{"id":13558574,"url":"https://github.com/panubo/docker-sshd","last_synced_at":"2026-01-22T06:34:36.679Z","repository":{"id":34366218,"uuid":"38290826","full_name":"panubo/docker-sshd","owner":"panubo","description":"Minimal Alpine Linux Docker image with sshd exposed and rsync installed","archived":false,"fork":false,"pushed_at":"2024-07-09T00:46:19.000Z","size":95,"stargazers_count":460,"open_issues_count":5,"forks_count":216,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-04-03T13:39:08.323Z","etag":null,"topics":["docker-image","rsync","sftp","ssh","ssh-server","sshd"],"latest_commit_sha":null,"homepage":"https://quay.io/repository/panubo/sshd","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panubo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-06-30T06:01:48.000Z","updated_at":"2025-03-30T15:59:18.000Z","dependencies_parsed_at":"2024-01-11T05:10:49.461Z","dependency_job_id":"8307e03c-faca-4708-9bbc-fc97668e15d9","html_url":"https://github.com/panubo/docker-sshd","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/panubo/docker-sshd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-sshd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-sshd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-sshd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-sshd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panubo","download_url":"https://codeload.github.com/panubo/docker-sshd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panubo%2Fdocker-sshd/sbom","scorecard":{"id":719594,"data":{"date":"2025-08-11","repo":{"name":"github.com/panubo/docker-sshd","commit":"e28e7d1ad7e37e4363f9dd19bbdcb8d65498f903"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.9,"checks":[{"name":"Code-Review","score":1,"reason":"Found 3/28 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/build-push-sshd.yml:28","Warn: no topLevel permission defined: .github/workflows/github-release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-push-sshd.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/build-push-sshd.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/github-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/panubo/docker-sshd/github-release.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.20 to alpine:3.20@sha256:b3119ef930faabb6b7b976780c0c7a9c1aa24d0c75e9179ac10e6bc9ac080d0d","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   9 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-push-sshd.yml:31"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 8 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T10:53:35.695Z","repository_id":34366218,"created_at":"2025-08-22T10:53:35.695Z","updated_at":"2025-08-22T10:53:35.695Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28656960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker-image","rsync","sftp","ssh","ssh-server","sshd"],"created_at":"2024-08-01T12:05:02.341Z","updated_at":"2026-01-22T06:34:36.666Z","avatar_url":"https://github.com/panubo.png","language":"Shell","funding_links":[],"categories":["Shell","others"],"sub_categories":[],"readme":"# SSHD\n\nMinimal Alpine Linux Docker image with `sshd` exposed and `rsync` installed. The image is available on quay.io `quay.io/panubo/sshd` and AWS ECR Public `public.ecr.aws/panubo/sshd`.\n\n\u003c!-- BEGIN_TOP_PANUBO --\u003e\n\u003e [!IMPORTANT]\n\u003e **Maintained by Panubo** — Cloud Native \u0026 SRE Consultants in Sydney.\n\u003e [Work with us →](https://panubo.com.au)\n\u003c!-- END_TOP_PANUBO --\u003e\n\n## Environment Options\n\nConfigure the container with the following environment variables or optionally mount a custom sshd config at `/etc/ssh/sshd_config`:\n\n### General Options\n\n- `SSH_USERS` list of user accounts and uids/gids to create. eg `SSH_USERS=www:48:48,admin:1000:1000:/bin/bash`. The fourth argument for specifying the user shell is optional. If `SSH_GROUPS` is omitted, a group is created for each user with the same name as the user.\n- `SSH_GROUPS` list of groups and gids to create. eg `SSH_GROUPS=guests:1005,other:1006`. Specifying this option disables automatic group creation of user-named groups if you also specify `SSH_USERS`.\n- `SSH_ENABLE_ROOT` if \"true\" unlock the root account. N.B restricted modes to not apply to this account.\n- `SSH_ENABLE_PASSWORD_AUTH` if \"true\" enable password authentication (disabled by default) (excluding the root user)\n- `SSH_ENABLE_ROOT_PASSWORD_AUTH` if \"true\" enable password authentication for all users including root\n- `MOTD` change the login message\n\n### SSH Options\n\n- `GATEWAY_PORTS` if \"true\" sshd will allow gateway ports\n- `TCP_FORWARDING` if \"true\" sshd will allow TCP forwarding\n- `DISABLE_SFTP` if \"true\" sshd will not accept sftp connections. Note: This does not\nprevent file access unless you define a restricted shell for each user that prevents executing\nprograms that grant file access.\n\n### Restricted Modes\n\nThe following three restricted modes, SFTP only, SCP only and Rsync only are mutually exclusive. If no mode is defined,\nthen all connection types will be accepted. Only one mode can be enabled at a time:\n\n#### SFTP Only\n\n- `SFTP_MODE` if \"true\" sshd will only accept sftp connections\n- `SFTP_CHROOT` if in sftp only mode sftp will be chrooted to this directory. Default \"/data\"\n\n#### SCP Only\n\n- `SCP_MODE` if \"true\" sshd will only accept scp connections (uses rssh)\n\n#### Rsync Only\n\n- `RSYNC_MODE` if \"true\" sshd will only accept rsync connections (uses rssh)\n\n## SSH Host Keys\n\nSSH uses host keys to identify the server. To avoid receiving a security warning the host keys should be mounted on an external volume.\n\nBy default this image will create new host keys in `/etc/ssh/keys` which should be mounted on an external volume. If you are using existing keys and they are mounted in `/etc/ssh` this image will use the default host key location making this image compatible with existing setups.\n\nIf you wish to configure SSH entirely with environment variables it is suggested that you externally mount `/etc/ssh/keys` instead of `/etc/ssh`.\n\n## Authorized Keys\n\nMount your .ssh credentials (RSA public keys) at `/root/.ssh/` in order to\naccess the container via root and set `SSH_ENABLE_ROOT=true` or mount each user's key in\n`/etc/authorized_keys/\u003cusername\u003e` and set `SSH_USERS` environment config to create the user accounts.\n\nAuthorized keys must be either owned by root (uid/gid 0), or owned by the uid/gid that corresponds to the\nuid/gid and user specified in `SSH_USERS`.\n\n## SFTP mode\n\nWhen in sftp only mode (activated by setting `SFTP_MODE=true`) the container will only accept sftp connections. All sftp actions will be chrooted to the `SFTP_CHROOT` directory which defaults to \"/data\".\n\nPlease note that all components of the pathname in the ChrootDirectory directive must be root-owned directories that are not writable by any other user or group (see `man 5 sshd_config`).\n\n## SCP or Rsync modes\n\nWhen in scp or rsync only mode (activated by setting `SCP_MODE=true` or `RSYNC_MODE=true` respectively) the container will only accept scp or rsync connections. No chroot is provided.\n\nThis is provided by using [rssh](http://www.pizzashack.org/rssh/) restricted shell.\n\n## Custom Scripts\n\nExecutable shell scripts and binaries can be mounted or copied in to `/etc/entrypoint.d`. These will be run when the container is launched but before sshd is started. These can be used to customise the behaviour of the container.\n\n## Password authentication\n\n**Password authentication is not recommended** however using `SSH_ENABLE_PASSWORD_AUTH=true` you can enable password authentication. The image doesn't provide any way to set user passwords via config but you can use the custom scripts support to run a custom script to set user passwords.\nSetting `SSH_ENABLE_ROOT_PASSWORD_AUTH=true` also enables password authentification for the root account.\n\nFor example you could add the following script to `/etc/entrypoint.d/`\n\n**setpasswd.sh**\n\n```bash\n#!/usr/bin/env bash\n\nset -e\n\necho 'user1:$6$lAkdPbeeZR7YJiE3$ohWgU3LcSVit/hEZ2VOVKvxD.67.N9h5v4ML7.4X51ZK3kABbTPHkZUPzN9jxQQWXtkLctI0FJZR8CChIwz.S/' | chpasswd --encrypted\n\n# Or if you don't pre-hash the password remove the line above and uncomment the line below.\n# echo \"user1:user1password\" | chpasswd\n```\n\nIt is strongly recommend to pre-hash passwords. Passwords that are not hashed are a security risk, other users may be able to read the `setpasswd.sh` script and see all other users passwords and keeping plain text passwords is considered bad practice.\n\nTo generate a hashed password use `mkpasswd` which is available in this image or use [https://trnubo.github.io/passwd.html](https://trnubo.github.io/passwd.html) to generate a hash in your browser. Example use of `mkpasswd` below.\n\n```\n$ docker run --rm -it --entrypoint /usr/bin/env quay.io/panubo/sshd:1.9.0 mkpasswd\nPassword:\n$6$w0ZvF/gERVgv08DI$PTq73dIcZLfMK/Kxlw7rWDvVcYvnWJuOWtxC7sXAYZL69CnItCS.QM.nTUyMzaT0aYjDBdbCH1hDiwbQE8/BY1\n```\n\nTo start sshd with the `setpasswd.sh` script\n\n```\ndocker run -ti -p 2222:22 \\\n  -v $(pwd)/keys/:/etc/ssh/keys \\\n  -e SSH_USERS=user:1000:1000 \\\n  -e SSH_ENABLE_PASSWORD_AUTH=true \\\n  -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \\\n  quay.io/panubo/sshd:1.9.0\n```\n\nTo enable password authentication on the root account, the previous `setpasswd.sh` script must also define a password for the root user, then\nthe command will be:\n\n```\ndocker run -ti -p 2222:22 \\\n  -e SSH_ENABLE_ROOT_PASSWORD_AUTH=true \\\n  -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \\\n  quay.io/panubo/sshd:1.9.0\n```\n\n## Usage Example\n\nThe example below will run interactively and bind to port `2222`. `/data` will be\nbind mounted to the host. And the ssh host keys will be persisted in a `keys`\ndirectory.\n\nYou can access with `ssh root@localhost -p 2222` using your private key.\n\n```\ndocker run -ti -p 2222:22 \\\n  -v ${HOME}/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro \\\n  -v $(pwd)/keys/:/etc/ssh/keys \\\n  -v $(pwd)/data/:/data/ \\\n  -e SSH_ENABLE_ROOT=true \\\n  quay.io/panubo/sshd:1.9.0\n```\n\nCreate a `www` user with gid/uid 48. You can access with `ssh www@localhost -p 2222` using your private key.\n\n```\ndocker run -ti -p 2222:22 \\\n  -v ${HOME}/.ssh/id_rsa.pub:/etc/authorized_keys/www:ro \\\n  -v $(pwd)/keys/:/etc/ssh/keys \\\n  -v $(pwd)/data/:/data/ \\\n  -e SSH_USERS=\"www:48:48\" \\\n  quay.io/panubo/sshd:1.9.0\n```\n\n## Releases\n\nFor production usage, please use a versioned release rather than the floating 'latest' tag.\n\nSee the [releases](https://github.com/panubo/docker-sshd/releases) for tag usage\nand release notes.\n\n## Status\n\nProduction ready and stable.\n\n\u003c!-- BEGIN_BOTTOM_PANUBO --\u003e\n\u003e [!IMPORTANT]\n\u003e ## About Panubo\n\u003e\n\u003e This project is maintained by Panubo, a technology consultancy based in Sydney, Australia. We build reliable, scalable systems and help teams master the cloud-native ecosystem.\n\u003e\n\u003e We are available for hire to help with:\n\u003e\n\u003e * SRE \u0026 Operations: Improving system reliability and incident response.\n\u003e * Platform Engineering: Building internal developer platforms that scale.\n\u003e * Kubernetes: Cluster design, security auditing, and migrations.\n\u003e * DevOps: Streamlining CI/CD pipelines and developer experience.\n\u003e * [See our other services](https://panubo.com.au/services)\n\u003e\n\u003e Need a hand with your infrastructure? [Let’s have a chat](https://panubo.com.au/contact) or email us at team@panubo.com.\n\u003c!-- END_BOTTOM_PANUBO --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanubo%2Fdocker-sshd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanubo%2Fdocker-sshd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanubo%2Fdocker-sshd/lists"}