Highly customizable AutoSSH docker container
jnovack/autossh is a small lightweight (8.07MB) image that attempts to
provide a secure way to establish an SSH Tunnel without including your keys in
the image itself or linking to the host.
There's thousands of autossh docker containers, why use this one? I hope you
find it easier to use. It's smaller, more customizable, an automated build, so
it's easy to use, and I hope you learn something!
autossh is a program to start a copy of ssh and monitor it, restarting it as
necessary should it die or stop passing traffic.
Before we begin, I want to define some terms.
local - THIS docker container.
target - The endpoint and ultimate destination of the tunnel.
remote - The 'middle-man', or proxy server you are tunnelling through to
get to your target.
source - The initial endpoint you are starting from that does not have
access to the target endpoint, but does have access to the remote
The local machine is USUALLY the same as the target but since we are using
Docker, we have to abstract out the local container from the target
endpoint where we want autossh to land. Normally, this is where
autossh is usually run from.
Typically, the target can be on a Home LAN segment without a publicly
addressible IP address; whereas the remote machine has an address that is
reachable by both target and source. And source can only reach remote.
target ---> |firewall| >--- remote ---< |firewall| <--- source 10.1.1.101 [public.ip.addr] 192.168.1.101
The target (running autossh) connects up to the remote server and
keeps a tunnel alive so that source can proxy through remote and reach
resources on target. Think of it as "long distance port-forwarding".
To start, you will need to generate an SSH key on the Docker host. This will
ensure the key for the container is separate from your normal user key in the
event there is ever a need to revoke one or the other.
$ ssh-keygen -t rsa -b 4096 -C "autossh" Generating public/private rsa key pair. Enter file in which to save the key (/home/jnovack/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/jnovack/.ssh/id_rsa. Your public key has been saved in /home/jnovack/.ssh/id_rsa.pub. The key fingerprint is: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff jnovack@yourmom The key's randomart image is: +-----[ RSA 4096]-----+ | _.-'''''-._ | | .' _ _ '. | | / (_) (_) \ | | | , , | | | | \`. .`/ | | | \ '.`'""'"`.' / | | '. `'---'` .' | | '-._____.-' | +---------------------+
What would a docker container be without customization? I have an extensive
list of environment variables that can be set.
Mount the key you generated within the Setup step, or set
known_hosts file if you want to enable STRICT_KEY_CHECKING,
Specify the usename on the remote endpoint. (Default:
Specify the address (ip preferred) of the remote endpoint. (Default:
Specify the port number on the remote endpoint which will serve as the
tunnel entrance. (Default: random > 32768) If you do not want a new port
every time you restart jnovack/autossh you may wish to explicitly set
This option reverses if you set
SSH_MODE (see below). To bind a local
forward tunnel to all interfaces, use an asterisk then the port desigation
Specify the address (ip preferred) of the target.
Specify the port number on the target endpoint which will serve as the
tunnel exit, or destination service. Typically this is
ssh (port: 22),
however, you can tunnel other services such as redis (port: 6379),
elasticsearch (port: 9200) or good old http (port: 80) and https (port: 443).
In the event you wish to store the key in Docker Secrets, you may wish to
set this to
In the event you wish to store the
known_hosts in Docker Secrets, you may
wish to set this to
Defines how the tunnel will be set up:
-Ris default, remote forward mode
-Lmeans local forward mode
In the top example
ssh-to-docker-host, a tunnel will be made from the docker
container (aptly named
autossh-ssh-to-docker-host) to the host running the
ssh to fake internet address
203.0.113.10:2222 and you will be
172.17.0.1:22 (the host running the docker container).
In the lower example,
ssh-to-lan-endpoint, a tunnel will be made to a host
on the private LAN of the docker host.
sshing to fake internet address
203.0.113.10:22222 will traverse through the docker container through the
docker host, and onto the private lan where the connection will terminate
version: '2.1' services: ssh-to-docker-host: image: jnovack/autossh container_name: autossh-ssh-to-docker-host environment: - SSH_HOSTUSER=sshuser - SSH_HOSTNAME=203.0.113.10 - SSH_TUNNEL_REMOTE=2222 - SSH_TUNNEL_HOST=172.17.0.1 - SSH_TUNNEL_LOCAL=22 restart: always volumes: - /etc/autossh/id_rsa:/id_rsa dns: - 184.108.40.206 - 220.127.116.11 ssh-to-lan-endpoint: image: jnovack/autossh container_name: autossh-ssh-to-lan-endpoint environment: - SSH_HOSTUSER=sshuser - SSH_HOSTNAME=203.0.113.10 - SSH_TUNNEL_REMOTE=22222 - SSH_TUNNEL_HOST=18.104.22.168 - SSH_TUNNEL_LOCAL=22 restart: always volumes: - /etc/autossh/id_rsa:/id_rsa dns: - 22.214.171.124 - 126.96.36.199