0

I'm trying to design an SSH server in docker, so I can wire it up with other containers like snort and fail2ban to run before the ssh connection.

I'm trying to make it as safe as possible. It's known that we shouldn't run as root inside a container, so I made a custom user. However, leaving the keys readable by this user so it can run the sshd daemon also does not look very nice. For example, the users that are connecting to this container could try to read the keys somehow.

FROM ubuntu:24.04

# Dependencies
RUN apt-get update && apt-get install -y openssh-server sudo

# All users are sudoers
RUN echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

# Non-root user
RUN useradd -ms /bin/bash user

USER user

COPY ./sshd_config /home/user/sshd_config
COPY ./custom_authorized_keys /home/user/custom_authorized_keys

# Prints version for checking againsts vulnerabilities and generates keys
RUN sshd -V && ssh-keygen -A && sudo mkdir -p /var/run/sshd

# Permissions for key
RUN sudo chmod 600 /etc/ssh/ssh_host_* \
&& sudo chown user:user /etc/ssh/ssh_host_* 

# Prints fingerprints for adding to known_hosts on other devices
RUN /bin/bash -c "ssh-keygen -l -E md5 -f <(cat /etc/ssh/ssh_host_*_key.pub) && \
ssh-keygen -l -E sha256 -f <(cat /etc/ssh/ssh_host_*_key.pub)"

What would be the best solution?

PS: my docker on the host machine is run without root permissions, and I'd like to wire this with fail2ban and snort over compose, so I should also do some assumptions on the networking.

Here's the sshd_config:

Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
AuthorizedKeysFile custom_authorized_keys
Improve this question
3
  • "the users that are connecting to this container could try to read the keys somehow" ... are they also connecting as the user user? Commented Aug 10, 2024 at 5:11
  • Is there no potential use case that your admin users would need to ssh into the server and stop dockerd to change its config? If this use case exists, stopping dockerd would stop sshd's container, disconnecting the admin user and not allowing any new ssh connections until dockerd+container were somehow restarted. Commented Aug 10, 2024 at 7:31
  • I’m not convinced by some of your assertions here. You seem to be trying to avoid things which would be normal on bare metal (outside a container). For example, nothing about running as root inside a container is worse than running as root outside a container. Is your goal to create an SSH container as a service in its own right rather than for admin access? Commented Aug 14, 2024 at 5:53

1 Answer 1

Reset to default
0

However, leaving the keys readable by this user so it can run the sshd daemon also does not look very nice.

Your users should not be logging in as the same user you're using to run the sshd process. Your sshd process must run as root because that's the only way it's going to be able to switch login sessions to the appropriate user id.

That is, you should configure sshd exactly as it is configured "out of the box" on most distributions:

  • sshd run as root, and your configuration lives in the standard /etc/ssh directory.
  • You create a secondary user (or multiple users) for login sessions.
  • You populate those users (either at build time or at runtime) with appropriate authorized_keys files so that people are not logging in with passwords.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.