{"id":23359826,"url":"https://github.com/firehed/docker-ssh-bastion","last_synced_at":"2026-02-18T13:02:00.702Z","repository":{"id":138434913,"uuid":"96636972","full_name":"Firehed/docker-ssh-bastion","owner":"Firehed","description":null,"archived":false,"fork":false,"pushed_at":"2018-12-08T17:44:26.000Z","size":5,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-23T08:53:04.045Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Firehed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-07-08T18:30:37.000Z","updated_at":"2020-07-28T00:13:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"231500e1-7a69-4da5-babc-8b9666c8c71d","html_url":"https://github.com/Firehed/docker-ssh-bastion","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Firehed/docker-ssh-bastion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firehed%2Fdocker-ssh-bastion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firehed%2Fdocker-ssh-bastion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firehed%2Fdocker-ssh-bastion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firehed%2Fdocker-ssh-bastion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Firehed","download_url":"https://codeloa
d.github.com/Firehed/docker-ssh-bastion/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firehed%2Fdocker-ssh-bastion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29580638,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T08:38:15.585Z","status":"ssl_error","status_checked_at":"2026-02-18T08:38:14.917Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-21T11:12:04.756Z","updated_at":"2026-02-18T13:02:00.667Z","avatar_url":"https://github.com/Firehed.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSHD\n\nThis is a docker image that does nothing but run sshd.\nIt was created for the purposes of having an SSH bastion in Kubernetes for a MySQL client, but can fulfill any purpose (but if you are using it for pod administration, there is probably something else wrong).\nAs such, this readme focuses primarily on usage within a K8S installation.\n\n## Configuration\n\n### `authorized_keys`\nThe image should start without any configuration, but it will not be very useful.\nAt the very least, you will want to add your SSH public key to `authorized_keys`.\nTo do so, mount a volume to `/root/.ssh` containing an `authorized_keys` file.\nIt is recommended to put your keys in a `ConfigMap` or `Secret` and mount that 
in the pod.\n\n### Host keys\nWhen the image starts, it will generate any missing host keys.\nThis allows you to get up and running with minimal setup.\nHowever, this means that any time the pod starts new keys will be generated, resulting in that scary message about keys changing.\nTo avoid this, you have three choices:\n\n1. _RECOMMENDED_: Generate host keys once and mount them into the image\n2. (not recommended) `UserKnownHostsFile /dev/null` in your `.ssh/config` or as a flag when connecting\n3. (really not recommended) Delete the relevant line from your `.ssh/known_hosts` any time this happens\n\nOption 1 is a bit more work, but a) still fairly easy and b) provides the best experience.\nTo do this, start by generating the host keys locally:\n\n    ssh-keygen -f ssh_host_ecdsa_key -N '' -t ecdsa\n    ssh-keygen -f ssh_host_ed25519_key -N '' -t ed25519\n    ssh-keygen -f ssh_host_rsa_key -N '' -t rsa\n\nThen create a `Secret` from them:\n\n    kubectl create secret generic ssh-host-keys --from-file=ssh_host_ecdsa_key --from-file=ssh_host_ed25519_key --from-file=ssh_host_rsa_key\n\nFinally, mount the secret as a volume in the pod to `/etc/ssh` (a complete example is below)\n\n### `StrictModes no`\nIn my experience, Kubernetes likes creating the files from the ConfigMaps and Secrets with wide-open permissions (on the symlink it uses to mount them, if not also the underlying file).\nSSHD, of course, does not like `0777` on files containing keys.\nThese two things directly conflict with each other, and as a result you won't be able to log in.\nAs a workaround, you can set a `STRICT_MODES` environment variable to `no`, and `StrictModes no` will be appended to the SSHD config file, preventing these checks.\n\n## A complete example\n\nThis will create a new Service with a public IP address (since it has a `LoadBalancer` type), pointing to a configured Deployment of this image. 
You should ensure that the Service you create is given a static IP.\n\n```yaml\napiVersion: v1\nkind: Service\nmetadata:\n  name: ssh-bastion\nspec:\n  ports:\n    - port: 22\n      name: ssh\n  selector:\n    app: ssh-bastion\n  type: LoadBalancer\n---\n# apps/v1beta1 is no longer served by current clusters; apps/v1 requires an explicit selector\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: ssh-bastion\nspec:\n  selector:\n    matchLabels:\n      app: ssh-bastion\n  template:\n    metadata:\n      labels:\n        app: ssh-bastion\n    spec:\n      containers:\n        - image: firehed/sshd\n          name: sshd\n          ports:\n            - containerPort: 22\n              name: ssh\n          env:\n            - name: STRICT_MODES\n              value: \"no\"\n          volumeMounts:\n            - mountPath: /root/.ssh\n              name: public-keys\n            - mountPath: /etc/ssh\n              name: host-keys\n      volumes:\n        - name: public-keys\n          configMap:\n            name: ssh-public-keys\n            defaultMode: 0400\n        - name: host-keys\n          secret:\n            secretName: ssh-host-keys\n            defaultMode: 0400\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ssh-public-keys\ndata:\n  authorized_keys: your public key (ssh-rsa 2IssTgUfjE0KKxu+kLBzxopZ6xs50zM1m8eoPsQ== keyname@example.com)\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: ssh-host-keys\ndata:\n  ssh_host_ecdsa_key: (base64-encoded key)\n  ssh_host_ed25519_key: (base64-encoded key)\n  ssh_host_rsa_key: (base64-encoded key)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirehed%2Fdocker-ssh-bastion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffirehed%2Fdocker-ssh-bastion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirehed%2Fdocker-ssh-bastion/lists"}