### 30-Second Setup: Generate Key, Start Container, Connect

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

This sequence generates an SSH key, starts an OpenSSH server container with a persistent config volume, and then connects to it. Ensure the port mapping (2222:2222) matches your needs.

```bash
# 1. Generate SSH key (on your machine)
ssh-keygen -t ed25519 -f ~/.ssh/openssh-server -N ""

# 2. Start container
docker run -d \
  --name openssh-server \
  -p 2222:2222 \
  -v openssh-config:/config \
  -e PUBLIC_KEY="$(cat ~/.ssh/openssh-server.pub)" \
  lscr.io/linuxserver/openssh-server:latest

# 3. Connect
ssh -i ~/.ssh/openssh-server -p 2222 linuxserver.io@localhost
```

--------------------------------

### Example: Configuring Multiple Public Key Sources

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

This example demonstrates how to configure multiple public key sources using environment variables in a Docker run command. It includes an inline public key, a key from a file, and keys from a directory.

```bash
docker run \
  -e PUBLIC_KEY="ssh-ed25519 AAAA..." \
  -e PUBLIC_KEY_FILE=/run/secrets/key1 \
  -e PUBLIC_KEY_DIR=/run/secrets/keys \
  ...

# Results in: key1 + directory keys + inline key all added
```

--------------------------------

### Basic SSH Server Setup with Key-Based Authentication

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/README.md

This snippet demonstrates a basic Docker run command to start the OpenSSH server. It maps a host port to the container's SSH port and mounts a volume for configuration. The public key is provided directly via the PUBLIC_KEY environment variable.
```bash
docker run -d \
  -p 2222:2222 \
  -v openssh-config:/config \
  -e PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)" \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### SSH Daemon Configuration Examples

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Illustrates example configuration lines for sshd_config, showing how environment variables influence settings like port and authentication.

```plaintext
Port 2222  (from LISTEN_PORT)
PasswordAuthentication no  (from PASSWORD_ACCESS)
Subsystem sftp /usr/lib/ssh/sftp-server -u 022  (from UMASK)
PidFile /config/sshd.pid
#Include /config/sshd/sshd_config.d/*.conf
```

--------------------------------

### Start OpenSSH Server Container

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

Use `docker run` for a single container or `docker-compose up` for multi-container setups to start the OpenSSH server. Ensure ports and volumes are correctly mapped.

```bash
# Using docker run
docker run -d --name openssh-server -p 2222:2222 -v openssh-config:/config lscr.io/linuxserver/openssh-server:latest
```

```bash
# Using docker-compose
docker-compose up -d
```

--------------------------------

### Example User ID Output

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Example output from the 'id your_user' command, showing the uid and gid values.

```text
uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
```

--------------------------------

### Setup QEMU for Cross-Architecture Builds

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Initializes QEMU static binaries for building ARM variants on x86_64 hardware, or vice versa.
```bash
docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
```

--------------------------------

### Least Privilege Model Container Setup

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

Launches an OpenSSH server container with minimal permissions, adhering to the least privilege principle. This setup restricts user access to mounted volumes and prevents privilege escalation or host system access.

```bash
docker run -d \
  --name openssh-server \
  -p 2222:2222 \
  -v openssh-config:/config \
  -v /mnt/backups:/backups:ro \
  -e PUBLIC_KEY="..." \
  -e SUDO_ACCESS=false \
  -e PASSWORD_ACCESS=false \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Password-Protected Sudo Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Shows how to set up password-protected sudo access by providing both SUDO_ACCESS=true and a USER_PASSWORD. The sudoers file is configured for password-based sudo.

```bash
docker run -e SUDO_ACCESS=true \
  -e USER_PASSWORD=sudopass \
  ...

# In sudoers:
linuxserver.io ALL=(ALL) ALL

# Container behavior:
ssh linuxserver.io@localhost
linuxserver.io@container$ sudo apt-get update
[sudo] password for linuxserver.io:
# Password prompt, must enter password to execute
```

--------------------------------

### Custom Port and User Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

This example demonstrates how to configure a custom listening port, specify a username, and fetch public keys from a URL. It also mounts a local directory for backups.
```bash
docker run -d \
  --name openssh-server \
  -e LISTEN_PORT=2223 \
  -e USER_NAME=backup \
  -e PUBLIC_KEY_URL=https://github.com/myusername.keys \
  -p 2223:2223 \
  -v openssh-config:/config \
  -v /local/backups:/backups:ro \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Custom MOTD Content Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Mount a custom MOTD file into the container at `/etc/motd` to display custom messages on login.

```bash
# Mount custom MOTD
docker run -v /path/to/custom/motd:/etc/motd ...

# Example custom MOTD content
This is the BACKUP SERVER.
Unauthorized access is prohibited.
All access is logged and monitored.
Contact admin@example.com for access.
```

--------------------------------

### Passwordless Sudo Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Demonstrates how to configure passwordless sudo access by setting SUDO_ACCESS=true and not providing a USER_PASSWORD. The sudoers file is configured to allow NOPASSWD.

```bash
docker run -e SUDO_ACCESS=true \
  ...  # No USER_PASSWORD or USER_PASSWORD_FILE

# In sudoers:
linuxserver.io ALL=(ALL) NOPASSWD: ALL

# Container behavior:
ssh linuxserver.io@localhost
linuxserver.io@container$ sudo apt-get update
# No password prompt, command executed as root
```

--------------------------------

### No Sudo Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Illustrates the default behavior where sudo is not enabled (SUDO_ACCESS is false or not set). The user is not in the sudoers file, resulting in an error when attempting to use sudo.

```bash
docker run -e SUDO_ACCESS=false \
  ...  # Default

# In sudoers:
# (user entry removed/not added)

# Container behavior:
ssh linuxserver.io@localhost
linuxserver.io@container$ sudo apt-get update
sudo: linuxserver.io is not in the sudoers file.
```

--------------------------------

### SSH Client Usage Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Connect to a server using the configured alias defined in your SSH client configuration file. This command will automatically apply the settings specified for 'backup-server'.

```bash
ssh backup-server
# Uses the settings of the backup-server Host entry
```

--------------------------------

### Use Bind Mount for Manual Control

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Use bind mounts when you need full control over the host filesystem. This requires manual setup of the host directory.

```bash
docker run -v /path/to/config:/config ...
```

--------------------------------

### Restricted Backup User with Key from URL

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/README.md

This example sets up a restricted backup user. It maps ports, mounts a read-only volume for backups, and configures the user with a specific name. Authentication is handled by a public key fetched from a URL, and sudo privileges are explicitly disabled.

```bash
docker run -d \
  -p 2222:2222 \
  -v openssh-config:/config \
  -v /data:/backups:ro \
  -e USER_NAME=backup \
  -e PUBLIC_KEY_URL=https://github.com/backupuser.keys \
  -e SUDO_ACCESS=false \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Example of sshd_config Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

This snippet shows the relevant configuration line in sshd_config that is affected by the PASSWORD_ACCESS variable.
```text
PasswordAuthentication yes  # Allows /etc/shadow-based auth
```

--------------------------------

### Umask Explanation Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Illustrates how the UMASK variable modifies default file and directory permissions. Umask subtracts permission bits from the default 777.

```text
Umask specifies which permission bits to REMOVE from default
Default: 777 (all permissions)
Umask 022: Remove write for group and others
Result: 755 (rwxr-xr-x)
```

--------------------------------

### Troubleshoot 'Connection refused' Error

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Steps to resolve 'Connection refused' errors, including checking if the container is running, starting it, verifying port mappings, and testing the port.

```bash
# Is container running?
docker ps | grep openssh-server
```

```bash
# Start it
docker start openssh-server
```

```bash
# Check port mapping
docker port openssh-server
```

```bash
# Test port
nc -zv localhost 2222
```

--------------------------------

### Resolve Container Not Running Error

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

If the container is not running, check its status and start it if necessary.

```bash
docker ps -a | grep openssh-server

# If in list but not running:
docker start openssh-server
```

--------------------------------

### Basic Docker Compose Setup

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

A fundamental Docker Compose file to run the OpenSSH server. It configures basic settings like image, container name, user/group IDs, timezone, and port mapping.
```yaml
version: '3.9'

services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    hostname: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - openssh-config:/config
    ports:
      - "2222:2222"
    restart: unless-stopped

volumes:
  openssh-config:
```

--------------------------------

### Configure Docker Container Restart Policies

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

Examples of different restart policies for Docker containers. Choose the policy that best suits your application's availability needs.

```bash
# Always restart
--restart always
```

```bash
# Restart unless manually stopped
--restart unless-stopped
```

```bash
# Restart with maximum retry count
--restart on-failure:5
```

```bash
# No auto-restart (default)
--restart no
```

--------------------------------

### Full OpenSSH Server Docker Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

This comprehensive example showcases a fully configured OpenSSH server container, including hostname, PUID/PGID, timezone, custom port, user, public key sources (directory and URL), authentication methods, logging, volume mounts, and restart policy.
```bash
docker run -d \
  --name openssh-server \
  --hostname backup-ssh \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e LISTEN_PORT=2222 \
  -e USER_NAME=backup_admin \
  -e PUBLIC_KEY_DIR=/run/secrets/ssh_keys \
  -e PUBLIC_KEY_URL=https://github.com/myteam.keys \
  -e SUDO_ACCESS=true \
  -e PASSWORD_ACCESS=false \
  -e LOG_STDOUT=false \
  -p 2222:2222 \
  -v openssh-config:/config \
  -v /mnt/backups:/backups \
  -v /var/cache:/cache:ro \
  --restart unless-stopped \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Full Docker Compose Example for OpenSSH Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

A comprehensive Docker Compose file to configure and run the OpenSSH Server container. It includes environment variables, volumes, ports, secrets, and health checks.

```yaml
version: '3.9'

services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    hostname: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - LISTEN_PORT=2222
      - USER_NAME=backup
      - PUBLIC_KEY_FILE=/run/secrets/ssh_pubkey
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=false
      - LOG_STDOUT=false
    volumes:
      - openssh-config:/config
      - /var/data:/data:ro
      - /var/uploads:/uploads:rw
    ports:
      - "2222:2222"
    secrets:
      - ssh_pubkey
    restart: unless-stopped
    # Optional: Health check
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "2222"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

volumes:
  openssh-config:
    driver: local

secrets:
  ssh_pubkey:
    file: ./secrets/backup.pub
```

--------------------------------

### Secure Password Authentication Setup

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

If password authentication is required, use strong random passwords and manage them securely using Docker secrets. This snippet shows password generation and setting it via a file.

```bash
# 1. Use strong, random passwords
# Generate 32-character password
openssl rand -base64 24

# 2. Set via Docker secrets (not environment variable)
echo "CorrectHorseBatteryStaple42!" > /tmp/ssh_pass
docker run -e USER_PASSWORD_FILE=/run/secrets/pass ...
```

--------------------------------

### Docker CLI Setup for OpenSSH Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Alternative method for deploying the OpenSSH server container using the Docker command-line interface. This command includes essential parameters for container naming, port mapping, volume mounting, and environment variables.

```bash
docker run -d \
  --name=openssh-server \
  --hostname=openssh-server `#optional` \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e PUBLIC_KEY=yourpublickey `#optional` \
  -e PUBLIC_KEY_FILE=/path/to/file `#optional` \
  -e PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys `#optional` \
  -e PUBLIC_KEY_URL=https://github.com/username.keys `#optional` \
  -e SUDO_ACCESS=false `#optional` \
  -e PASSWORD_ACCESS=false `#optional` \
  -e USER_PASSWORD=password `#optional` \
  -e USER_PASSWORD_FILE=/path/to/file `#optional` \
  -e USER_NAME=linuxserver.io `#optional` \
  -e LOG_STDOUT= `#optional` \
  -p 2222:2222 \
  -v /path/to/openssh-server/config:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Custom SSHD Security Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Provides an example of a custom security configuration file that can be placed in the sshd_config.d directory.
```bash
# /config/sshd/sshd_config.d/security.conf
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
```

--------------------------------

### SSH Client Configuration Example

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Configure your SSH client to connect to a specific server using custom settings like hostname, port, user, and identity file. Setting 'StrictHostKeyChecking' to 'accept-new' makes the client add the keys of hosts it has not seen before automatically, while still refusing to connect when a known host's key has changed.

```sshconfig
Host backup-server
    HostName localhost
    Port 2222
    User linuxserver.io
    IdentityFile ~/.ssh/backup_key
    StrictHostKeyChecking accept-new
    IdentitiesOnly yes
```

--------------------------------

### Create SSH Configuration Directories

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/initialization.md

Creates the necessary directory structure within /config for persistent SSH server configuration and logs. This ensures a clean setup for configuration files and logs.

```bash
mkdir -p /config/{.ssh,logs/openssh,sshd}
```

--------------------------------

### Docker Compose Usage Commands

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Commands to manage the OpenSSH server Docker container. Includes setting up SSH keys, starting, stopping, and viewing logs.

```bash
# Set your public key
export SSH_PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)"

# Start
docker-compose up -d

# Stop
docker-compose down

# View logs
docker-compose logs -f
```

--------------------------------

### No Sudo Configuration (Recommended)

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

Disables sudo access for the container user, which is the recommended secure configuration. The user can only access files mounted within the container and cannot modify the system or install packages.
```bash
docker run -e SUDO_ACCESS=false ...
# or simply omit -e SUDO_ACCESS
```

--------------------------------

### SSH Account Compromise Response Steps

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

A step-by-step guide to responding to a compromised SSH account. This includes revoking keys, regenerating host keys, reviewing logs, and securing the account.

```bash
# 1. Revoke compromised public keys
docker exec openssh-server rm /config/.ssh/authorized_keys
docker exec openssh-server touch /config/.ssh/authorized_keys

# 2. Regenerate SSH host keys
docker exec openssh-server rm -rf /config/ssh_host_keys/*
docker restart openssh-server  # New host keys generated

# 3. Review logs for suspicious activity
docker logs openssh-server | grep "Accepted"

# 4. Check for unauthorized modifications
docker exec openssh-server find /config -newer /config/.ssh -type f

# 5. Reset password if password auth used
docker exec openssh-server bash -c "echo 'user:newpass' | chpasswd"

# 6. Add new authorized keys only
docker exec openssh-server bash -c "echo '$(cat ~/.ssh/new_key.pub)' > /config/.ssh/authorized_keys"
# The file lives inside the container, so fix its mode there as well
docker exec openssh-server chmod 600 /config/.ssh/authorized_keys
```

--------------------------------

### Use Case 3: Restricted SFTP Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

This example configures a restricted SFTP server with read-only access to data and a writable uploads directory. It uses a specific public key and disables sudo access for enhanced security.

```bash
# SFTP-only access (read-only data, writable uploads)
docker run -d \
  --name sftp-server \
  -p 2222:2222 \
  -v sftp-config:/config \
  -v /mnt/data:/data:ro \
  -v /mnt/uploads:/uploads:rw \
  -e PUBLIC_KEY="ssh-ed25519 AAAA..." \
  -e SUDO_ACCESS=false \
  lscr.io/linuxserver/openssh-server:latest

# Connect via SFTP
sftp -P 2222 -i ~/.ssh/key linuxserver.io@localhost
```

--------------------------------

### Enable SSH Debug Logging (Client)

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Use verbose flags (-v, -vv, -vvv) with the ssh client to get detailed output during connection, useful for diagnosing client-side issues.

```bash
# Verbose output on client side
ssh -v -p 2222 linuxserver.io@localhost
# Shows: key exchange, algorithms, authentication methods

# Even more verbose
ssh -vv -p 2222 linuxserver.io@localhost
ssh -vvv -p 2222 linuxserver.io@localhost
```

--------------------------------

### Use Case 1: Secure Backups with Read-Only Data Access

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

This setup configures an SSH server to provide read-only access to a data volume for secure backups. It uses a public key URL for authentication and demonstrates how to pull backups using rsync.

```bash
# Container with read-only access to data
docker run -d \
  --name backup-ssh \
  -p 2222:2222 \
  -v backup-config:/config \
  -v /mnt/data:/data:ro \
  -e PUBLIC_KEY_URL=https://github.com/backupuser.keys \
  lscr.io/linuxserver/openssh-server:latest

# On remote server, pull backups via SSH
rsync -avz -e "ssh -i backup_key -p 2222" \
  linuxserver.io@backup-server:/data/ \
  /local/backups/
```

--------------------------------

### Encrypt Bind Mount with EncFS

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

This approach uses EncFS on the host to encrypt a directory, which is then mounted into the container as a bind mount. The data is encrypted on disk and decrypted in memory during container runtime. Ensure the EncFS setup is correctly configured on the host.
```bash
# Use EncFS or similar
encfs /encrypted/.raw /mnt/decrypted

docker run -d \
  -v /mnt/decrypted:/config \
  lscr.io/linuxserver/openssh-server:latest

# Encrypted on disk, mounted during container runtime
```

--------------------------------

### Get Container Version Number

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Retrieve the build version label from a running openssh-server container.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' openssh-server
```

--------------------------------

### Update All Docker Compose Containers

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Recreates and starts all services defined in your docker-compose.yml using their updated images.

```bash
docker-compose up -d
```

--------------------------------

### Get Image Version Number

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Retrieve the build version label directly from the openssh-server Docker image.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Update Single Docker Compose Container

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Recreates and starts a specific service, 'openssh-server', using its updated image.

```bash
docker-compose up -d openssh-server
```

--------------------------------

### Access Running Container Shell

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Use this command to get a shell inside a running openssh-server container for debugging or inspection.
```bash
docker exec -it openssh-server /bin/bash
```

--------------------------------

### SSH Verbose Output

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Enable verbose output for SSH client connections to get detailed debugging information about the connection process.

```bash
# Verbose output
ssh -v ...
```

--------------------------------

### Configure OpenSSH Server with Bind Mounts

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

Set up a local directory as a bind mount for the OpenSSH server configuration. This involves creating the directory, setting permissions, and then mounting it into the container.

```bash
# Create local directory
mkdir -p /path/to/openssh-config
```

```bash
# Set permissions
chmod 755 /path/to/openssh-config
chown 1000:1000 /path/to/openssh-config
```

```bash
# Use in container
docker run -v /path/to/openssh-config:/config ...
```

--------------------------------

### Specify Dockerfile for Cross-Architecture Build

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

After registering QEMU, use this flag with 'docker build' to specify a Dockerfile for a different architecture, e.g., Dockerfile.aarch64.

```bash
-f Dockerfile.aarch64
```

--------------------------------

### Best Practice for Docker Secret Password

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Demonstrates the recommended method for creating a Docker secret file with the exact password content and mounting it to the container.

```bash
# Create secret with exact content
echo -n "MyPassword123" > secret.txt
chmod 400 secret.txt

# Mount as Docker secret
docker run -e USER_PASSWORD_FILE=/run/secrets/pass ...
```

--------------------------------

### Remove OpenSSH Server Container

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

Stop and remove the OpenSSH server container. Use `docker-compose down` for compose setups, with an option to remove associated volumes.

```bash
# Stop and remove container
docker stop openssh-server
docker rm openssh-server
```

```bash
# Remove with compose
docker-compose down
```

```bash
# Remove the volumes as well
docker-compose down --volumes  # Also deletes named volumes declared in the compose file
```

--------------------------------

### First SSH Connection Prompt (TOFU)

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

This is the prompt displayed when connecting to an SSH server for the first time. It uses the Trust On First Use (TOFU) mechanism to warn the user about an unknown host key.

```bash
$ ssh linuxserver.io@localhost -p 2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:abcdefg...
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```

--------------------------------

### Use Docker Image Mirror

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

If the primary registry is inaccessible, try pulling the Docker image from an alternative mirror.

```bash
docker pull linuxserver/openssh-server:latest
```

--------------------------------

### Troubleshoot Permission Denied

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

If you face 'Permission Denied' errors, ensure the container's PUID and PGID match your host user's IDs. Verify volume permissions and use `docker exec` to adjust ownership if necessary.
```bash
# Verify PUID/PGID match host user
id your_user
```

```bash
# Check volume permissions
docker exec openssh-server ls -la /config
```

```bash
# Fix permissions
docker exec openssh-server chown 1000:1000 /config
```

--------------------------------

### Docker Run: Default SSH Port Mapping

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Starts the OpenSSH server container with the default SSH port mapping (2222 externally to 2222 internally).

```bash
docker run -d -p 2222:2222 lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Docker Run: Custom External SSH Port

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Starts the OpenSSH server container, mapping a custom external port (2223) to the default internal port (2222).

```bash
docker run -d -p 2223:2222 lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Run OpenSSH Server Service

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/initialization.md

This script configures and runs the OpenSSH server as a long-running service. It includes a readiness check and drops privileges before starting the SSH daemon.

```bash
exec 2>&1 \
    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${LISTEN_PORT:-2222}" \
        s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config ${SSH_HOST_KEYS}
```

--------------------------------

### Reset OpenSSH Server Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Use this command to remove the existing configuration volume and recreate the container with a fresh setup. This is a destructive operation that deletes all existing configuration.
```bash
# Remove volume (deletes all config)
docker volume rm openssh-config

# Recreate container
docker run -d \
  -p 2222:2222 \
  -v openssh-config:/config \
  -e PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)" \
  lscr.io/linuxserver/openssh-server:latest

# Result: Fresh configuration, new SSH host keys
```

--------------------------------

### Connect to SFTP Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Connect to the SFTP server using the OpenSSH client. Ensure you have the correct private key and port specified.

```bash
# Via OpenSSH client
sftp -i ~/.ssh/id_ed25519 -P 2222 linuxserver.io@localhost
```

--------------------------------

### Add SSH Public Keys from Directory

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/configuration.md

Use PUBLIC_KEY_DIR to specify a directory containing multiple public key files. All valid public key files within this directory will be added to authorized_keys during initialization.

```bash
-e PUBLIC_KEY_DIR=/run/secrets/ssh_keys/
```

--------------------------------

### Minimal Docker Run Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

This snippet shows the most basic way to run the OpenSSH server container. It maps a host port to the container's SSH port and sets up a persistent configuration volume.

```bash
docker run -d \
  --name openssh-server \
  -p 2222:2222 \
  -v openssh-config:/config \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Map Host UID/GID to Container for Volume Permissions

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Ensure the container has the correct permissions to access host-mounted volumes by matching the host user's UID/GID with the container's PUID/PGID environment variables. Create and set permissions on the host directory before mounting.
```bash
# Find your UID/GID
id your_user
# uid=1000(your_user) gid=1000(your_user)

# Create config directory on host
mkdir -p /path/to/config
chown 1000:1000 /path/to/config
chmod 750 /path/to/config

# Run container with matching PUID/PGID
docker run -e PUID=1000 -e PGID=1000 -v /path/to/config:/config ...
```

--------------------------------

### Troubleshoot 'Permission denied (publickey)' Error

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Diagnose and fix 'Permission denied' errors by checking authorized keys, adding your public key, and ensuring correct file permissions.

```bash
# Check if key is in authorized_keys
docker exec openssh-server cat /config/.ssh/authorized_keys
```

```bash
# Add your key
docker exec openssh-server bash -c "echo '$(cat ~/.ssh/id_ed25519.pub)' >> /config/.ssh/authorized_keys"
```

```bash
# Fix permissions
docker exec openssh-server chmod 600 /config/.ssh/authorized_keys
```

--------------------------------

### Docker Compose Configuration for OpenSSH Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Recommended method for setting up the OpenSSH server container. This configuration allows for detailed environment variable and volume mapping for customization. Ensure all mandatory parameters are provided.
```yaml
---
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    hostname: openssh-server #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - PUBLIC_KEY=yourpublickey #optional
      - PUBLIC_KEY_FILE=/path/to/file #optional
      - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
      - PUBLIC_KEY_URL=https://github.com/username.keys #optional
      - SUDO_ACCESS=false #optional
      - PASSWORD_ACCESS=false #optional
      - USER_PASSWORD=password #optional
      - USER_PASSWORD_FILE=/path/to/file #optional
      - USER_NAME=linuxserver.io #optional
      - LOG_STDOUT= #optional
    volumes:
      - /path/to/openssh-server/config:/config
    ports:
      - 2222:2222
    restart: unless-stopped
```

--------------------------------

### Sourcing Environment Variables from Docker Secrets

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Demonstrates how to use the FILE__ prefix to source environment variables from Docker secrets. This is particularly useful for sensitive information like public keys and user passwords.

```bash
docker run -e FILE__MYVAR=/run/secrets/mysecret ...
# Sets MYVAR to contents of /run/secrets/mysecret

# Specifically useful for:
docker run -e FILE__PUBLIC_KEY_FILE=/run/secrets/key ...
docker run -e FILE__USER_PASSWORD_FILE=/run/secrets/pass ...
```

--------------------------------

### Restore OpenSSH Server Configuration from Backup

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

This procedure outlines how to restore the OpenSSH Server configuration from a backup. Ensure a backup is created before performing restoration. Permissions may need to be fixed after restoration.

```bash
# Create backup first
docker cp openssh-server:/config /backup/openssh-config

# Restore from backup
docker cp /backup/openssh-config/. openssh-server:/config

# Fix permissions if needed
docker exec openssh-server chmod 700 /config/.ssh
docker exec openssh-server chmod 600 /config/.ssh/authorized_keys
```

--------------------------------

### Update OpenSSH Server Container

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Steps to pull the latest image, stop the old container, and start a new one using Docker Compose or manual commands. Configuration is preserved via volumes.

```bash
# Pull latest image
docker pull lscr.io/linuxserver/openssh-server:latest

# Stop old container
docker-compose down

# Start new container (will use new image)
docker-compose up -d

# Or manually
docker stop openssh-server
docker rm openssh-server
docker run -d ... lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Diagnose Permission Denied (Public Key) Errors

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Verify the 'authorized_keys' file exists and contains the correct public key, and check SSH key fingerprints and sshd logs for authentication issues.

```bash
# 1. Check authorized_keys exists
docker exec openssh-server test -f /config/.ssh/authorized_keys && echo exists
```

```bash
# 2. View authorized_keys content
docker exec openssh-server cat /config/.ssh/authorized_keys
```

```bash
# 3. Verify SSH key fingerprint
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
```

```bash
# 4. Check sshd logs for authentication attempt
docker logs openssh-server | grep -i "invalid user\|authentication"
```

--------------------------------

### SSH Specific Key and User

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Specify a particular private key file and username for establishing an SSH connection.

```bash
# Use specific key
ssh -i ~/.ssh/specific_key ...

# Specific user
ssh -l username ...
```

--------------------------------

### Docker Compose with Docker Secrets for Authentication

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

This example uses Docker secrets to provide the public SSH key and user password. It configures the server to use these secrets for authentication and grants sudo access.

```yaml
version: '3.9'
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - PUBLIC_KEY_FILE=/run/secrets/ssh_pubkey
      - USER_PASSWORD_FILE=/run/secrets/ssh_password
      - SUDO_ACCESS=true
      - PASSWORD_ACCESS=true
    volumes:
      - openssh-config:/config
    ports:
      - "2222:2222"
    secrets:
      - ssh_pubkey
      - ssh_password
    restart: unless-stopped

volumes:
  openssh-config:

secrets:
  ssh_pubkey:
    file: ./secrets/backup.pub
  ssh_password:
    file: ./secrets/ssh_password.txt
```

--------------------------------

### Use Named Volume for Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Recommended for managing configuration data. Named volumes are easier to manage, back up, and migrate.

```bash
docker run -v openssh-config:/config ...
```

--------------------------------

### Get SSH Host Public Key

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

After running the container, use this command to retrieve the SSH host public key from the container logs. This is useful for verifying the host's identity when connecting with an SSH client.

```bash
# Get the host public key (for client verification)
# -A 3 also prints the key lines that follow the header line
docker logs openssh-server | grep -A 3 "SSH host public"
```

--------------------------------

### Run Multiple OpenSSH Server Instances

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Deploy two separate OpenSSH server instances, one for read-only backups and another for write access uploads. Each instance is mapped to a different host port and uses distinct volume configurations.

```bash
# Instance 1: Backups (read-only)
docker run -d \
  --name openssh-backup \
  -p 2222:2222 \
  -v backup-config:/config \
  -v /backups:/data:ro \
  -e PUBLIC_KEY="..." \
  lscr.io/linuxserver/openssh-server:latest

# Instance 2: Uploads (write access)
docker run -d \
  --name openssh-upload \
  -p 2223:2222 \
  -v upload-config:/config \
  -v /uploads:/data:rw \
  -e PUBLIC_KEY="..." \
  lscr.io/linuxserver/openssh-server:latest

# Connect to each
ssh -p 2222 linuxserver.io@localhost  # Backup server
ssh -p 2223 linuxserver.io@localhost  # Upload server
```

--------------------------------

### Docker Run: Custom Internal SSH Port with LISTEN_PORT Override

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/volumes-and-ports.md

Starts the OpenSSH server container, mapping a custom external port (2223) to a custom internal port (2223) by overriding the LISTEN_PORT environment variable.

```bash
docker run -d -p 2223:2223 -e LISTEN_PORT=2223 lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Clone and Build Docker Image Locally

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/README.md

Clones the repository and builds the openssh-server Docker image locally. Use --no-cache and --pull for a clean build.

```bash
git clone https://github.com/linuxserver/docker-openssh-server.git
cd docker-openssh-server
docker build \
  --no-cache \
  --pull \
  -t lscr.io/linuxserver/openssh-server:latest .
```

--------------------------------

### Use Kubernetes Secrets for OpenSSH Server

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

This example shows how to define Kubernetes Secrets for SSH public keys and passwords, and then mount them into an OpenSSH Server pod. This method ensures secrets are managed securely within the Kubernetes environment.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: openssh-server-secrets
type: Opaque
stringData:
  ssh_pubkey: ssh-ed25519 AAAA...
  ssh_password: MySecurePass123
---
apiVersion: v1
kind: Pod
metadata:
  name: openssh-server
spec:
  containers:
    - name: openssh-server
      image: lscr.io/linuxserver/openssh-server:latest
      env:
        - name: PUBLIC_KEY_FILE
          value: /run/secrets/openssh-server-secrets/ssh_pubkey
        - name: USER_PASSWORD_FILE
          value: /run/secrets/openssh-server-secrets/ssh_password
      volumeMounts:
        - name: secrets
          mountPath: /run/secrets/openssh-server-secrets
  volumes:
    - name: secrets
      secret:
        secretName: openssh-server-secrets
```

--------------------------------

### Host Firewall Rules for SSH Access

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

Configures host firewall rules (UFW example) to control network access to the SSH server. It demonstrates allowing SSH from specific IPs or local networks while denying all other incoming traffic. Docker publishes container ports through its own iptables chains, which ufw rules do not filter by default, so confirm from a host outside the allowed range that port 2222 is actually blocked.

```bash
# Only allow SSH from specific IP
sudo ufw allow from 192.168.1.100 to any port 2222

# Allow from local network
sudo ufw allow from 192.168.1.0/24 to any port 2222

# Deny all other access
sudo ufw default deny incoming
```

--------------------------------

### Enable Password Authentication

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Set PASSWORD_ACCESS to `true` to enable password authentication. If enabled, USER_PASSWORD or USER_PASSWORD_FILE must be set.

```bash
docker run -e PASSWORD_ACCESS=true -e USER_PASSWORD=mysecretpassword ...
```

--------------------------------

### Run OpenSSH Server with Read-Only Filesystem

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

Deploy the container with a read-only filesystem to prevent modifications to system files. Use tmpfs mounts for necessary writable system areas like /run and /var/run.

```bash
docker run -d \
  -p 2222:2222 \
  -v openssh-config:/config \
  --read-only \
  --tmpfs /run \
  --tmpfs /var/run \
  lscr.io/linuxserver/openssh-server:latest

# Filesystem is read-only except /config
# Prevents modification of system files
# Requires tmpfs mounts for writable system areas
```

--------------------------------

### Add SSH Public Key via Environment Variable

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/configuration.md

Use the PUBLIC_KEY environment variable to directly provide an SSH public key string. This key will be added to the authorized_keys file on container start if it doesn't already exist.

```bash
-e PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ..."
```

--------------------------------

### Troubleshoot Connection Refused

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

When encountering a 'Connection Refused' error, verify the container is running, check its port mappings, and test connectivity to the exposed port. Reviewing container logs is also crucial.

```bash
# Check if container is running
docker ps | grep openssh-server
```

```bash
# Check port mapping
docker port openssh-server
```

```bash
# Test port connectivity
nc -zv localhost 2222
```

```bash
# Check logs
docker logs openssh-server
```

--------------------------------

### Use Case 4: Temporary Access with Ephemeral Container

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

This setup uses an ephemeral Docker container for temporary SSH access, which automatically removes itself upon exit. A persistent volume is used for configuration, allowing settings to be retained for future runs.

```bash
# Ephemeral container for one-time access
docker run --rm -it \
  -p 2222:2222 \
  -v temp-config:/config \
  -e PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)" \
  lscr.io/linuxserver/openssh-server:latest

# Container stops and removes when exited
# Volume temp-config remains for next run
```

--------------------------------

### Match Container PUID/PGID to Host User

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Recreate the container, specifying the PUID and PGID environment variables to match your host user's UID and GID. This ensures the container processes run with the correct user permissions for volume access.

```bash
# Get your user's ID
id your_user
# uid=1000(your_user) gid=1000(your_user)

# Recreate container with matching IDs
docker run -e PUID=1000 -e PGID=1000 -v /path/to/config:/config ...
```

--------------------------------

### Team SFTP Server with Directory Key Management

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/README.md

This configuration creates a team SFTP server. It maps ports, mounts a shared directory for data, and uses a directory of public keys for authentication. The UMASK is set to 0002 to control file creation permissions.

```bash
docker run -d \
  -p 2222:2222 \
  -v sftp-config:/config \
  -v /shared:/data \
  -e PUBLIC_KEY_DIR=/team_keys \
  -e UMASK=0002 \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Apply and Restart SSH Configuration Changes

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/security-considerations.md

Steps to copy the SSH configuration file from a running container, modify it, copy it back, verify syntax, and restart the SSH service to apply hardened settings.

```bash
# Create custom sshd_config
docker cp openssh-server:/config/sshd/sshd_config /tmp/sshd_config

# Edit /tmp/sshd_config with above settings

# Copy back
docker cp /tmp/sshd_config openssh-server:/config/sshd/sshd_config

# Verify syntax
docker exec openssh-server sshd -t

# Restart
docker restart openssh-server
```

--------------------------------

### Docker Compose with Multiple Volume Mounts

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/docker-deployment.md

This configuration demonstrates mounting multiple host directories into the container for persistent storage and data sharing. It also shows how to fetch public keys from a URL.

```yaml
version: '3.9'
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - PUBLIC_KEY_URL=https://github.com/myteam.keys
      - USER_NAME=sftp_user
    volumes:
      - openssh-config:/config
      - /data/shared:/shared
      - /data/archive:/archive
      - /data/tmp:/tmp
      - ./motd.txt:/etc/motd:ro
    ports:
      - "2222:2222"
    restart: unless-stopped

volumes:
  openssh-config:
```

--------------------------------

### Set Public Keys from Directory

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/environment-variables-reference.md

Use PUBLIC_KEY_DIR to specify a directory containing multiple SSH public key files. All files in the directory are processed at startup.
This can be used with Docker secrets or bind mounts.

```bash
# With Docker secret directory
docker run -e PUBLIC_KEY_DIR=/run/secrets/ssh_keys ...

# With bind mount
docker run -e PUBLIC_KEY_DIR=/tmp/keys \
  -v /local/keys:/tmp/keys:ro ...
```

--------------------------------

### Troubleshoot 'Host key changed' Error

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

Resolve 'Host key changed' warnings by removing the old host key from your known_hosts file and reconnecting.

```bash
# Remove old entry from known_hosts
ssh-keygen -R "[localhost]:2222"
```

```bash
# Connect again and accept new key
ssh -p 2222 linuxserver.io@localhost
```

--------------------------------

### Test sshd Configuration Syntax

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Use this command to test the syntax of your sshd configuration file within the container. It will exit with no output on success.

```bash
docker exec openssh-server sshd -t
```

--------------------------------

### Configure SFTP Subsystem

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Configure the SFTP subsystem in the sshd_config file. The umask setting affects file permissions upon creation.

```bash
# In /config/sshd/sshd_config
Subsystem sftp /usr/lib/ssh/sftp-server -u 022
```

--------------------------------

### SSH Host Public Keys Displayed on Startup

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

This output shows the public host keys generated by the SSH server. These keys are used for verifying the server's identity.

```text
SSH host public key(s):
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN... root@container
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxlz7a3ZK/q9e... root@container
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDT... root@container
```

--------------------------------

### Use Case 2: Multiple Team Members Access

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/quick-start-guide.md

This configuration sets up a shared SSH server accessible by multiple team members. Public keys should be placed in a shared directory mounted into the container.

```bash
# Shared SSH server with multiple keys
mkdir -p /tmp/ssh_keys
# Add public keys from team members to this directory

docker run -d \
  --name team-ssh \
  -p 2222:2222 \
  -v team-ssh-config:/config \
  -v /tmp/ssh_keys:/tmp/keys:ro \
  -e PUBLIC_KEY_DIR=/tmp/keys \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Connect via SSH with Public Key

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/ssh-features.md

Connects to the SSH server using the generated private key for authentication. Ensure the private key path and port are correct.

```bash
ssh -i ~/.ssh/id_ed25519 linuxserver.io@localhost -p 2222
```

--------------------------------

### Recreate Container with Memory Limit

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Run a new instance of the OpenSSH server container with a specified memory limit to prevent excessive resource consumption.

```bash
# Recreate with memory limit
docker run -d \
  --memory 256m \
  --memory-swap 256m \
  -p 2222:2222 \
  -v openssh-config:/config \
  lscr.io/linuxserver/openssh-server:latest
```

--------------------------------

### Inspect Container State

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/troubleshooting-and-diagnostics.md

Examine the detailed state and configuration of the openssh-server container.

```bash
docker inspect openssh-server | grep -A 5 '"State"'
```

--------------------------------

### Enable Modular SSH Configuration

Source: https://github.com/linuxserver/docker-openssh-server/blob/master/_autodocs/initialization.md

Enables the use of modular SSH daemon configuration files by uncommenting an include directive. This allows for custom configurations to be loaded from a specified directory.

```text
If /config/sshd/sshd_config.d directory exists:
  Uncomment Include directive to point to
  /config/sshd/sshd_config.d/*.conf
```
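
--------------------------------

### Added Example: Pin the Host Key and Check authorized_keys by Fingerprint

This is an added example, not part of the linuxserver documentation. It relates to the "SSH Host Public Keys Displayed on Startup", "Troubleshoot 'Host key changed' Error" and "Diagnose Permission Denied (Public Key) Errors" entries: it turns the host key lines from the container log into `known_hosts` entries with SHA256 fingerprints to compare before accepting a new key, and checks whether a client key is present in `authorized_keys`. All function names are hypothetical and the sample keys are constructed encodings, not real key pairs.

```python
import base64
import hashlib
import struct


def parse_public_key(line):
    """Return (key_type, blob) for the first valid OpenSSH public key in line, else None."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if len(blob) < 4:
            continue
        # The blob opens with a length-prefixed copy of the key type; a
        # mismatch means the line was truncated, edited or is not a key.
        (name_len,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + name_len] == key_type.encode():
            return key_type, blob
    return None


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_lines(log_text, host, port):
    """Turn host keys found in log text into (known_hosts line, fingerprint) pairs."""
    name = host if port == 22 else f"[{host}]:{port}"
    pairs = []
    for line in log_text.splitlines():
        parsed = parse_public_key(line)
        if parsed:
            key_type, blob = parsed
            entry = f"{name} {key_type} {base64.b64encode(blob).decode()}"
            pairs.append((entry, fingerprint(blob)))
    return pairs


def is_authorized(client_pub_line, authorized_keys_text):
    """True if the client's public key blob appears in the authorized_keys text."""
    client = parse_public_key(client_pub_line)
    if client is None:
        return False
    for line in authorized_keys_text.splitlines():
        entry = parse_public_key(line)
        if entry and entry[1] == client[1]:
            return True
    return False


def constructed_key(seed):
    """Constructed sample: a well-formed ssh-ed25519 encoding, not a real key pair."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample input shaped like the startup output and authorized_keys file.
SAMPLE_LOG = "\n".join([
    "SSH host public key(s):",
    constructed_key(1) + " root@container",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDT... root@container",  # elided, so rejected
])
SAMPLE_AUTHORIZED_KEYS = "# team keys\n" + constructed_key(2) + " alice@laptop\n"

if __name__ == "__main__":
    for entry, fp in known_hosts_lines(SAMPLE_LOG, "localhost", 2222):
        print(fp)
        print(entry)
    print("key 2 authorized:", is_authorized(constructed_key(2), SAMPLE_AUTHORIZED_KEYS))
    print("key 3 authorized:", is_authorized(constructed_key(3), SAMPLE_AUTHORIZED_KEYS))
```

Feed it the real `docker logs openssh-server` output and append the resulting line to `~/.ssh/known_hosts` only after the fingerprint matches what the ssh client reports.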
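
--------------------------------

### Added Example: Audit a Container's Authentication Environment

This is an added example, not part of the linuxserver documentation. It checks a compose-style `environment:` list against the rules stated in the "Enable Password Authentication" and "Sourcing Environment Variables from Docker Secrets" entries. The function names are hypothetical, the sample lists are constructed, and treating an unset PASSWORD_ACCESS as `false` is an assumption taken from the README template.

```python
KEY_SOURCES = ("PUBLIC_KEY", "PUBLIC_KEY_FILE", "PUBLIC_KEY_DIR", "PUBLIC_KEY_URL")
# Placeholder values copied from the README compose template.
TEMPLATE_PLACEHOLDERS = {"yourpublickey", "password", "/path/to/file"}


def parse_environment(items):
    """Parse compose-style '- NAME=value #comment' list items into a dict."""
    env = {}
    for item in items:
        text = item.strip()
        if text.startswith("- "):
            text = text[2:]
        text = text.split(" #", 1)[0].strip()
        name, sep, value = text.partition("=")
        if sep:
            env[name.strip()] = value.strip()
    return env


def is_set(env, name):
    """A variable counts as set if given directly or through the FILE__ prefix."""
    return bool(env.get(name)) or bool(env.get("FILE__" + name))


def audit(env):
    """Return (severity, message) findings for one container's environment."""
    findings = []
    # Assumption: password login is off unless PASSWORD_ACCESS is exactly "true".
    password_login = env.get("PASSWORD_ACCESS", "false").lower() == "true"
    has_password = is_set(env, "USER_PASSWORD") or is_set(env, "USER_PASSWORD_FILE")
    if password_login and not has_password:
        findings.append(("error", "PASSWORD_ACCESS=true needs USER_PASSWORD or USER_PASSWORD_FILE"))
    if env.get("USER_PASSWORD"):
        findings.append(("warn", "USER_PASSWORD is inline and readable via docker inspect; "
                                 "use USER_PASSWORD_FILE or FILE__USER_PASSWORD"))
    if not password_login and not any(is_set(env, n) for n in KEY_SOURCES):
        findings.append(("warn", "no key source and no password login: only keys already "
                                 "in /config/.ssh/authorized_keys can authenticate"))
    for name, value in sorted(env.items()):
        if value in TEMPLATE_PLACEHOLDERS:
            findings.append(("warn", f"{name} still holds the template value {value!r}"))
    return findings


# Constructed inputs modelled on the compose files in this document.
MISSING_PASSWORD = ["- PASSWORD_ACCESS=true", "- SUDO_ACCESS=false #optional"]
WITH_SECRETS = [
    "- PUBLIC_KEY_FILE=/run/secrets/ssh_pubkey",
    "- USER_PASSWORD_FILE=/run/secrets/ssh_password",
    "- PASSWORD_ACCESS=true",
]
UNEDITED_TEMPLATE = [
    "- PUBLIC_KEY=yourpublickey #optional",
    "- PASSWORD_ACCESS=false #optional",
    "- USER_PASSWORD=password #optional",
    "- LOG_STDOUT= #optional",
]

if __name__ == "__main__":
    samples = {"missing password": MISSING_PASSWORD, "with secrets": WITH_SECRETS,
               "unedited template": UNEDITED_TEMPLATE}
    for label, items in samples.items():
        for severity, message in audit(parse_environment(items)):
            print(f"{label}: {severity}: {message}")
```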