{"id":13588108,"url":"https://github.com/jnovack/autossh","last_synced_at":"2026-02-10T23:07:56.498Z","repository":{"id":38387822,"uuid":"84503619","full_name":"jnovack/autossh","owner":"jnovack","description":"Heavily customizable AutoSSH Docker container","archived":false,"fork":false,"pushed_at":"2025-05-17T00:58:45.000Z","size":305,"stargazers_count":187,"open_issues_count":11,"forks_count":84,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-17T01:34:15.176Z","etag":null,"topics":["autossh","docker","ssh"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/jnovack/autossh/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jnovack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":null,"patreon":"jnovack","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2017-03-10T00:59:34.000Z","updated_at":"2025-05-17T00:58:48.000Z","dependencies_parsed_at":"2023-01-25T17:00:36.843Z","dependency_job_id":null,"html_url":"https://github.com/jnovack/autossh","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/jnovack/autossh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jnovack%2Fautossh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jnovack%2Fautossh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jnovack%2Fautossh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jnovack%2Fautossh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jnovack","download_url":"https://codeload.github.com/jnovack/autossh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jnovack%2Fautossh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29321277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T20:44:44.282Z","status":"ssl_error","status_checked_at":"2026-02-10T20:44:43.393Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autossh","docker","ssh"],"created_at":"2024-08-01T15:06:30.815Z","updated_at":"2026-02-10T23:07:56.487Z","avatar_url":"https://github.com/jnovack.png","language":"Shell","funding_links":["https://patreon.com/jnovack"],"categories":["Shell"],"sub_categories":[],"readme":"# autossh\n\n[![Docker](https://badgen.net/badge/jnovack/autossh/blue?icon=docker)](https://hub.docker.com/r/jnovack/autossh)\n[![Github](https://badgen.net/badge/jnovack/autossh/purple?icon=github)](https://github.com/jnovack/autossh)\n\nHighly customizable AutoSSH docker container.\n\n## Overview\n\n**jnovack/autossh** is a small lightweight (~15MB) image that attempts to\nprovide a secure way to establish an SSH Tunnel without including your keys in\nthe image itself or linking to the host.\n\nThere are thousands of *autossh* docker containers, why use this one? I hope\nyou find it easier to use. It is smaller, more customizable, an automated\nbuild, easy to use, and I hope you learn something. I tried to follow standards\nand established conventions where I could to make it easier to understand and\ncopy and paste lines from this project to others to grow your knowledge!\n\n## Description\n\n``autossh`` is a program to start a copy of ssh and monitor it, restarting it\nas necessary should it die or stop passing traffic.\n\nBefore we begin, I want to define some terms.\n\n- *local* - THIS docker container.\n\n- *target* - The endpoint and ultimate destination of the tunnel.\n\n- *remote* - The 'middle-man', or proxy server you are tunnelling through to\nget to your *target*.\n\n- *source* - The initial endpoint you are starting from that does not have\naccess to the *target* endpoint, but does have access to the *remote*\nendpoint.\n\nThe *local* machine is USUALLY the same as the *target* but since we are using\nDocker, we have to abstract out the *local* container from the *target*\nendpoint where we want **autossh** to land. Normally, this is where\n**autossh** is usually run from.\n\nTypically, the *target* can be on a Home LAN segment without a publicly\naddressible IP address; whereas the *remote* machine has an address that is\nreachable by both *target* and *source*. And *source* can only reach *remote*.\n\n```text\ntarget ---\u003e |firewall| \u003e--- remote ---\u003c |firewall| \u003c--- source\n10.1.1.101               203.0.113.10            192.168.1.101\n```\n\nThe *target* (running **autossh**) connects up to the *remote* server and\nkeeps a tunnel alive so that *source* can proxy through *remote* and reach\nresources on *target*.  Think of it as \"long distance port-forwarding\".\n\n### Example\n\nYou are running `docker` on *target*, your home computer.  (Note: Linux Docker\nhosts automatically create a `docker0` interface with `172.17.0.1` so the\ncontainers can route to the host and out to other networks.  A container that\nstarts up could have the IP address `172.17.0.2`, for our example.)  You have a\nVirtual Private Server (VPS) on the Internet that is accessible to all.  This\n*local* docker container will make a connection to the *remote* VPS and tunnel\n*remote* port 2222 to *target* port 22.  Any connection to *remote* port 2222\nwill actually be to the *target* server on port 22. This is known as a \"reverse\ntunnel\".\n\n```text\n      TARGET_PORT                  REMOTE_PORT    TUNNEL_PORT\n target \u003c--------------- local ------------\u003e remote \u003c--------------- source\n 10.1.1.101           172.17.0.2          203.0.113.10        192.168.1.101\n```\n\n\u003e The LOCAL (172.17.0.2) device connects to the REMOTE (203.0.113.10)\n\u003e REMOTE_PORT (:22) to create the tunnel on REMOTE (203.0.113.10) TUNNEL_PORT\n\u003e (:11111).\n\u003e\n\u003e The SOURCE (192.168.1.101) connects to the REMOTE (203.0.113.10) TUNNEL_PORT\n\u003e (:11111) to get to the TARGET (10.1.1.101) TARGET_PORT (:22).\n\nBy default, SSH server applications (such as OpenSSH, Dropbear, etc), only\npermit connections to forwarded ports from the loopback interface\n(`127.0.0.1`).\n\nThis means, you must be authenticated and connected the *remote* and use it as\na \"jump point\" (for a lack of a better term) before proceeding to connect to\nthe tunnel.\n\nIn the example above, from the *source*, you first have to open an SSH\nconnection to the *remote* (`203.0.113.10`), then you can continue to connect\nto the *target* (`10.1.1.101`) by connecting to `127.0.0.1:TUNNEL_PORT`.\nIt is a two-step process.\n\nTo make this a one-step process (connecting from *source* to *target* via\n*remote*), you must make some security changes on the *remote* (not-advised).\nPlease see the [SSH_BIND_IP](#SSH_BIND_IP) section below.\n\n#### Disclaimer\n\nBy tunneling *remote* port 2222 to *target* port 22, you may be exposing\na home server (and by extension, your home network) to the Internet at large,\ncommonly known as \"a bad thing(TM)\".  Be sure to use appropriately use firewalls,\n`fail2ban` scripts, non-root access, key-based authentication only, and other\nsecurity measures as necessary.\n\n## Setup\n\nTo start, you will need to generate an SSH key on the Docker host. This will\nensure the key for the container is separate from your normal user key in the\nevent there is ever a need to revoke one or the other.\n\n```text\n$ ssh-keygen -t rsa -b 4096 -C \"autossh\" -f autossh_id_rsa\nGenerating public/private rsa key pair.\nEnter file in which to save the key (/home/jnovack/autossh_id_rsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in /home/jnovack/autossh_id_rsa.\nYour public key has been saved in /home/jnovack/autossh_id_rsa.pub.\nThe key fingerprint is:\n00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff autossh\nThe key's randomart image is:\n+-----[ RSA 4096]-----+\n|     _.-'''''-._     |\n|   .'  _     _  '.   |\n|  /   (_)   (_)   \\  |\n| |  ,           ,  | |\n| |  \\`.       .`/  | |\n|  \\  '.`'\"\"'\"`.'  /  |\n|   '.  `'---'`  .'   |\n|     '-._____.-'     |\n+---------------------+\n```\n\n## Command-line Options\n\nWhat would a docker container be without customization? I have an extensive\nlist of environment variables that can be set.\n\n### Environment Variables\n\nAll the envrionment variables are prefaced with `SSH_` NOT because you are\nrequired to tunnel SSH, but for ease of grouping.  The only SSH connection\nthat is required is from the LOCAL device to the REMOTE server.  However, if\nyou are interested in tunneling other protocols securely (e.g. mysql, redis,\nmongodb) across networks with certificates, you may wish to consider my other\nproject [ambassador](https://hub.docker.com/r/jnovack/ambassador/).\n\n#### SSH_REMOTE_USER\n\nSpecify the usename on the *remote* endpoint.  (Default: `root`)\n\n#### SSH_REMOTE_HOST\n\nSpecify the address (ip preferred) of the *remote* endpoint. (Default:\n`localhost`)\n\n#### SSH_REMOTE_PORT\n\nSpecify the `ssh` port the *remote* endpoint to connect. (Default: `22`)\n\n#### SSH_TUNNEL_PORT\n\nSpecify the port number on the *remote* endpoint which will serve as the\ntunnel entrance. (Default: random \u003e 32768)  If you do not want a new port\nevery time you restart **jnovack/autossh** you may wish to explicitly set\nthis.\n\nThis option reverses if you set `SSH_MODE` (see below).\n\n#### SSH_TARGET_HOST\n\nSpecify the address (ip preferred) of the *target*.\n\n#### SSH_TARGET_PORT\n\nSpecify the port number on the *target* endpoint which will serve as the\ntunnel exit, or destination service.  Typically this is `ssh` (port: 22),\nhowever, you can tunnel other services such as redis (port: 6379),\nelasticsearch (port: 9200) or good old http (port: 80) and https (port: 443).\n\nIf you are interested in tunneling other protocols securely (e.g. mysql,\nredis, mongodb) across networks via certificates you may wish to consider\nmy other project [ambassador](https://hub.docker.com/r/jnovack/ambassador/).\n\n#### SSH_STRICT_HOST_IP_CHECK\n\nSet to `false` if you want the IP addresses of hosts to **not** be checked if\nthe `known_hosts` file is provided.  This can help avoid issues for hosts with\ndynamic IP addresses, but removes some additional protection against DNS\nspoofing attacks.  Host IP Checking is enabled by default.\n\n#### SSH_KEY_FILE\n\nIn the event you wish to store the key in Docker Secrets, you may wish to\nset this to `/run/secrets/*secret-name*`\n\n#### SSH_KNOWN_HOSTS_FILE\n\nIn the event you wish to store the `known_hosts` in Docker Secrets, you may\nwish to set this to `/run/secrets/*secret-name*`\n\n#### SSH_MODE\n\nDefines how the tunnel will be set up:\n\n- `-R` is default, remote forward mode.\n- `-L` means local forward mode.\n\n#### SSH_BIND_IP\n\nYou can define which IP address the tunnel will use to bind on *remote*\n(SSH_MODE of `-R`) or *local* (SSH_MODE of `-L`). The default\nis `127.0.0.1` only.\n\n##### SSH_MODE of `-R` (default)\n\n\u003e [!WARNING]\n\u003e This process involves changing the security on the server\nand will expose your *target* to additional networks and potentially the\nInternet.  It is not recommended to do this procedure without taking\nadditional precautions.\n\nUse of this option will NOT have an effect unless you properly configure the\n`GatewayPorts` variable in your *remote* server's configuration file.  Please\nsee your SSH server documentation for proper set up.\n\n##### SSH_MODE of `-L`\n\nYou may want to set this to `0.0.0.0` in order to bind your `SSH_TUNNEL_PORT`\nto all interfaces on *local* side.\n\n#### SSH_SERVER_ALIVE_INTERVAL\n\nSets a timeout interval in seconds after which if no data has been\nreceived from the server, ssh(1) will send a message through the encrypted channel to\nrequest a response from the server.\n\n- `0` turns the option off.\n- `10` is default for this image.\n\nAdditional details are available from [`ssh_config(5)`](https://linux.die.net/man/5/ssh_config)\n\n#### SSH_SERVER_ALIVE_COUNT_MAX\n\nSets the threshold of alive messages after which the connection is terminated and reestablished.\n\n- `3` is the default for this image.\n- `SSH_SERVER_ALIVE_INTERVAL=0` makes this variable ineffective.\n\nAdditional details are available from [`ssh_config(5)`](https://linux.die.net/man/5/ssh_config)\n\n#### SSH_OPTIONS\n\nSets additional parameters to `ssh` connection. Supports more than one parameter.\n\nExamples:\n\n- SSH_OPTIONS=\"-o StreamLocalBindUnlink=yes\" for recreate socket if it exists\n- SSH_OPTIONS=\"-o StreamLocalBindUnlink=yes -o UseRoaming=no\" for multiple parameters\n\nAdditional details are available from [`ssh_config(5)`](https://linux.die.net/man/5/ssh_config)\n\n#### Additional Environment variables\n\n- [`autossh(1)`](https://linux.die.net/man/1/autossh)\n- [`ssh_config(5)`](https://linux.die.net/man/5/ssh_config)\n\n### Mounts\n\nMounts are optional, for simple usage.  It is far superior to use\n[environment variables](#Environment_Variables) which can be stored in\nconfiguration files and transported (and backed up!) easily.\n\n#### /id_rsa\n\nMount the key you generated within the **Setup** step, or set\n`SSH_KEY_FILE`.\n\n```sh\n-v /path/to/id_rsa:/id_rsa\n```\n\n#### /known_hosts\n\nMount the `known_hosts` file if you want to enable `StrictHostKeyChecking`,\nor set `SSH_KNOWN_HOSTS_FILE`.\n\n```sh\n-v /path/to/known_hosts:/known_hosts\n```\n\n## Samples\n\n### docker-compose.yml\n\nIn the top example `ssh-to-docker-host`, a tunnel will be made from the docker\ncontainer (aptly named `autossh-ssh-to-docker-host`) to the host running the\ndocker container.\n\nTo use, `ssh` to fake internet address `203.0.113.10:2222` and you will be\nforwarded to `172.17.0.2:22` (the host running the docker container).\n\nIn the second example, `ssh-to-lan-endpoint`, a tunnel will be made to a host\non the private LAN of the docker host.  `ssh`ing to fake internet address\n`203.0.113.10:22222` will traverse through the docker container through the\ndocker host, and onto the private lan where the connection will terminate\n`192.168.123.45:22`.\n\nFinally, in the third example, `ssh-local-forward-on-1234`, a local forward to\n`198.168.123.45:22` will be created on the container, mapped to port `1234`.\nThe tunnel will be created via `203.0.113.10:22222`.\n\n```yml\nversion: '3.7'\n\nservices:\n  ssh-to-docker-host:\n    image: jnovack/autossh\n    container_name: autossh-ssh-to-docker-host\n    environment:\n      - SSH_REMOTE_USER=sshuser\n      - SSH_REMOTE_HOST=203.0.113.10\n      - SSH_REMOTE_PORT=2222\n      - SSH_TARGET_HOST=172.17.0.2\n      - SSH_TARGET_PORT=22\n    restart: always\n    volumes:\n      - /etc/autossh/id_rsa:/id_rsa\n    dns:\n      - 8.8.8.8\n      - 1.1.1.1\n\n  ssh-to-lan-endpoint:\n    image: jnovack/autossh\n    container_name: autossh-ssh-to-lan-endpoint\n    environment:\n      - SSH_REMOTE_USER=sshuser\n      - SSH_REMOTE_HOST=203.0.113.10\n      - SSH_REMOTE_PORT=22222\n      - SSH_TARGET_HOST=198.168.123.45\n      - SSH_TARGET_PORT=22\n    restart: always\n    volumes:\n      - /etc/autossh/id_rsa:/id_rsa\n    dns:\n      - 8.8.8.8\n      - 4.2.2.4\n\n  ssh-local-forward-on-1234:\n    image: jnovack/autossh\n    container_name: autossh-ssh-local-forward\n    environment:\n      - SSH_REMOTE_USER=sshuser\n      - SSH_REMOTE_HOST=203.0.113.10\n      - SSH_REMOTE_PORT=22222\n      - SSH_BIND_IP=0.0.0.0\n      - SSH_TUNNEL_PORT=1234\n      - SSH_TARGET_HOST=198.168.123.45\n      - SSH_TARGET_PORT=22\n      - SSH_MODE=-L\n    restart: always\n    volumes:\n      - /etc/autossh/id_rsa:/id_rsa\n    dns:\n      - 8.8.8.8\n      - 4.2.2.4\n\n```\n\n## Multi-Arch Images\n\nThis image has the following architectures automatically built on Docker Hub.\n\n- `amd64`\n- `armv6` (e.g. Raspberry Pi Zero)\n- `armv7` (e.g. Raspberry Pi 2 through 4)\n- `arm64v8` (e.g. Amazon EC2 A1 Instances)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjnovack%2Fautossh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjnovack%2Fautossh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjnovack%2Fautossh/lists"}