serversideup/docker-ssh

Sponsored OSS

By Server Side Up

•Updated 3 days ago

Simple SSH container. Great for secure connections into clusters.

Image
1

50K+

serversideup/docker-ssh repository overview

Docker Images Logo

Build Status License Support us Discourse users Discord

⁠Introduction

serversideup/docker-ssh is a hardened SSH server container based on Debian. It works great if you need to create a secure tunnel into your cluster.

⁠Features

  • 🐧 Debian-based - Get a lightweight experience, while still having Bash
  • šŸ“‚ rsync included - Easily back up or sync data from your Docker volumes over SSH
  • šŸ¤ Key-based auth via ENV - Grant access with the AUTHORIZED_KEYS environment variable
  • ā›”ļø Block IPs via ENV - Block access with the ALLOWED_IPS environment variable
  • šŸ”’ Unprivileged user - All SSH connections are made as an unprivileged user
  • šŸ”‘ Set your own PUID and PGID - Have the PUID and PGID match your host user
  • šŸ” Hardened SSH - Prevent bot attacks and ensure quality security
  • šŸ“¦ DockerHub and GitHub Container Registry - Choose where you'd like to pull your image from
  • šŸ¤– Multi-architecture - Every image ships with x86_64 and arm64 architectures

⁠Usage

This is a list of the docker images this repository creates:

ImageImage SizeDescription
serversideup/docker-sshDockerHub serversideup/docker-sshA hardened SSH server based on Debian Bookworm.

⁠Usage instructions

All variables are documented here:

šŸ”€ Variable NamešŸ“š Description#ļøāƒ£ Default Value
ALLOWED_IPSContent of allowed IP addresses (see below)AllowUsers tunnel (allow the tunnel user from any IP)
AUTHORIZED_KEYS🚨 Required to be set by you. Content of your authorized keys file (see below)
DEBUGDisplay a bunch of helpful content for debugging.false
PGIDGroup ID the SSH user should run as.9999
PUIDUser ID the SSH user should run as.9999
SSH_GROUPGroup name used for our SSH user.tunnelgroup
SSH_HOST_KEY_DIRLocation of where the SSH host keys should be stored./etc/ssh/ssh_host_keys/
SSH_PORTListening port for SSH server (on container only. You'll still need to publish this port).2222
SSH_USERUsername for the SSH user that other users will connect into as.tunnel
⁠1. Set your AUTHORIZED_KEYS environment variable or provide a /authorized_keys file

You can provide multiple keys by loading the contents of a file into an environment variable.

AUTHORIZED_KEYS="$(cat .ssh/my_many_ssh_public_keys_in_one_file.txt)"

Or you can provide the authorized_keys file via a volume. Ensure the volume references matches the path of /authorized_keys. The image will automatically take the file from /authorized_keys and configure it for use with your selected user.

ā„¹ļø NOTE: If both a file and variable are provided, the image will respect the value of the variable over the file.

⁠2. Set your ALLOWED_IPS environment variable

Set this in the same context of AllowUsers⁠This example shows a few scenarios you can do:

ALLOWED_IPS="AllowUsers *@192.168.1.0/24 *@172.16.0.1 *@10.0.*.1"
⁠3. Forward your external port to 2222 on the container

You can see I'm forwarding 12345 to 2222.

docker run --rm --name=ssh --network=web -p 12345:2222 localhost/ssh

This means I would connect with:

ssh -p 12345 [email protected]

⁠Working example with MariaDB + SSH + Docker Swarm

Here's a perfect example how you can use it with MariaDB. This allows you to use Sequel Pro or TablePlus to connect securely into your database server 🄳

⁠Example using ALLOWED_IPS variable:
services:
  mariadb:
    image: mariadb:10.11
    networks:
      - database
    environment:
        MARIADB_ROOT_PASSWORD: "myrootpassword"
  ssh:
    image: serversideup/docker-ssh
    ports:
      - target: 2222
        published: 2222
        mode: host
    # Set the Authorized Keys of who can connect
    environment:
      AUTHORIZED_KEYS: >
        "# Start Keys
         ssh-ed25519 1234567890abcdefghijklmnoqrstuvwxyz user-a
         ssh-ed25519 abcdefghijklmnoqrstuvwxyz1234567890 user-b
         # End Keys"
      # Lock down the access to certain IP addresses
      ALLOWED_IPS: "AllowUsers [email protected]"
    networks:
        - database

networks:
  database:
⁠Example using $SSH_USER_HOME/.ssh/authorized_keys file:
services:
  mariadb:
    image: mariadb:10.11
    networks:
      - database
    environment:
        MARIADB_ROOT_PASSWORD: "myrootpassword"

  ssh:
    image: serversideup/docker-ssh
    ports:
      - target: 2222
        published: 2222
        mode: host
    # Set the Authorized Keys of who can connect
    environment:
      # Lock down the access to certain IP addresses
      ALLOWED_IPS: "AllowUsers [email protected]"
    configs:
      - source: ssh_authorized_keys
        # Mount the file to "/authorized_keys". The image will handle everything else
        target: /authorized_keys
        mode: 0600
    networks:
        - database

# Define the config to be used
configs:
  ssh_authorized_keys:
    file: ./authorized_keys

networks:
  database:

⁠Working example: Backing up a Docker volume with rsync

Because rsync is included in the image, you can mount any Docker volume into the SSH container and pull the data down to your local machine (or push it back up) over a secure SSH tunnel.

⁠1. Mount the volume you want to back up

Attach the volume to a path the SSH user can read. In this example we mount the app_data volume to /data inside the container as read-only:

services:
  ssh:
    image: serversideup/docker-ssh
    ports:
      - target: 2222
        published: 2222
        mode: host
    environment:
      AUTHORIZED_KEYS: >
        "ssh-ed25519 1234567890abcdefghijklmnoqrstuvwxyz user-a"
      ALLOWED_IPS: "AllowUsers [email protected]"
    volumes:
      - app_data:/data:ro

volumes:
  app_data:
    external: true
⁠2. Pull the data down with rsync

From your local machine, use rsync over SSH to copy the contents of the volume to a local directory:

rsync -avz -e "ssh -p 12345" [email protected]:/data/ ./app_data-backup/

ā„¹ļø NOTE: Drop the :ro flag on the volume mount if you also need to push data back into the volume.

⁠Resources

⁠Contributing

As an open-source project, we strive for transparency and collaboration in our development process. We greatly appreciate any contributions members of our community can provide. Whether you're fixing bugs, proposing features, improving documentation, or spreading awareness - your involvement strengthens the project. Please review our code of conduct⁠ to understand how we work together respectfully.

Need help getting started? Join our Discord community and we'll help you out!

⁠Our Sponsors

All of our software is free an open to the world. None of this can be brought to you without the financial backing of our sponsors.

Sponsors

⁠Black Level Sponsors

Sevalla

⁠Bronze Sponsors
No bronze sponsors yet. Become a sponsor →⁠
⁠Individual Supporters
aagjalpankajĀ Ā 

⁠About Us

We're Dan⁠ and Jay⁠ - a two person team with a passion for open source products. We created Server Side Up⁠ to help share what we learn.

Dan Pastori
Jay Rogers


⁠Find us at:

⁠Our products

If you appreciate this project, be sure to check out our other projects.

ā šŸ“š Books
ā šŸ› ļø Software-as-a-Service
  • Bugflow⁠: Get visual bug reports directly in GitHub, GitLab, and more.
  • SelfHost Pro⁠: Connect Stripe or Lemonsqueezy to a private docker registry for self-hosted apps.
ā šŸŒ Open Source

Tag summary

Content type

Image

Digest

sha256:588e37f76…

Size

48.1 MB

Last updated

3 days ago

docker pull serversideup/docker-ssh

This week's pulls

Pulls:

932

Last week