache-mvh

Apache Mass Virtual Host
Shell
1
star
27

docker-mariadb-toolbox

MariaDB Toolbox for Docker
Shell
1
star
28

fleet-deploy-atomic

(deprecated) Atomic Handler for Panubo Fleet Deploy
Python
1
star
29

strider-deploy

(deprecated) Strider-CD custom script for deployments with Fleet
Shell
1
star