Simple SSH container. Great for secure connections into clusters.
Introduction
serversideup/docker-ssh is a hardened SSH server container based on Debian. It works great if you need to create a secure tunnel into your cluster.
Features
- 🐧 Debian-based - Get a lightweight experience, while still having Bash
- 📂
rsyncincluded - Easily back up or sync data from your Docker volumes over SSH - 🤝 Key-based auth via ENV - Grant access with the
AUTHORIZED_KEYSenvironment variable - ⛔️ Block IPs via ENV - Block access with the
ALLOWED_IPSenvironment variable - 🔒 Unprivileged user - All SSH connections are made as an unprivileged user
- 🔑 Set your own PUID and PGID - Have the PUID and PGID match your host user
- 🔐 Hardened SSH - Prevent bot attacks and ensure quality security
- 📦 DockerHub and GitHub Container Registry - Choose where you'd like to pull your image from
- 🤖 Multi-architecture - Every image ships with x86_64 and arm64 architectures
Usage
This is a list of the docker images this repository creates:| Image | Image Size | Description | | --------- | -------------------- | ----------- | | serversideup/docker-ssh | | A hardened SSH server based on Debian Bookworm. |
Usage instructions
All variables are documented here:🔀 Variable Name|📚 Description|#️⃣ Default Value :-----:|:-----:|:-----: ALLOWED_IPS| Content of allowed IP addresses (see below)| AllowUsers tunnel (allow the tunnel user from any IP) | AUTHORIZED_KEYS|🚨 Required to be set by you. Content of your authorized keys file (see below)| | DEBUG|Display a bunch of helpful content for debugging.|false PGID|Group ID the SSH user should run as.|9999 PUID|User ID the SSH user should run as.|9999 SSH_GROUP|Group name used for our SSH user.|tunnelgroup SSHHOSTKEYDIR|Location of where the SSH host keys should be stored.|/etc/ssh/sshhost_keys/ SSH_PORT|Listening port for SSH server (on container only. You'll still need to publish this port).|2222 SSH_USER|Username for the SSH user that other users will connect into as.|tunnel
1. Set your AUTHORIZEDKEYS environment variable or provide a /authorizedkeys file
You can provide multiple keys by loading the contents of a file into an environment variable.
AUTHORIZEDKEYS="$(cat .ssh/mymanysshpublickeysinonefile.txt)"
Or you can provide the authorizedkeys file via a volume. Ensure the volume references matches the path of /authorizedkeys. The image will automatically take the file from /authorized_keys and configure it for use with your selected user.
ℹ️ NOTE: If both a file and variable are provided, the image will respect the value of the variable over the file.
2. Set your ALLOWED_IPS environment variable
Set this in the same context of AllowUsersThis example shows a few scenarios you can do:
ALLOWED_IPS="AllowUsers @192.168.1.0/24 @172.16.0.1 @10.0..1"
3. Forward your external port to 2222 on the container
You can see I'm forwarding 12345 to 2222.
docker run --rm --name=ssh --network=web -p 12345:2222 localhost/ssh
This means I would connect with:
ssh -p 12345 tunnel@myserver.test
Working example with MariaDB + SSH + Docker Swarm
Here's a perfect example how you can use it with MariaDB. This allows you to use Sequel Pro or TablePlus to connect securely into your database server 🥳Example using ALLOWED_IPS variable:
services:
mariadb:
image: mariadb:10.11
networks:
- database
environment:
MARIADBROOTPASSWORD: "myrootpassword"
ssh:
image: serversideup/docker-ssh
ports:
- target: 2222
published: 2222
mode: host
# Set the Authorized Keys of who can connect
environment:
AUTHORIZED_KEYS: >
"# Start Keys
ssh-ed25519 1234567890abcdefghijklmnoqrstuvwxyz user-a
ssh-ed25519 abcdefghijklmnoqrstuvwxyz1234567890 user-b
# End Keys"
# Lock down the access to certain IP addresses
ALLOWED_IPS: "AllowUsers tunnel@1.2.3.4"
networks:
- database
networks: database:
Example using $SSHUSERHOME/.ssh/authorized_keys file:
services:
mariadb:
image: mariadb:10.11
networks:
- database
environment:
MARIADBROOTPASSWORD: "myrootpassword"
ssh: image: serversideup/docker-ssh ports: - target: 2222 published: 2222 mode: host # Set the Authorized Keys of who can connect environment: # Lock down the access to certain IP addresses ALLOWED_IPS: "AllowUsers tunnel@1.2.3.4" configs: - source: sshauthorizedkeys # Mount the file to "/authorized_keys". The image will handle everything else target: /authorized_keys mode: 0600 networks: - database
Define the config to be used
configs:
sshauthorizedkeys:
file: ./authorized_keys
networks: database:
Working example: Backing up a Docker volume with rsync
Because rsync is included in the image, you can mount any Docker volume into the SSH container and pull the data down to your local machine (or push it back up) over a secure SSH tunnel.
1. Mount the volume you want to back up
Attach the volume to a path the SSH user can read. In this example we mount theapp_data volume to /data inside the container as read-only:
services:
ssh:
image: serversideup/docker-ssh
ports:
- target: 2222
published: 2222
mode: host
environment:
AUTHORIZED_KEYS: >
"ssh-ed25519 1234567890abcdefghijklmnoqrstuvwxyz user-a"
ALLOWED_IPS: "AllowUsers tunnel@1.2.3.4"
volumes:
- app_data:/data:ro
volumes: app_data: external: true
2. Pull the data down with rsync
From your local machine, use rsync over SSH to copy the contents of the volume to a local directory:
rsync -avz -e "ssh -p 12345" tunnel@myserver.test:/data/ ./app_data-backup/
ℹ️ NOTE: Drop the :ro flag on the volume mount if you also need to push data back into the volume.
Resources
- DockerHub to browse the images.
- Discord for friendly support from the community and the team.
- GitHub for source code, bug reports, and project management.
- Get Professional Help - Get video + screen-sharing help directly from the core contributors.
Contributing
As an open-source project, we strive for transparency and collaboration in our development process. We greatly appreciate any contributions members of our community can provide. Whether you're fixing bugs, proposing features, improving documentation, or spreading awareness - your involvement strengthens the project. Please review our code of conduct to understand how we work together respectfully.- Bug Report: If you're experiencing an issue while using these images, please create an issue.
- Feature Request: Make this project better by submitting a feature request.
- Documentation: Improve our documentation by submitting a documentation change.
- Community Support: Help others on GitHub Discussions or Discord.
- Security Report: Report critical security issues via our responsible disclosure policy.
Our Sponsors
All of our software is free an open to the world. None of this can be brought to you without the financial backing of our sponsors.Black Level Sponsors
Bronze Sponsors
No bronze sponsors yet. Become a sponsor →Individual Supporters
About Us
We're Dan and Jay - a two person team with a passion for open source products. We created Server Side Up to help share what we learn.|
Find us at:
- 📖 Blog - Get the latest guides and free courses on all things web/mobile development.
- 🙋 Community - Get friendly help from our community members.
- 🤵♂️ Get Professional Help - Get video + screen-sharing support from the core contributors.
- 💻 GitHub - Check out our other open source projects.
- 📫 Newsletter - Skip the algorithms and get quality content right to your inbox.
- 🐥 Twitter - You can also follow Dan and Jay.
- ❤️ Sponsor Us - Please consider sponsoring us so we can create more helpful resources.
Our products
If you appreciate this project, be sure to check out our other projects.📚 Books
- The Ultimate Guide to Building APIs & SPAs: Build web & mobile apps from the same codebase.
- Building Multi-Platform Browser Extensions: Ship extensions to all browsers from the same codebase.
🛠️ Software-as-a-Service
- Bugflow: Get visual bug reports directly in GitHub, GitLab, and more.
- SelfHost Pro: Connect Stripe or Lemonsqueezy to a private docker registry for self-hosted apps.
🌍 Open Source
- AmplitudeJS: Open-source HTML5 & JavaScript Web Audio Library.
- Spin: Laravel Sail alternative for running Docker from development → production.
- Financial Freedom: Open source alternative to Mint, YNAB, & Monarch Money.



