{"id":18256973,"url":"https://github.com/mediacomem/docker-openssh-server","last_synced_at":"2026-04-16T04:32:03.736Z","repository":{"id":73832458,"uuid":"257960460","full_name":"MediaComem/docker-openssh-server","owner":"MediaComem","description":"Sandboxed environment allowing SSH access without giving keys to the entire server","archived":false,"fork":false,"pushed_at":"2020-04-29T14:20:36.000Z","size":31,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-08T22:32:34.203Z","etag":null,"topics":["docker","docker-compose","openssh","openssh-server","sandbox"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/mediacomem/openssh-server","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MediaComem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-22T16:38:54.000Z","updated_at":"2022-05-25T06:17:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"9d6436ae-bcc5-47c5-a2bc-0d1c49022fa3","html_url":"https://github.com/MediaComem/docker-openssh-server","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/MediaComem/docker-openssh-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MediaComem%2Fdocker-openssh-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MediaComem%2Fdocker-openssh-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MediaComem%2Fdocke
r-openssh-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MediaComem%2Fdocker-openssh-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MediaComem","download_url":"https://codeload.github.com/MediaComem/docker-openssh-server/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MediaComem%2Fdocker-openssh-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31871514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-compose","openssh","openssh-server","sandbox"],"created_at":"2024-11-05T10:24:22.098Z","updated_at":"2026-04-16T04:32:03.708Z","avatar_url":"https://github.com/MediaComem.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker OpenSSH Server\n\nRuns a sandboxed environment allowing SSH access without giving keys to the\nentire server. 
Users only have access to the folders mapped and the processes\nrunning inside this container.\n\n\u003e Inspired by https://hub.docker.com/r/linuxserver/openssh-server\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\n- [Usage](#usage)\n  - [With Docker](#with-docker)\n  - [With Docker Compose](#with-docker-compose)\n- [Configuration](#configuration)\n  - [Accessing data from the sandbox](#accessing-data-from-the-sandbox)\n  - [Persisting the OpenSSH server's host keys](#persisting-the-openssh-servers-host-keys)\n  - [Using a custom SSH `authorized_keys` file](#using-a-custom-ssh-authorized_keys-file)\n  - [Customizing the SSH daemon's configuration file](#customizing-the-ssh-daemons-configuration-file)\n  - [Customizing the Message Of The Day (MOTD)](#customizing-the-message-of-the-day-motd)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n\n\n## Usage\n\nThe [Configuration](#configuration) section describes the various environment\nvariables you can use to configure the OpenSSH server.\n\nPlease refer to the documentation of the [OpenSSH SSH daemon configuration\nfile](https://www.freebsd.org/cgi/man.cgi?sshd_config%285%29) for more\ninformation on options related to the SSH daemon's configuration.\n\n### With Docker\n\n```bash\n# Create a named volume to persist the server's host keys (optional).\ndocker volume create openssh_host_keys\n\n# Run the container (all flags are optional).\ndocker run \\\n  --name=openssh \\\n  --hostname=openssh \\\n  -e SSH_ALLOW_TCP_FORWARDING=yes \\\n  -e SSH_PERMIT_OPEN=db:5432 \\\n  -e SSH_PUBLIC_KEY=changeme \\\n  -e TZ=Europe/London \\\n  -e USER_NAME=openssh \\\n  -e USER_UID=2222 \\\n  -e USER_GID=2222 \\\n  -p 2222:2222 \\\n  -v openssh_host_keys:/etc/openssh/host_keys \\\n  -v /custom/authorized_keys:/home/openssh/.ssh/authorized_keys:ro \\\n  
--restart unless-stopped \\\n  mediacomem/openssh-server\n```\n\n### With Docker Compose\n\n```yml\n---\nversion: \"3.7\"\n\nservices:\n  openssh-server:\n    image: mediacomem/openssh-server\n    container_name: openssh\n    hostname: openssh\n    environment:\n      SSH_ALLOW_TCP_FORWARDING: yes\n      SSH_PERMIT_OPEN: db:5432\n      SSH_PUBLIC_KEY: changeme\n      TZ: Europe/London\n      USER_NAME: openssh\n      USER_UID: 2222\n      USER_GID: 2222\n    volumes:\n      # Persist the server's host keys into a named volume so they are not\n      # re-generated every time the container restarts (which would cause connection\n      # warnings).\n      - host_keys:/etc/openssh/host_keys\n      # Optionally mount a custom authorized_keys file into the container (it must be\n      # owned by the UID/GID specified with $USER_UID/$USER_GID, and have permissions\n      # 400 or 600).\n      - /custom/authorized_keys:/home/openssh/.ssh/authorized_keys:ro\n    ports:\n      - 2222:2222\n    restart: unless-stopped\n\nvolumes:\n  # Create a named volume to persist the server's host keys.\n  host_keys:\n```\n\n\n\n## Configuration\n\nThe OpenSSH server can be dynamically configured through environment variables.\nAll variables are optional.\n\nVariable                   | Default value                                              | Description\n:------------------------- | :--------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------\n`MOTD`                     | -                                                          | Optional one-line message of the day.\n`SSH_ALLOW_TCP_FORWARDING` | `no`                                                       | `AllowTcpForwarding` SSH daemon config option.\n`SSH_HOST_KEY_NAMES`       | `ssh_host_rsa_key,ssh_host_ecdsa_key,ssh_host_ed25519_key` | Comma-separated list of SSH host 
key files to read from the `/etc/openssh/host_keys` directory (configures a `HostKey` SSH daemon config option for each value).\n`SSH_PERMIT_OPEN`          | `none` (unless `$SSH_ALLOW_TCP_FORWARDING` is set)         | `PermitOpen` SSH daemon config option.\n`SSH_PUBLIC_KEY`           | -                                                          | Comma-separated list of SSH public keys to grant access to.\n`TZ`                       | -                                                          | Container timezone.\n`USER_NAME`                | `openssh`                                                  | Name of the user who can access the container.\n`USER_UID`                 | `2222`                                                     | UID of the user who can access the container.\n`USER_GID`                 | `2222`                                                     | GID of the group of the user who can access the container.\n\n### Accessing data from the sandbox\n\nYou may use the `--volume` command-line option or the `volumes` Docker Compose\noption to mount a host directory or a Docker volume that needs to be accessed in\nthe sandboxed environment. The container has access to nothing by default.\n\n### Persisting the OpenSSH server's host keys\n\nSSH host keys for the OpenSSH server will be found in the\n`/etc/openssh/host_keys` directory. The container will generate these keys on\nstartup with `ssh-keygen -A` by default.\n\nIt is recommended that you mount a Docker volume at this path so that the host\nkeys are persisted across container restarts. Otherwise the container will\nappear to change its identity after every restart, causing SSH connection\nwarnings on the client side.\n\nOptionally, you may generate host keys yourself and mount them at this path\n(either the key files themselves or the entire directory). 
The container will\nnot generate new keys if files are already present in the\n`/etc/openssh/host_keys` directory.\n\nIn that case, note the following caveats:\n\n* The key files must be owned by the user with the UID \u0026 GID specified through\n  the `$USER_UID` \u0026 `$USER_GID` environment variables (`2222` by default).\n* The key files must only be readable by their owner (i.e. permissions must be\n  `400` or `600`).\n* The `/etc/openssh/host_keys` directory must be traversable by the same user.\n* The key filenames must match those configured through the\n  `$SSH_HOST_KEY_NAMES` environment variable. The OpenSSH daemon's configuration\n  file will be updated to load these specific keys.\n\n### Using a custom SSH `authorized_keys` file\n\nThe OpenSSH server reads the file `/etc/openssh/authorized_keys` to know which\nSSH public keys should be granted access to. This file is populated on startup\nwith the comma-separated values in the `$SSH_PUBLIC_KEY` environment variable if\navailable.\n\nOptionally, you may mount this file from the host or from a Docker volume. You\nmay even mount it in read-only mode to prevent the user from modifying it.\n\nIn that case, note the following caveats:\n\n* The file must be owned by the user with the UID \u0026 GID specified through\n  the `$USER_UID` \u0026 `$USER_GID` environment variables (`2222` by default).\n* The file must only be readable by its owner (i.e. permissions must be `400` or\n  `600`).\n\n### Customizing the SSH daemon's configuration file\n\nThe SSH daemon configuration file is located at `/etc/openssh/sshd_config` and\ncannot be modified by the user who connects to the container over SSH (it is\nowned by `root` and the `openssh` user, with permissions `640`).\n\nIf you extend this project's `Dockerfile`, you may put a pre-configured version\nof this file at the correct path. 
However, note that it will be modified to fit\nthe configuration applied through environment variables.\n\n### Customizing the Message Of The Day (MOTD)\n\nTo quickly customize the MOTD shown to the user on connection, you may set the\n`$MOTD` environment variable. Two new lines will be added to the value for\nformatting.\n\nIf you extend this project's `Dockerfile`, you may also override the `/etc/motd`\nfile. In that case, no new lines will be added. You should add them to the file\nyourself.\n\nYou may also mount a custom version of the file using the `--volume`\ncommand-line option or the `volumes` Docker Compose option without having to\ncreate a custom `Dockerfile`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmediacomem%2Fdocker-openssh-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmediacomem%2Fdocker-openssh-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmediacomem%2Fdocker-openssh-server/lists"}