This container image provides an SSH server such that remote clients can connect
through this server to other SSH servers. This is often necessary in high
security environments where firewalls, routing, and addressing prevent direct
access to the desired servers.
This image is not intended to be used directly. You should build upon it to
generate unique SSH host keys and add your SSH public keys to the
authorized_keys file. See the sample_usage directory for an example of how to
run this image:
cd sample_usage
cat ~/.ssh/id_rsa.pub >> authorized_keys
docker-compose up
Then connect to a server through the bastion:
ssh -A -o ProxyCommand='ssh -W %h:%p -p 2200 bastion@localhost' user@backendserver
In practice, localhost would be the hostname of a machine running this container, and
user@backendserver would be the user and hostname of the machine you want to connect to.
Updating SSH user config
To avoid typing the long-form ssh command above, you can set the ProxyCommand option
in your SSH client user config so that it is applied by default. It's even possible to
use wildcards in the Host pattern to use the bastion as a proxy for an entire domain.
Host foo
    HostName foo
    User me
    ProxyCommand ssh -W %h:%p -p 2200 bastion@docker
- Only support proxying to other SSH hosts.
- Only support SSH public key authentication.
- Lock down ssh daemon.
- No shell
- No TTY
- No password authentication
- Limit users
- Stricter rules
- Single user:
- Leverage Docker security features.
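
One way to check a running bastion against the goals listed above, as an added example that is not part of this image or its repository. It audits text in the format printed by `sshd -T`; the function names, the sample configs, and the mapping from each goal to an sshd option are assumptions, since this page does not show the image's sshd_config. "No shell" is not checked, because the page does not say how the image enforces it.

```sh
#!/bin/sh
# Added example: audit `sshd -T` style output against the bastion lock-down goals.
# Both sample configs below are constructed for illustration.
SAMPLE_GOOD='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permittty no
allowtcpforwarding local
allowusers bastion'

SAMPLE_BAD='passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permittty yes
allowtcpforwarding local
allowusers bastion alice'

# check CONFIG KEY REGEX: the first value of KEY must match REGEX exactly.
check() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    if printf '%s\n' "$val" | grep -Eqx "$3"; then return 0; fi
    echo "FAIL: $2 is '${val:-unset}', want $3"
    return 1
}

# audit_bastion CONFIG: print one FAIL line per violated goal; return 0 if none.
audit_bastion() {
    cfg=$1; fails=0
    # Public key authentication only. Keyboard-interactive can still prompt for
    # a password via PAM, so it must be off too (OpenSSH before 8.7 reports it
    # as challengeresponseauthentication).
    check "$cfg" passwordauthentication no          || fails=$((fails + 1))
    check "$cfg" kbdinteractiveauthentication no    || fails=$((fails + 1))
    check "$cfg" pubkeyauthentication yes           || fails=$((fails + 1))
    # No TTY.
    check "$cfg" permittty no                       || fails=$((fails + 1))
    # Proxying with `ssh -W` needs local TCP forwarding to stay enabled.
    check "$cfg" allowtcpforwarding 'yes|all|local' || fails=$((fails + 1))
    # Single user: exactly one name across all allowusers entries.
    users=$(printf '%s\n' "$cfg" |
        awk '$1 == "allowusers" { n += NF - 1 } END { print n + 0 }')
    if [ "$users" -ne 1 ]; then
        echo "FAIL: allowusers lists $users users, want 1"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}
# On a real host, run as root inside the container: audit_bastion "$(sshd -T)"
```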