I use Traefik to control access to my home network. For security I use https with multifactor authentication, and for ssh this docker image uses public key authentication only; password-based authentication is disabled.
I didn't want to disable password authentication on my existing ssh services, so I created a docker container that disables password authentication for inbound connections. It can be used as the Traefik ingress point before hopping to other computers.
This Dockerfile uses Alpine Linux to run an OpenSSH server daemon.
Two directories can optionally be exposed to the docker host system. Doing so preserves the ssh server's host keys and the shell user's ssh files. If you don't persist these directories, you will have to trust a new host key and re-add authorized keys every time the container is rebuilt.
| File or Folder | Description |
|---|---|
| /etc/sshsavedhostkeys | entrypoint.sh saves or restores the ssh server's host keys here as needed |
| /home/shelluser/.ssh | The jump user's (shelluser) .ssh folder containing the PKI key, authorized_keys and known_hosts |
The image creates the sshd daemon's server keys in a mountable volume. This means that the container can be dropped, re-built, re-started without needing to issue and trust a new set of keys.
Rebuild the image locally, or pull the published image:

```sh
docker stop sshd; docker rm sshd; docker build --tag sshd sshd
docker pull ghcr.io/stevegroom/sshd:latest
```

Run without persistence (host keys and authorized keys are lost when the container is rebuilt; note that docker has no `--port` flag, the option is `--publish`):

```sh
docker run --name sshd --detach --publish 122:22 sshd:latest
```
-or-
```sh
docker run --name sshd --detach --publish 122:22 ghcr.io/stevegroom/sshd:latest
```

Run with the two directories persisted on the docker host:

```sh
docker run --name sshd \
  --detach \
  --publish 122:22 \
  --volume ~/sshserver/persist/sshsavedhostkeys:/etc/sshsavedhostkeys \
  --volume ~/sshserver/persist/shelluserssh:/home/shelluser/.ssh \
  sshd:latest
```
-or-
```sh
docker run --name sshd \
  --detach \
  --publish 122:22 \
  --volume ~/sshserver/persist/sshsavedhostkeys:/etc/sshsavedhostkeys \
  --volume ~/sshserver/persist/shelluserssh:/home/shelluser/.ssh \
  ghcr.io/stevegroom/sshd:latest
```

Add the public keys that are allowed to log in as shelluser. Repeat for all the keys you need to add:

```sh
docker exec -it sshd /addauthuser.sh "$(cat ~/.ssh/id_rsa.pub)"
```
-or-
```sh
docker exec -it sshd /addauthuser.sh "ssh-rsa AAAAB3NzaC ... your id_rsa.pub ...GVVqApPd steve@slice.lan"
```

Log in to the jump host directly, or use it as a ProxyJump (`-J`) to reach a private host behind it:

```sh
ssh shelluser@dockerhost -p 122
ssh -J shelluser@dockerhost:122 user@privatehost -p 22
```

To edit the sshd configuration inside the running container:

```sh
docker exec -it sshd /bin/sh
vi /etc/ssh/sshd_config
```

sshd ignores an authorized_keys file that other users can read or write, so make sure the persisted copy is mode 600:

```sh
chmod 600 persist/authorized_keys
```
To make a sharable backup, omit the saved keys:

```sh
tar -czvf sshserver.tar.gz --exclude sshserver/persist/shelluserssh/* --exclude sshserver/persist/sshsavedhostkeys/* sshserver
```

Based on: https://techblog.thcb.org/how-to-install-openssh-server-on-alpine-linux-including-docker/

Edit the sshd config file to allow port forwarding (`AllowTcpForwarding`); `ssh -J` through the jump host needs it.
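As an added example (not the image's own entrypoint.sh or addauthuser.sh), the two jobs described above, saving or restoring the host keys and appending an authorized key, written as POSIX sh functions that take their paths as arguments, plus a check that an sshd_config really disables password authentication. The function names are my own, and the keys and paths used to try it out are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the image's own entrypoint.sh or addauthuser.sh: the same
# jobs (persist/restore sshd host keys, append an authorized key) as functions
# taking their paths as arguments. Needs POSIX sh, awk, grep and cp.
set -eu

# sync_host_keys PERSIST_DIR SSH_DIR
# Restore host keys from PERSIST_DIR if it holds any, otherwise save SSH_DIR's
# keys into it. Prints "restored" or "saved"; fails when neither side has keys.
sync_host_keys() {
  persist="$1"; sshdir="$2"
  mkdir -p "$persist" "$sshdir"
  if ls "$persist"/ssh_host_*_key >/dev/null 2>&1; then
    cp -p "$persist"/ssh_host_*_key* "$sshdir"/
    echo restored
  elif ls "$sshdir"/ssh_host_*_key >/dev/null 2>&1; then
    cp -p "$sshdir"/ssh_host_*_key* "$persist"/
    echo saved
  else
    echo "no host keys in $persist or $sshdir; run ssh-keygen -A first" >&2
    return 1
  fi
  # sshd refuses to load a private host key that other users can read
  chmod 600 "$sshdir"/ssh_host_*_key
  chmod 644 "$sshdir"/ssh_host_*_key.pub
}

# add_authorized_key AUTH_FILE "keytype base64 [comment]"
# Accept exactly one public-key line (a multi-line value could smuggle in a
# second entry), skip duplicates, and keep the file at mode 600 for StrictModes.
add_authorized_key() {
  file="$1"; key="$2"
  [ "$(printf '%s' "$key" | wc -l)" -eq 0 ] \
    || { echo "rejected: key must be a single line" >&2; return 1; }
  printf '%s\n' "$key" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$' \
    || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -qxF "$key" "$file" || printf '%s\n' "$key" >>"$file"
  chmod 600 "$file"
}

# password_auth_setting SSHD_CONFIG
# Print the first PasswordAuthentication value (sshd honours the first match),
# or "unset" when the file relies on the compiled-in default, which is yes.
password_auth_setting() {
  awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "$1"
}
```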