linuxserver / docker-openssh-server
License: GNU General Public License v3.0
I see the following warning/error in the container's log:
grep: unrecognized option: ---BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
BusyBox v1.36.1 (2023-07-06 12:28:44 UTC) multi-call binary.
Usage: grep [-HhnlLoqvsrRiwFE] [-m N] [-A|B|C N] { PATTERN | -e PATTERN... | -f FILE... } [FILE]...
Search for PATTERN in FILEs (or stdin)
-H Add 'filename:' prefix
-h Do not add 'filename:' prefix
-n Add 'line_no:' prefix
-l Show only names of files that match
-L Show only names of files that don't match
-c Show only count of matching lines
-o Show only the matching part of line
-q Quiet. Return 0 if PATTERN is found, 1 otherwise
-v Select non-matching lines
-s Suppress open and read errors
-r Recurse
-R Recurse and dereference symlinks
-i Ignore case
-w Match whole words only
-x Match whole lines only
-F PATTERN is a literal (not regexp)
-E PATTERN is an extended regexp
-m N Match up to N times per file
-A N Print N lines of trailing context
-B N Print N lines of leading context
-C N Same as '-A N -B N'
-e PTRN Pattern to match
-f FILE Read pattern from file
The container does work as expected later on, there is just this warning/error in logs.
There should not be any such error/warning in logs.
ssh-keygen -f test/.ssh/backup_rsa -N ""
docker run -d --name openssh -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e USER_NAME=user -e PUBLIC_KEY_DIR=/ssh -p 22:2222 -v "$(pwd)/test/.ssh:/ssh" linuxserver/openssh-server:9.3_p1-r3-ls121
docker logs openssh
- OS: Ubuntu 20.04
- How docker service was installed: `apt-get install docker.io`
x86-64
`docker run -d --name openssh -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e USER_NAME=user -e PUBLIC_KEY_DIR=/ssh -p 22:2222 -v "$(pwd)/test/.ssh:/ssh" linuxserver/openssh-server:9.3_p1-r3-ls121`
[migrations] started
[migrations] no migrations found
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
User name is set to user
sudo is enabled without password.
ssh-keygen: generating new host keys: RSA ECDSA ED25519
sshd is listening on port 2222
User/password ssh access is disabled.
grep: unrecognized option: ---BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Public key from file '/ssh/backup_rsa' added
Public key from file '/ssh/backup_rsa.pub' added
[custom-init] No custom files found, skipping...
[ls.io-init] done.
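The grep error in the log above comes from the private key `backup_rsa` sitting next to `backup_rsa.pub` in PUBLIC_KEY_DIR: its first line begins with `-----`, which BusyBox grep reads as an option, and the log then reports both files as "added". As an added example (not the container's own init script), the POSIX shell function below builds authorized_keys from such a directory while accepting only lines that look like OpenSSH public keys and passing the pattern with `-e`/`-F` after `--`, so a leading dash can never become a flag; the key blob and file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not the container's init script. Build authorized_keys from a
# directory that may contain more than public keys (the report above has
# backup_rsa next to backup_rsa.pub). Two defences against the grep error seen
# in the log: only accept lines that look like an OpenSSH public key, and pass
# the pattern with -e/-F after -- so a leading '-' is never read as an option.

# is_pubkey_line LINE: returns 0 if LINE starts with a known OpenSSH key type.
is_pubkey_line() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) return 0 ;;
        sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# add_pubkeys_from_dir DIR AUTHORIZED_KEYS
# Appends every public key found in DIR to AUTHORIZED_KEYS, skipping files that
# are not public keys (a private key, a README) and keys already present.
# Prints the number of keys added; diagnostics go to stderr.
add_pubkeys_from_dir() {
    dir="$1"; ak="$2"; added=0
    umask 077                      # a freshly created authorized_keys gets mode 0600
    : >> "$ak"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A public key is a single line; take the first non-blank line of the file.
        line=$(grep -m 1 -v '^[[:space:]]*$' -- "$f") || continue
        if ! is_pubkey_line "$line"; then
            echo "skipping '$f': not an OpenSSH public key" >&2
            continue
        fi
        # -F literal, -x whole line, -e pattern (safe even if it begins with '-'), -- end of options
        if grep -qxF -e "$line" -- "$ak"; then
            echo "key in '$f' already present" >&2
            continue
        fi
        printf '%s\n' "$line" >> "$ak"
        added=$((added + 1))
    done
    echo "$added"
}
```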
When using -e UMASK=0002, files transferred via sftp should have that umask applied.
umask for transferred files remains 0022
This can be fixed by changing the line
Subsystem sftp /usr/lib/ssh/sftp-server
to
Subsystem sftp /usr/lib/ssh/sftp-server -u
https://serverfault.com/questions/70876/how-to-put-desired-umask-with-sftp
OS: unRaid 6.8.3
CPU architecture: x86_64
How docker service was installed: unRaid
Is it possible to log in as root from an SSH client into this container?
Thanks.
If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.
specified PUBLIC_KEY_FILE
should be added to /config/.ssh/authorized_keys
in the container
it won't be added since the file only exists in the host machine, or did I miss something?
docker create --name=openssh-server -e PUBLIC_KEY_FILE=path/to/host/pub/key linuxserver/openssh-server && docker start openssh-server
docker exec openssh-server cat /config/.ssh/authorized_keys
OS: OSX
CPU architecture: x86_64
How docker service was installed: Docker Desktop on Mac
as above
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to linuxserver.io
Sudo is disabled.
User/password ssh access is disabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Umask is not set after passing the UMASK environmental variable to the container. I believe that this happens because we currently have this section in /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
But the sed command used is this:
```bash
# set umask for sftp
UMASK=${UMASK:-022}
sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
```
Umask to be properly set.
-e UMASK=007
.linuxserver.io
.umask
command.
- OS: Red Hat Enterprise Linux release 8.8 (Ootpa)
- How docker service was installed: From repository.
x86-64
podman run --rm -e UMASK=007 -e PASSWORD_ACCESS=true -e USER_PASSWORD=test123 -d --name openssh-server -p 2222:2222 openssh-server:latest
[migrations] started
[migrations] no migrations found
usermod: no changes
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 911
───────────────────────────────────────
User name is set to linuxserver.io
sudo is disabled.
ssh-keygen: generating new host keys: RSA ECDSA ED25519
sshd is listening on port 2222
User/password ssh access is enabled.
[custom-init] No custom files found, skipping...
[ls.io-init] done.
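Both UMASK reports above come down to the same mismatch: the init script's sed only rewrites a `/usr/lib/ssh/sftp-server` Subsystem line, while the shipped sshd_config uses `internal-sftp`, which accepts the same `-u` option. As an added example, not the project's script, the POSIX shell functions below handle either form, validate the umask value, and can be re-run with a new value without stacking `-u` options; the sshd_config content in the test is constructed.

```shell
#!/bin/sh
# Added example, not the container's init script: put `-u UMASK` on the sftp
# Subsystem line whether it names the external sftp-server binary or
# internal-sftp (both accept -u). Requires GNU sed (-E, -i).

# set_sftp_umask CONFIG UMASK: edits CONFIG in place. Idempotent: an existing
# -u value is replaced, and other options on the line are preserved.
set_sftp_umask() {
    cfg="$1"; umask_val="$2"
    # Accept only three or four octal digits; anything else would end up in sshd_config verbatim.
    case "$umask_val" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid umask: '$umask_val'" >&2; return 1 ;;
    esac
    sed -E -i \
        -e '/^Subsystem[[:space:]]+sftp[[:space:]]+/ s/[[:space:]]+-u[[:space:]]+[0-7]+//' \
        -e 's#^(Subsystem[[:space:]]+sftp[[:space:]]+(internal-sftp|/usr/lib/ssh/sftp-server))([[:space:]]+.*)?$#\1 -u '"$umask_val"'\3#' \
        "$cfg"
}

# sftp_umask_of CONFIG: prints the umask currently set on the sftp subsystem, or nothing.
sftp_umask_of() {
    sed -nE 's/^Subsystem[[:space:]]+sftp[[:space:]]+.*-u[[:space:]]+([0-7]+).*$/\1/p' "$1"
}
```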
To be able to connect with a user/password pair even if we know it is not the best way to do it.
We run the container with the minimum of options and we add a user directly into it with a unix command.
docker run -d \
--name=openssh-server \
--hostname=openssh-server \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/London -e SUDO_ACCESS=false \
-e PASSWORD_ACCESS=true \
-e USER_PASSWORD=password \
-e USER_NAME=linuxserver.io \
-p 2222:2222 \
--restart unless-stopped \
ghcr.io/linuxserver/openssh-server
docker exec -it openssh-server useradd -m johndoe -pchangeit
ssh -p 2222 johdnoe@localhost
johndoe@localhost's password:
Permission denied, please try again.
OS: CentOS 7
[root@centos-s-2vcpu-4gb-fra1-01 ~]# docker version
Client: Docker Engine - Community
Version: 19.03.14
API version: 1.40
Go version: go1.13.15
Git commit: 5eb3275d40
Built: Tue Dec 1 19:20:42 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.14
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 5eb3275d40
Built: Tue Dec 1 19:19:17 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.3.9
GitCommit: ea765aba0d05254012b0b9e595e995c09186427f
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
ssh works.
$ cat docker-compose.yaml
---
version: "2.1"
services:
openssh-server:
image: ghcr.io/linuxserver/openssh-server
hostname: openssh-server #optional
environment:
- HISTFILE=/root/.history_make_shell
- PASSWORD_ACCESS=false #optional
- PGID=1000
- PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
- PUBLIC_KEY_FILE=/path/to/file #optional
- PUBLIC_KEY=AAAAB3NzaC1yc2EAAAADAQABAAABgQC/xsm9kvCI00mYVGIpppF37IQlV361wMfEgDdgno+q8Pz11RpmaDcZ3stvQ6CFYpypbkBOiuEo2sW0kYPmaNR91V3C20woR0vwi9DwlkZuYCt/w6kW4wJG8XjCKYu7tQ/Lrzoa28wH+mBflZAmVJu/0ua7MhMFw1AqvQlgd+uwO0LOwWDGTrE5Odds3pBc8XYji9Xjww8tzTT13EwpSLxxrU/Ee5wPWk5bv2IRs6hYS9mympd8+ysiZnxRSs0j3hXRhrru0IocSa8pEtGfCCT0cGl5z77SIEs1wOgRhu9JigkIr/RLjcudpcXm4TmuCVkBCsxz2XZ5lQx2tAKdkboSaBriaw6Bl1V0Kl9YDSoAjx5wxMy4ORhjXJ6pdvSMHnvcWKP9wO+mE+Mscl/VnmOlErKwCIIhOBs/IbqgvcQdlZ3PbtzeJQQDnr+DRs4GN6AbWk1UZecKgLLnT8Yl+hrYtD9RAcrBvHKKpp7HO/B7b9YfOmiSm6fb3VfYGq5MfM8= #optional
- PUID=1000
- SUDO_ACCESS=false #optional
- TZ=Europe/London
- USER_NAME=root #optional
#- USER_PASSWORD_FILE=/path/to/file #optional
#- USER_PASSWORD=password #optional
volumes:
- /path/to/appdata/config:/config
- ~/.history_make_shell:/root/.history_make_shell
- $PWD/ssh_server/keys:/root/.ssh:ro
- /tmp/tmp.DJpiNS9kqv:/tmp
ports:
- 2222:2222
restart: unless-stopped
$ docker exec -it 0e804ca039c7 /bin/bash
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/id_rsa
Your public key has been saved in /tmp/id_rsa.pub
The key fingerprint is:
SHA256:lCLV4YJP3z+Q8RnBtvH4SLmiXbtT5I1JOnRFKOls8Qw
(docker-compose.yaml, PUBLIC_KEY env var.)
$ ssh -i /tmp/tmp.DJpiNS9kqv/id_rsa -p 2222 [email protected]
[email protected]: Permission denied (publickey,keyboard-interactive).
I want to use a long username with uppercase characters for the container and I get an error now.
useradd with --badnames option works fine.
I couldn't find where you create the user; if you help me, I can try to create a pull request.
set a UID and GID of 0 to a user and have access to files owned by 0
the server says the password is wrong
Permission denied (publickey,password,keyboard-interactive).
OS: Debian 10
CPU architecture: x86_64
How docker service was installed: official docker-ce repository for debian
docker-compose up -d
sftp:
image: linuxserver/openssh-server:latest
environment:
- PUID=0
- PGID=0
- TZ=Europe/London
- PASSWORD_ACCESS=true
- USER_PASSWORD=pass
- USER_NAME=notroot
volumes:
- './files:/files'
ports:
- "2222:2222"
restart: unless-stopped
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 0
User gid: 0
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to notroot
Sudo is disabled.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
After creating a new openssh-server container, I couldn't connect to the SSH server with neither the key nor password. The ssh client responded with an error: kex_exchange_identification: read: Connection reset by peer
Opening terminal for the container, I couldn't see sshd running and there was also no service listening on the port 2222. Checking the sshd log file, there were multiple errors for each individual host key file:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Finished by:
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
Indeed, by checking the permissions for host key files in /etc/ssh (or /config/ssh_host_keys), they've all been set to 0777.
By using chmod 0600 ssh_host* for changing the recommended permissions to 0600 (rw by owner) and restarting the container, everything worked as it should.
I don't know if the host keys are generated with those permissions outright, or if it's the combination of my environment (Synology NAS) where I run the container and PUID/PGID of the user I'm setting it to (strictly limited access user), but this was the result for me on the clean run from the latest image (sha256:098b5b04ceb2c43ced28a89ac27bfc073a5c806b96e07a64cbe744584994486e).
The container should start with the host keys permissions correctly set to 0600.
- OS: Synology NAS running DSM 7.2.1-69057
- How docker service was installed: DSM Package Center
x86-64
services:
openssh-server:
image: lscr.io/linuxserver/openssh-server:latest
container_name: borg_openssh-server
hostname: openssh-server #optional
environment:
- PUID=<user>
- PGID=<group>
- TZ=Europe/London
- PUBLIC_KEY=<key>
# - PUBLIC_KEY_FILE=/path/to/file #optional
# - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
# - PUBLIC_KEY_URL=https://github.com/username.keys #optional
- SUDO_ACCESS=true #optional
- PASSWORD_ACCESS=true #optional
- USER_PASSWORD=<password> #optional
# - USER_PASSWORD_FILE=/path/to/file #optional
- USER_NAME=<user> #optional
- LOG_STDOUT= #optional
volumes:
- <path>:/config
ports:
- <port>:2222
restart: unless-stopped
See above
it should accept the public key given under the variable
the private key is later refused, which means that the public key could not be set...
OS:
CPU architecture: pi4
How docker service was installed: hypriotOS
I want the SSH server to have host keys that do not change when it restarts. This is especially important since I'm running it in a swarm, so it can get moved to a different node any time, which changes the host keys. Hence, I mount SSH keys like so:
# docker-compose.yml
# ...
configs:
- source: hostkey
target: /config/ssh_host_keys/ssh_host_ecdsa_key
mode: 0600
uid: "1000"
gid: "1000"
- source: hostkeypub
target: /config/ssh_host_keys/ssh_host_ecdsa_key.pub
mode: 0644
uid: "1000"
gid: "1000"
- source: hostkey_ed25519
target: /config/ssh_host_keys/ssh_host_ed25519_key
mode: 0600
uid: "1000"
gid: "1000"
- source: hostkeypub_ed25519
target: /config/ssh_host_keys/ssh_host_ed25519_key.pub
mode: 0644
uid: "1000"
gid: "1000"
- source: hostkey_rsa
target: /config/ssh_host_keys/ssh_host_rsa_key
mode: 0600
uid: "1000"
gid: "1000"
- source: hostkeypub_rsa
target: /config/ssh_host_keys/ssh_host_rsa_key.pub
mode: 0644
uid: "1000"
gid: "1000"
Unfortunately, when I do this, the openssh server tells me sshd: no hostkeys available -- exiting.
Interestingly, when I omit either of the three key pairs, it works. Then, however, the third pair gets regenerated and causes hostkey checks to fail.
OS: Ubuntu
CPU architecture: x86_64
How docker service was installed: Official repo
docker swarm deploy
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to cdn
Sudo is disabled.
ssh-keygen: generating new host keys: DSA
User/password ssh access is disabled.
Public key from env variable added
chown: changing ownership of '/config/ssh_host_keys/ssh_host_rsa_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ed25519_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ecdsa_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ed25519_key': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_rsa_key': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ecdsa_key': Read-only file system
[cont-init.d] 50-config: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
It is possible to scp files into the openssh server.
This would allow for quickly spinning up a one-off "dropbox" that uses scp, to move large files over the internet.
scp is in the openssh-client package.
Trying to scp a file to the openssh server results in a bash: scp: command not found error
I think it is a good idea to add PASSWORD_ACCESS_SUDO_ALL=true to the config and use it like
```bash
if [ "$SUDO_ACCESS" == "true" ]; then
    if [ -n "$USER_PASSWORD" ] || [ -n "$USER_PASSWORD_FILE" -a -f "$USER_PASSWORD_FILE" ]; then
        if [ "$PASSWORD_ACCESS_SUDO_ALL" == "true" ]; then
            echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
            echo "Sudo is enabled without password."
        else
            echo "${USER_NAME} ALL=(ALL) ALL" >> /etc/sudoers
            echo "Sudo is enabled with password."
        fi
    else
        echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
        echo "Sudo is enabled without password."
    fi
else
    # non-sudo branch not shown in the proposal; message as printed in the container logs
    echo "Sudo is disabled."
fi
```
I can create a PR for it if it is approved.
You can have NOPASSWD: ALL only with keys
I want to use this container as a temporary bastion host on AWS. I want to deploy it on AWS ECS Fargate where it is not possible to map container ports.
Could you add an option (env variable) to override the default SSH port, so one can connect on a different port? e.g. SSH_PORT=2223
According to the README:
Setting SUDO_ACCESS to true by itself will allow passwordless sudo. USER_PASSWORD and USER_PASSWORD_FILE allow setting an optional sudo password.
I set USER_NAME=test, SUDO_ACCESS=true and USER_PASSWORD=test007. The expected behavior is "Sudo is enabled with password." in the docker logs and the actual /etc/sudoers:
test ALL=(ALL) ALL
"Sudo is enabled without password." in the docker logs and the actual /etc/sudoers config:
test ALL=(ALL) NOPASSWD: ALL
docker run -d --name openssh-server -p 2222:2222 -e USER_NAME=test -e USER_PASSWORD=test007 -e PASSWORD_ACCESS=true -e SUDO_ACCESS=true linuxserver/openssh-server:latest
docker logs openssh-server
docker exec -it openssh-server bash
tail -1 /etc/sudoers
sed -n 14,24p /etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
[[ -n "$USER_PASSWORD" ]] || [[ -n "$USER_PASSWORD_FILE" ]] && [[ -f "$USER_PASSWORD_FILE" ]]; echo $?
[[ -n "$USER_PASSWORD" || (-n "$USER_PASSWORD_FILE" && -f "$USER_PASSWORD_FILE") ]]; echo $?
OS: Archlinux
CPU architecture: x86_64
How docker service was installed: from archlinux official repo
docker run -d --name openssh-server -p 2222:2222 -e USER_NAME=test -e USER_PASSWORD=test007 -e PASSWORD_ACCESS=true -e SUDO_ACCESS=true linuxserver/openssh-server:latest
[custom-init] No custom services found, skipping...
[migrations] started
[migrations] no migrations found
usermod: no changes
GID/UID
-------------------------------------
User uid: 911
User gid: 911
-------------------------------------
User name is set to test
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
User/password ssh access is enabled.
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Related to #52. I will submit a pr in a while
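The two `echo $?` probes above show the cause: in `[[ a ]] || [[ b ]] && [[ c ]]` the shell evaluates `(a || b) && c`, so a set USER_PASSWORD with no USER_PASSWORD_FILE fails the trailing `-f` test and falls into the NOPASSWD branch. As an added example, not the project's init script, the functions below reproduce the buggy condition and the corrected grouping with POSIX `[ ]` tests (the `||`/`&&` precedence is the same as with bash's `[[ ]]`) and return the sudoers line each would write instead of touching /etc/sudoers; the user names and password values in the test are constructed.

```shell
#!/bin/sh
# Added example, not the container's init script. Both functions take
# USER_NAME USER_PASSWORD USER_PASSWORD_FILE as positional arguments and print
# the sudoers line the init script would append for that configuration.

# Buggy form, as in the quoted init script: `a || b && c` is parsed left to
# right as `(a || b) && c`, so the -f test is applied even when only
# USER_PASSWORD is set, and an empty USER_PASSWORD_FILE makes it fail.
sudo_line_buggy() {
    if [ -n "$2" ] || [ -n "$3" ] && [ -f "$3" ]; then
        printf '%s ALL=(ALL) ALL\n' "$1"
    else
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    fi
}

# Fixed form: group the file test with the file variable so that either a
# plain password or an existing password file selects the password-required line.
sudo_line_fixed() {
    if [ -n "$2" ] || { [ -n "$3" ] && [ -f "$3" ]; }; then
        printf '%s ALL=(ALL) ALL\n' "$1"
    else
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    fi
}

# sudoers_line USER_NAME SUDO_ACCESS USER_PASSWORD USER_PASSWORD_FILE
# Full decision as the README describes it: nothing when SUDO_ACCESS is not
# "true", otherwise the corrected rule above.
sudoers_line() {
    [ "$2" = "true" ] || return 0
    sudo_line_fixed "$1" "$3" "$4"
}
```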
/config/.ssh/authorized_keys file get created, but stays empty
See public keys from PUBLIC_KEY_DIR in /config/.ssh/authorized_keys
add path to PUBLIC_KEY_DIR, run docker compose up
- OS: debian 12.4
- How docker service was installed: official way from docker https://docs.docker.com/engine/install/debian/
root@kosh:/srv/docker/lgsm-vh# ls -la
total 16
drwxr-xr-x 3 root root 4096 Jan 4 20:26 .
drwxr-xr-x 8 root root 4096 Jan 3 19:07 ..
-rw-r--r-- 1 root root 653 Jan 4 20:24 compose.yml
drwxr-xr-x 2 root root 4096 Jan 4 19:53 public_keys
root@kosh:/srv/docker/lgsm-vh# ls -la *
-rw-r--r-- 1 root root 653 Jan 4 20:24 compose.yml
public_keys:
total 12
drwxr-xr-x 2 root root 4096 Jan 4 19:53 .
drwxr-xr-x 3 root root 4096 Jan 4 20:26 ..
-rw-r--r-- 1 root root 396 Jan 4 19:53 michael_plauze.pub
### CPU architecture
x86-64
### Docker creation
```yaml
version: "1.0"
volumes:
vh-data:
labels:
- "com.docker.compose.volume.user=username:username"
services:
vh-openssh:
image: linuxserver/openssh-server
restart: unless-stopped
volumes:
- vh-data:/config
environment:
- PUBLIC_KEY_DIR=/srv/docker/lgsm-vh/public_keys
- USER_NAME=username
- LOG_STDOUT=true
- TZ=Europe/Berlin
- PUID=1000
- PGID=1000
ports:
- 12345:2222
```
Attaching to lgsm-vh-vh-openssh-1
lgsm-vh-vh-openssh-1 | [migrations] started
lgsm-vh-vh-openssh-1 | [migrations] no migrations found
lgsm-vh-vh-openssh-1 | GID/UID
lgsm-vh-vh-openssh-1 | ───────────────────────────────────────
lgsm-vh-vh-openssh-1 |
lgsm-vh-vh-openssh-1 | User UID: 1000
lgsm-vh-vh-openssh-1 | User GID: 1000
lgsm-vh-vh-openssh-1 | ───────────────────────────────────────
lgsm-vh-vh-openssh-1 |
lgsm-vh-vh-openssh-1 | User name is set to username
lgsm-vh-vh-openssh-1 | sudo is disabled.
lgsm-vh-vh-openssh-1 | sshd is listening on port 2222
lgsm-vh-vh-openssh-1 | User/password ssh access is disabled.
lgsm-vh-vh-openssh-1 | [custom-init] No custom files found, skipping...
lgsm-vh-vh-openssh-1 | Server listening on 0.0.0.0 port 2222.
lgsm-vh-vh-openssh-1 | Server listening on :: port 2222.
lgsm-vh-vh-openssh-1 | [ls.io-init] done.
lgsm-vh-vh-openssh-1 | kex_exchange_identification: Connection closed by remote host
lgsm-vh-vh-openssh-1 | Connection closed by 127.0.0.1 port 54422
lgsm-vh-vh-openssh-1 | Connection closed by authenticating user linuxgsm 1.2.3.4 port 45734 [preauth]
lgsm-vh-vh-openssh-1 | Connection closed by authenticating user linuxgsm 1.2.3.4 port 38044 [preauth]
To have a way to set up environment variables for the remote SSH user.
As far as I can see, env variables which are set for the docker container are not available to the remote user connecting to the container via SSH. This is totally valid from a security perspective.
At the same time, I'd like to provide my SSH user with some environment preset. Specifically, some API keys for a software which the user is running inside the container being connected via SSH.
Feature request: Fail2ban or alternatives might be helpful in preventing brute-force attack attempts.
It would be nice to allow port forwarding in order to use the -R (reverse) option, for example in order to setup a reverse SSH tunnel through a dedicated and isolated docker container instead of through your main system.
Currently, commands like:
ssh -R 192.168.1.1:2223:localhost:22 -p 2222 [email protected]
(where the docker-openssh-server is running on 192.168.1.1)
return the following error:
Warning: remote port forwarding failed for listen port 2223
I have not found alternative options so far.
Option to disable (change?) user shell
I need some option to disable user login as I run an isolated container only to upload files from ShareX.
I tried this hint, but this script executes before the user is created in the container.
```bash
#!/usr/bin/with-contenv bash
echo Disable shell
chsh -s /bin/false user
```
$ docker compose logs ssh-server
openssh-server | [migrations] started
openssh-server | [migrations] no migrations found
openssh-server | Disable shell
openssh-server | chsh: user 'user' does not exist
openssh-server | usermod: no changes
openssh-server | GID/UID
openssh-server | ───────────────────────────────────────
openssh-server |
openssh-server | User UID: 911
openssh-server | User GID: 911
openssh-server | ───────────────────────────────────────
openssh-server |
openssh-server | User name is set to user
openssh-server | sudo is disabled.
openssh-server | sshd is listening on port 2222
openssh-server | User/password ssh access is enabled.
openssh-server | [custom-init] No custom files found, skipping...
openssh-server | [ls.io-init] done.
In the "Application Setup" section, there is incorrect formatting for the markdown inline code sections. An apostrophe (') is used instead of a backtick (`) around PUBLIC_KEY_DIR
(affected lines)
This error is visible in the GitHub repo and in the description of the container in container registries (e.g. Docker Hub).
See title
I currently use a self-made docker container based on ubuntu 20.04 and the google authenticator pam module for my ssh access.
This docker container would be a perfect replacement if it had support for google authenticator pam module for ssh and importing of the auth secret from a file or command line. Not sure if it could be done via a plugin.
Pam module github: https://github.com/google/google-authenticator-libpam
No additional auth prompts (MFA)
None tried as of now, suggestions welcome for 2FA/MFA alternatives that do not require a centralized server.
I use the openssh-server image with tag linuxserver/openssh-server@sha256:011f24c3b157113155db3c1b0e76ff2baf9b74fb5bb6541afdbb753ad35, which would be expected to work well,
but I found the following in the container logs and I am not sure whether it's a bug or whether I should ignore it. The point is around this:
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
the full log is:
Public key from file added
chown: changing ownership of '/config/ssh_host_keys/sshd_config': Read-only file system
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
error: Ignoring openssh because it is writable by group or others.
error: stat of /var/log/messages failed: No such file or directory
OS: official docker images
CPU architecture: x86_64
How docker service was installed: it's running in a kubernetes cluster with the containerd engine.
The deployment yaml is:
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2020-08-28T03:12:47Z"
generateName: ssh-tunnel-d67468d89-
labels:
app: openeuler-ssh-tunnel
component: ssh-tunnel
pod-template-hash: d67468d89
name: ssh-tunnel-d67468d89-7rmcg
namespace: ssh-tunnel
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: ssh-tunnel-d67468d89
uid: bf25022e-8f6d-11ea-852c-fa163ed7ba7e
resourceVersion: "79345303"
selfLink: /api/v1/namespaces/ssh-tunnel/pods/ssh-tunnel-d67468d89-7rmcg
uid: 5959168d-e8dc-11ea-852c-fa163ed7ba7e
spec:
containers:
- env:
- name: TZ
value: Asia/Shanghai
- name: SUDO_ACCESS
value: "true"
- name: USER_NAME
value: root
- name: PUBLIC_KEY_FILE
value: /var/sshd/public_keys
image: linuxserver/openssh-server
imagePullPolicy: IfNotPresent
name: sshd-server
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/sshd/public_keys
name: ssh-secrets
subPath: public_keys
- mountPath: /config/ssh_host_keys/sshd_config
name: ssh-config
subPath: sshd_config
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-p5hm2
readOnly: true
After upgrading from 8.8_p1-r1-ls84 to 8.8_p1-r1-ls85, the image started printing errors to the logs and the ssh server is not working properly.
Could be caused by linuxserver/docker-baseimage-alpine#93
ls84 log:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing...
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing...
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing...
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to user
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service 00-legacy: starting
s6-rc: info: service 00-legacy successfully started
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/01-envfile
cont-init: info: /etc/cont-init.d/01-envfile exited 0
cont-init: info: running /etc/cont-init.d/01-migrations
[migrations] started
[migrations] no migrations found
cont-init: info: /etc/cont-init.d/01-migrations exited 0
cont-init: info: running /etc/cont-init.d/02-tamper-check
cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
cont-init: info: running /etc/cont-init.d/10-adduser
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
cont-init: info: /etc/cont-init.d/10-adduser exited 0
cont-init: info: running /etc/cont-init.d/50-config
User name is set to user
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
User/password ssh access is enabled.
cont-init: info: /etc/cont-init.d/50-config exited 0
cont-init: info: running /etc/cont-init.d/90-custom-folders
cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
cont-init: info: running /etc/cont-init.d/99-custom-files
[custom-init] no custom files found exiting...
cont-init: info: /etc/cont-init.d/99-custom-files exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun openssh-server (no readiness notification)
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-rc: info: service legacy-services successfully started
s6-rc: info: service 99-ci-service-check: starting
[ls.io-init] done.
s6-rc: info: service 99-ci-service-check successfully started
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
It looks like the sshd.pam process became a zombie:
1 0.0 0.0 208 68 ? Ss 16:22 0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
root 15 0.0 0.0 212 60 ? S 16:22 0:00 s6-supervise s6-linux-init-shutdownd
root 17 0.0 0.0 204 4 ? Ss 16:22 0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
root 26 0.0 0.0 212 68 ? S 16:22 0:00 s6-supervise s6rc-oneshot-runner
root 27 0.0 0.0 212 64 ? S 16:22 0:00 s6-supervise s6rc-fdholder
root 34 0.0 0.0 188 4 ? Ss 16:22 0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i da
root 133 0.0 0.0 212 60 ? S 16:22 0:00 s6-supervise openssh-server/log
root 135 0.0 0.0 212 68 ? S 16:22 0:00 s6-supervise openssh-server
user 137 0.0 0.0 4564 3592 ? Ss 16:22 0:00 sshd.pam: /usr/sbin/sshd.pam -D -e -p 2222 [listener] 2 of 10-100 startups
user 149 0.0 0.0 4592 3840 ? Ss 16:23 0:00 sshd.pam: user [priv]
user 151 0.0 0.0 4524 2480 ? R 16:23 0:00 sshd.pam: user@pts/0
user 152 0.0 0.0 2592 2316 pts/0 Ss 16:23 0:00 -bash
user 2853 0.0 0.0 4584 3768 ? Ss 16:27 0:00 sshd.pam: user [priv]
user 2854 0.0 0.0 0 0 ? Z 16:27 0:00 [sshd.pam] <defunct>
user 2862 0.0 0.0 4584 3800 ? Ss 16:28 0:00 sshd.pam: user [priv]
user 2863 0.0 0.0 0 0 ? Z 16:28 0:00 [sshd.pam] <defunct>
docker run --rm --name testserver -p 2222:2222 --hostname testserver -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e PASSWORD_ACCESS=true -e USER_PASSWORD=password -e USER_NAME=user linuxserver/openssh-server:8.8_p1-r1-ls85
and see error in logs:
set -e; while true; do sshpass -p password ssh localhost -p 2222 -l user date; done
OS: Manjaro, Linux kernel 5.17.15-1
CPU architecture: x86_64
How docker service was installed: from distro repo
See above
It used to be possible to use an SSH server running in a container from this image as a proxy jump server, as in ssh -J <jump-host> target-host or using a ProxyJump directive in ~/.ssh/config.
That seems to be disabled now (getting 'channel 0: open failed: administratively prohibited'). Apparently, the default value for the PermitTunnel directive in /etc/ssh/sshd_config has changed from yes to no.
Starting a container using this image, I can run ssh -J <container host> <target host reachable from container> and ssh into the target host through the container. (Alternative: configure ProxyJump in ~/.ssh/config.)
When connecting as above, I get 'channel 0: open failed: administratively prohibited'
Start server:
[me@my-desk]$ docker run \
--rm \
-e USER_PASSWORD=a \
-e PASSWORD_ACCESS=true \
-p 2222:2222 \
ghcr.io/linuxserver/openssh-server
[me@my-desk]$ ssh -J linuxserver.io@localhost:2222 [email protected]
linuxserver.io@localhost's password:
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
I'm not sure: should this be enabled by default? Should this be another configuration option of this image? Or should users just modify their images or mount custom configs if they need this?
Personally, I do need this functionality.
I am trying to enable logging. As described, I have enabled logging in sshd_config:
SyslogFacility AUTH
LogLevel INFO
and try to follow the logfiles with:
sudo docker-compose logs --follow openssh
I expect the information when someone logs into the server to be shown on the console
No information after startup in logfiles
See above
OS: Ubuntu 20.04
CPU architecture: x86_64/arm32/arm64 I686
How docker service was installed: apt-get install docker-compose
Hi, can you add an option for "AllowTcpForwarding yes" with true or false?
thank you
I think it would be a great addition to (optionally) start this container ready to serve SSH with generated keys.
Useful in testing where keys and their lifetime doesn't really matter.
Maybe a new environment variable that, if set, generates ssh keys via keygen.sh and stores them by default in ~/.ssh/id_rsa?
I was trying to use this container to tunnel a localhost port to my server running this container:
docker run \
--name=openssh-server \
-e PUID=0 \
-e PGID=0 \
-e TZ=India/Kolkata \
-e SUDO_ACCESS=false \
-e PASSWORD_ACCESS=true \
-e USER_PASSWORD=thoiba \
-e USER_NAME=tunnel \
-p 2222:2222 \
-p 100:1500 \
--restart unless-stopped \
linuxserver/openssh-server
and on my local machine
ssh-keygen -f "/home/pi/.ssh/known_hosts" -R [<myserver>]:2222
ssh -f -N -T -R 1500:localhost:80 tunnel@<myserver> -p 2222
then I got the following
The authenticity of host '[<myserver>]:2222 ([<server_ip>]:2222)' can't be established.
ECDSA key fingerprint is SHA256:qcexTtyZlb1+hxUAgjPf5rgTDeeH5uFfs3WSLfHADSU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[free_node.logicbee.dev]:2222' (ECDSA) to the list of known hosts.
Warning: the ECDSA host key for '[<myserver>]:2222' differs from the key for the IP address '[<server_ip>]:2222'
Offending key for IP in /home/pi/.ssh/known_hosts:3
Are you sure you want to continue connecting (yes/no)? yes
tunnel@free_node.logicbee.dev's password:
Permission denied, please try again.
tunnel@free_node.logicbee.dev's password:
Permission denied, please try again.
tunnel@free_node.logicbee.dev's password:
Permission denied (publickey,password,keyboard-interactive).
please help me out
Possibility to have the server run as a non-root user within the container.
I need to run this in a k8s cluster and we have security policies that by default don't allow pods to run as root. Since this binds to a port that doesn't need to run as root anyway (2222), it should be possible to just run sshd without any permissions at all.
No response
If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.
I expect it makes me start an interactive SSH session with the specified username, after asking for a password.
It says:
Permission denied (publickey,keyboard-interactive)
docker start openssh-server
ssh -l andrea -p 2222 localhost
OS: MacOS
CPU architecture: x86_64
How docker service was installed:
brew cask install docker
docker create --name=openssh-server \
-e PUID=501 -e PGID=20 \
-e TZ=Europe/London \
-e USER_PASSWORD=andrea \
-e USER_NAME=andrea \
-p 2222:2222 \
--restart unless-stopped
openssh-server:
  image: linuxserver/openssh-server
  container_name: openssh-server
  hostname: openssh-server
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=Asia/Shanghai
    - SUDO_ACCESS=false
    - PASSWORD_ACCESS=true
    - USER_PASSWORD=test
    - USER_NAME=test
  volumes:
    - ./sshd/sshd_config:/etc/ssh/sshd_config:rw
I want to change the following in /etc/ssh/sshd_config to open the Forwarding settings:
#AllowAgentForwarding yes
AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding yes
#AllowTcpForwarding no
GatewayPorts yes
#GatewayPorts no
X11Forwarding yes
#X11Forwarding no
[cont-init.d] 50-config: executing...
User name is set to lds
Sudo is disabled.
sed: can't move '/etc/ssh/sshd_configkKOoLI' to '/etc/ssh/sshd_config': Resource busy
rm: cannot remove '/etc/ssh/sshd_config': Resource busy
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
sed: can't move '/etc/ssh/sshd_configoHFmgH' to '/etc/ssh/sshd_config': Resource busy
sed: can't move '/etc/ssh/sshd_configLOHJpF' to '/etc/ssh/sshd_config': Resource busy
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
Modifying sshd_config with a custom-cont-init.d script to set ChrootDirectory leads to a "Connection to *************** closed by remote host." error when trying to SSH/SFTP.
openssh log reads:
server lacks privileges to chroot to ChrootDirectory
I should be able to change the default directory I land on when SSHing/SFTPing.
sed -i 's|#ChrootDirectory none|ChrootDirectory [directory]|' /etc/ssh/sshd_config
- OS: Debian 12
- How docker service was installed: official process
x86-64
...
services:
openssh-server:
image: lscr.io/linuxserver/openssh-server:latest
container_name: openssh-server
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- SUDO_ACCESS=false #optional
- PASSWORD_ACCESS=true #optional
- USER_PASSWORD=[password] #optional
- USER_NAME=[user] #optional
volumes:
- ./configs/openssh/custom-cont-init.d:/custom-cont-init.d:ro
- [named volume]:[directory]
ports:
- 2222:2222
restart: always
User name is set to [user]
sudo is enabled with password.
ssh-keygen: generating new host keys: RSA ECDSA ED25519
sshd is listening on port 2222
User/password ssh access is enabled.
[custom-init] Files found, executing
[custom-init] update_sshd_config.sh: executing...
··· Modification de sshd_config ···
[custom-init] update_sshd_config.sh: exited 0
[ls.io-init] done.
sftp connection should work
sftp connection doesn't work
Connect via SFTP to the server
Also see created sshd_config:
Subsystem sftp /usr/lib/ssh/sftp-server
Fix:
Add "openssh-sftp-server" as Alpine Package
ACI container should start and run
ACI container fails on start with "s6-overlay-suexec: fatal: can only run as pid 1" message.
OS:
CPU architecture: x86_64/arm32/arm64
How docker service was installed:
Ability to set the user's home directory.
I'd like to use this Docker image to launch SSH microservices in our Docker Swarm and it would be nice if there was a way to set the user's home directory via e.g. an environment variable.
The home directory is preset to /config and cannot be changed via a dynamic configuration. (At least I could not figure it out.)
Tried setting HOME in a Docker YAML file but it has no effect. I also tried setting working_dir but it seems to have no effect either.
I would like to use this container for CI related to an SSH middleware.
However, it is difficult to use because the SSH fingerprint is not constant and changes every time the container is recreated.
We have to pass a unique SSH fingerprint to CI scripts.
I would like an option like SERVER_FINGERPRINT. This can pass the fingerprint key from the host. It is not changed after a container is recreated.
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -e SERVER_FINGERPRINT=path/to/key -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh user@127.0.0.2 -p 2222 -i ~/.ssh/id_ed25519 echo OK
OK
$ docker rm -f ssh
ssh
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -e SERVER_FINGERPRINT=path/to/key -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh user@127.0.0.2 -p 2222 -i ~/.ssh/id_ed25519 echo OK
OK
In fact, there is no such option, and when I recreate the container and try to connect to it, we get an error that the key fingerprint is different.
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh user@127.0.0.2 -p 2222 -i ~/.ssh/id_ed25519 echo OK
The authenticity of host '[127.0.0.2]:2222 ([127.0.0.2]:2222)' can't be established.
ECDSA key fingerprint is SHA256:(Key fingerprint)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.2]:2222' (ECDSA) to the list of known hosts.
OK
$ docker rm -f ssh
ssh
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh user@127.0.0.2 -p 2222 -i ~/.ssh/id_ed25519 echo OK
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:(Different finger print)
Please contact your system administrator.
Add correct host key in (home directory)/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in (home directory)/.ssh/known_hosts:(line #)
ECDSA host key for [127.0.0.2]:2222 has changed and you have requested strict checking.
Host key verification failed.
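What the CI script in this request needs is a pinned server fingerprint checked on the client side, which works with or without a new image option. The code below is an added example, not part of the linuxserver.io image: fingerprint() computes the same SHA256:<base64-without-padding> value that ssh-keygen -lf prints (SHA-256 over the decoded key blob), and verify_pinned() looks up the [host]:port entry in a known_hosts text and compares it with the pinned value, so a recreated container with a different host key fails the check instead of producing the interactive warning above. The ssh-ed25519 line used for the sample is constructed from arbitrary bytes and is not a usable key; hashed (HashKnownHosts) entries are skipped.

```python
"""Pin an sshd host-key fingerprint on the client side.

Added example, not part of the linuxserver.io image.  Produces the same
SHA256:<base64-without-padding> fingerprint that `ssh-keygen -lf` prints and
checks a known_hosts entry against a pinned value, so CI fails loudly when a
recreated container presents a different host key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one 'type base64 [comment]' public-key line."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    # The blob opens with its own type string; reject lines where it disagrees.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in text does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(known_hosts: str, host: str, port: int):
    """Return 'type base64' for host (ssh writes [host]:port when port != 22), else None."""
    wanted = host if port == 22 else f"[{host}]:{port}"
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and HashKnownHosts (|1|...) entries; the latter
        # need the HMAC computation and are out of scope here.
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        if wanted in parts[0].split(","):
            return f"{parts[1]} {parts[2]}"
    return None


def verify_pinned(known_hosts: str, host: str, port: int, pinned: str) -> bool:
    """True only if the known_hosts entry for host:port carries the pinned fingerprint."""
    entry = known_hosts_entry(known_hosts, host, port)
    return entry is not None and fingerprint(entry) == pinned


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 line built from
    32 arbitrary bytes.  Enough to fingerprint, not a usable key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data standing in for the server's persisted host key and
# the client's known_hosts file (host/port taken from the post above).
SAMPLE_LINE = make_ed25519_pubkey_line(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = f"[127.0.0.2]:2222 {SAMPLE_LINE}\n"


if __name__ == "__main__":
    # In CI the pinned value would come from `ssh-keygen -lf` run on the
    # public host key kept on the server's persistent volume (path assumed):
    # /config/ssh_host_keys/ssh_host_ed25519_key.pub
    pinned = fingerprint(SAMPLE_LINE)
    print(pinned, verify_pinned(SAMPLE_KNOWN_HOSTS, "127.0.0.2", 2222, pinned))
```

Keeping the fingerprint stable is the other half: the image keeps its host keys under /config/ssh_host_keys (the directory mounted in the pod spec earlier on this page), so a volume on /config survives container recreation and the pinned value stays valid.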
As stated in the documentation, I have run the command below:
mac@MacBook-Pro-de-mac ~/mgpuDocker/docker-openssh-server master docker build \
--no-cache \
--pull \
-t ghcr.io/linuxserver/openssh-server:latest .
The result is below:
[+] Building 0.6s (3/3) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.03kB 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 107B 0.0s
=> ERROR [internal] load metadata for ghcr.io/linuxserver/baseimage-alpine:3.13 0.4s
[internal] load metadata for ghcr.io/linuxserver/baseimage-alpine:3.13:
failed to solve with frontend dockerfile.v0: failed to create LLB definition: rpc error: code = Unknown desc = error getting credentials - err: exit status 1, out: No stored credential for ghcr.io
Everything is perfect, just needs a HEALTHCHECK in the dockerfile to report when the ssh server is up and running.
The container runs and State via docker inspect is "Running" before the SSH server actually initiates. This means there's no way to accurately tell when the container is truly ready to serve ssh connections.
Add a HEALTHCHECK in the docker file.
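A readiness probe that tells "container is Running" apart from "sshd is accepting connections" can check for the SSH identification string rather than only for an open port. The script below is an added example, not part of the linuxserver.io image: ssh_ready() connects, reads the first line and accepts only a server that identifies itself with SSH-2.0-; serve_banner_once() and unused_port() are constructed test fixtures so the check can be exercised offline. Port 2222 matches how the image is used throughout this page, and wiring it into a HEALTHCHECK line (and having python3 in the image) is assumed rather than something the image provides.

```python
"""Protocol-level readiness check for an sshd container.

Added example, not part of the linuxserver.io image.  An SSH server sends its
identification string ("SSH-2.0-...", RFC 4253 section 4.2) right after the
TCP handshake, so reading that first line tells 'sshd is serving' apart from
'the container process exists'.
"""
import socket
import sys
import threading


def ssh_ready(host: str, port: int, timeout: float = 2.0) -> bool:
    """True only if host:port answers with an SSH-2.0 identification string."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = b""
            # Identification lines are at most 255 bytes including CRLF.
            while b"\n" not in banner and len(banner) < 255:
                chunk = sock.recv(255 - len(banner))
                if not chunk:
                    break
                banner += chunk
            return banner.startswith(b"SSH-2.0-")
    except OSError:
        # Connection refused, reset, or timed out: sshd is not ready.
        return False


def serve_banner_once(banner: bytes) -> int:
    """Constructed test fixture: accept one connection on 127.0.0.1, send
    `banner`, close.  Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port() -> int:
    """Constructed test fixture: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Assumed HEALTHCHECK usage: python3 healthcheck.py [port]; exit 0 = healthy.
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 2222
    sys.exit(0 if ssh_ready("127.0.0.1", listen_port) else 1)
```

Checking the banner rather than a bare TCP connect matters because the port is bound by sshd itself, so a connect that succeeds already implies the listener exists; the banner additionally proves the process is past its host-key loading and ready to negotiate.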
I think it should not be possible for the ssh user to access and/or remove the openssh logs.
The user is able to access and remove the openssh logs.
rm -rf logs
% pwd
/srv/upload-ssh
% cat docker-compose.yml
---
version: "2.1"
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server
    container_name: openssh-server
    hostname: upload-ssh
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Vienna
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=true
      - USER_PASSWORD=[SNIP]
      - USER_NAME=upload
    volumes:
      - /srv/upload-ssh/config:/config
    ports:
      - 2222:2222
% sudo docker-compose up
I am trying to run the openssh-server as a sidecar in a kubernetes pod using the shareProcessNamespace feature of kubernetes to share pid namespace between 2 containers. On doing this, the openssh-server crashes with the below log line:
s6-overlay-suexec: fatal: can only run as pid 1
I would like to have the ability to run the openssh-server without requiring it to run as pid 1.
No response
NA
- OS:
- How docker service was installed:
x86-64
NA
s6-overlay-suexec: fatal: can only run as pid 1