What is KeyBox?
KeyBox is an open-source web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users.
More information on sshkeybox.com or GitHub.
Following Variables are new in 2.85.03:
Following Variables were removed in 2.85:
Following Variables are new in 2.85:
How to use this image
$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 adito/keybox
You can replace
/my/own/datadir with your preferred path on your host.
Now you can access keybox at
The default user is
admin and the default password is
All possible environment variables with their default values are listed below.
set to true to regenerate and import SSH keys
SSH key type 'dsa', 'rsa', or 'ecdsa' for generated keys
SSH key length for generated keys. 2048 => 'rsa','dsa'; 521 => 'ecdsa'
private ssh key, leave blank to generate key pair
public ssh key, leave blank to generate key pair
default passphrase, leave blank for key without passphrase
keep audit logs for in days
The number of seconds that the client will wait before sending a null packet to the server to keep the connection alive
default timeout in minutes for websocket connection (no timeout for <=0)
enable SSH agent forwarding
enable two-factor authentication with a one-time password - 'required', 'optional', or 'disabled'
set to false to disable key management. If false, the KeyBox public key will be appended to the authorized_keys file (instead of it being overwritten completely).
set to true to generate keys when added/managed by users and enforce strong passphrases set to false to allow users to set their own public key
authorized_keys refresh interval in minutes (no refresh for <=0)
Regular expression to enforce password policy
passwordComplexityMsg=Passwords must be 8 to 20 characters\, contain one digit\, one lowercase\, one uppercase\, and one special character
Password complexity error message
HTTP header to identify client IP Address - 'X-FORWARDED-FOR'
specify a external authentication module (ex: ldap-ol, ldap-ad). Edit the jaas.conf to set connection details
H2 DB and Connection Pool settings
Path to the H2 DB file. Leave Blank to use default location which is ../WEB-INF/classes/keydb
Max connections in the connection pool
When true, objects will be validated before being returned by the connection pool
The minimum number of objects allowed in the connection pool before spawning new ones
The maximum amount of time (in milliseconds) to block before throwing an exception when the connection pool is exhausted
deprecated Environment Variables (<2.85)
set an audit log server using log4j (ex: logstash). Edit the log4j.xml to configure appender.
enable two-factor authentication
$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 -e oneTimePassword=disabled -e sshKeyLength=4096 adito/keybox
In this example two-factor authentication is disabled and the SSH Key Length is extended to 4096 bits.
If you use docker-compose you can get a example "docker-compose.yml" in my GitHub Repository.
Supported Docker versions
This image is officially supported on Docker version 1.9.1.
Support for older versions (down to 1.6) is provided on a best-effort basis.
If you have any problems with or questions about this image, please contact us through a GitHub issue.