linuxserver / docker-openssh-server Goto Github PK

View Code? Open in Web Editor NEW

487.0 17.0 171.0 285 KB

License: GNU General Public License v3.0

Dockerfile 56.50% Shell 43.50%

docker-openssh-server's Introduction

The LinuxServer.io team brings you another container release featuring:

regular and timely application updates
easy user mappings (PGID, PUID)
custom base image with s6 overlay
weekly base OS updates with common layers across the entire LinuxServer.io ecosystem to minimise space usage, down time and bandwidth
regular security updates

Find us at:

Blog - all the things you can do with our containers including How-To guides, opinions and much more!
Discord - realtime support / chat with the community and the team.
Discourse - post on our community forum.
Fleet - an online web interface which displays all of our maintained images.
GitHub - view the source for all of our repositories.
Open Collective - please consider helping us by either donating or contributing to our budget

linuxserver/openssh-server

Openssh-server is a sandboxed environment that allows ssh access without giving keys to the entire server. Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into. The users only have access to the folders mapped and the processes running inside this container.

Supported Architectures

We utilise the docker manifest for multi-platform awareness. More information is available from docker here and our announcement here.

Simply pulling lscr.io/linuxserver/openssh-server:latest should retrieve the correct image for your arch, but you can also pull specific arch images via tags.

The architectures supported by this image are:

Architecture	Available	Tag
x86-64	✅	amd64-<version tag>
arm64	✅	arm64v8-<version tag>
armhf	❌

Application Setup

If PUBLIC_KEY or PUBLIC_KEY_FILE, or PUBLIC_KEY_DIR variables are set, the specified keys will automatically be added to authorized_keys. If not, the keys can manually be added to /config/.ssh/authorized_keys and the container should be restarted. Removing PUBLIC_KEY or PUBLIC_KEY_FILE variables from docker run environment variables will not remove the keys from authorized_keys. PUBLIC_KEY_FILE and PUBLIC_KEY_DIR can be used with docker secrets.

We provide the ability to set and allow password based access via the PASSWORD_ACCESS and USER_PASSWORD variables, though we as an organization discourage using password auth for public facing ssh endpoints.

Connect to server via ssh -i /path/to/private/key -p PORT USER_NAME@SERVERIP

Setting SUDO_ACCESS to true by itself will allow passwordless sudo. USER_PASSWORD and USER_PASSWORD_FILE allow setting an optional sudo password.

The users only have access to the folders mapped and the processes running inside this container. Add any volume mappings you like for the users to have access to. To install packages or services for users to access, use the LinuxServer container customization methods described in this blog article.

Sample use case is when a server admin would like to have automated incoming backups from a remote server to the local server, but they might not want all the other admins of the remote server to have full access to the local server. This container can be set up with a mounted folder for incoming backups, and rsync installed via LinuxServer container customization described above, so that the incoming backups can proceed, but remote server and its admins' access would be limited to the backup folder.

It is also possible to run multiple copies of this container with different ports mapped, different folders mounted and access to different private keys for compartmentalized access.

TIPS

You can volume map your own text file to /etc/motd to override the message displayed upon connection. You can optionally set the docker argument hostname

Key Generation

This container has a helper script to generate an ssh private/public key. In order to generate a key please run:

docker run --rm -it --entrypoint /keygen.sh linuxserver/openssh-server

Then simply follow the prompts. The keys generated by this script are only displayed on your console output, so make sure to save them somewhere after generation.

Usage

To help you get started creating a container from this image you can either use docker-compose or the docker cli.

docker-compose (recommended, click here for more info)

---
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    hostname: openssh-server #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - PUBLIC_KEY=yourpublickey #optional
      - PUBLIC_KEY_FILE=/path/to/file #optional
      - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
      - PUBLIC_KEY_URL=https://github.com/username.keys #optional
      - SUDO_ACCESS=false #optional
      - PASSWORD_ACCESS=false #optional
      - USER_PASSWORD=password #optional
      - USER_PASSWORD_FILE=/path/to/file #optional
      - USER_NAME=linuxserver.io #optional
      - LOG_STDOUT= #optional
    volumes:
      - /path/to/openssh-server/config:/config
    ports:
      - 2222:2222
    restart: unless-stopped

docker cli (click here for more info)

docker run -d \
  --name=openssh-server \
  --hostname=openssh-server `#optional` \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e PUBLIC_KEY=yourpublickey `#optional` \
  -e PUBLIC_KEY_FILE=/path/to/file `#optional` \
  -e PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys `#optional` \
  -e PUBLIC_KEY_URL=https://github.com/username.keys `#optional` \
  -e SUDO_ACCESS=false `#optional` \
  -e PASSWORD_ACCESS=false `#optional` \
  -e USER_PASSWORD=password `#optional` \
  -e USER_PASSWORD_FILE=/path/to/file `#optional` \
  -e USER_NAME=linuxserver.io `#optional` \
  -e LOG_STDOUT= `#optional` \
  -p 2222:2222 \
  -v /path/to/openssh-server/config:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/openssh-server:latest

Parameters

Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.

Parameter	Function
`--hostname=`	Optionally the hostname can be defined.
`-p 2222`	ssh port
`-e PUID=1000`	for UserID - see below for explanation
`-e PGID=1000`	for GroupID - see below for explanation
`-e TZ=Etc/UTC`	specify a timezone to use, see this list.
`-e PUBLIC_KEY=yourpublickey`	Optional ssh public key, which will automatically be added to authorized_keys.
`-e PUBLIC_KEY_FILE=/path/to/file`	Optionally specify a file containing the public key (works with docker secrets).
`-e PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys`	Optionally specify a directory containing the public keys (works with docker secrets).
`-e PUBLIC_KEY_URL=https://github.com/username.keys`	Optionally specify a URL containing the public key.
`-e SUDO_ACCESS=false`	Set to `true` to allow `linuxserver.io`, the ssh user, sudo access. Without `USER_PASSWORD` set, this will allow passwordless sudo access.
`-e PASSWORD_ACCESS=false`	Set to `true` to allow user/password ssh access. You will want to set `USER_PASSWORD` or `USER_PASSWORD_FILE` as well.
`-e USER_PASSWORD=password`	Optionally set a sudo password for `linuxserver.io`, the ssh user. If this or `USER_PASSWORD_FILE` are not set but `SUDO_ACCESS` is set to true, the user will have passwordless sudo access.
`-e USER_PASSWORD_FILE=/path/to/file`	Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets).
`-e USER_NAME=linuxserver.io`	Optionally specify a user name (Default:`linuxserver.io`)
`-e LOG_STDOUT=`	Set to `true` to log to stdout instead of file.
`-v /config`	Contains all relevant configuration files.

Environment variables from files (Docker secrets)

You can set any environment variable from a file by using a special prepend FILE__.

As an example:

-e FILE__MYVAR=/run/secrets/mysecretvariable

Will set the environment variable MYVAR based on the contents of the /run/secrets/mysecretvariable file.

Umask for running applications

For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional -e UMASK=022 setting. Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up here before asking for support.

User / Group Identifiers

When using volumes (-v flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user PUID and group PGID.

Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.

In this instance PUID=1000 and PGID=1000, to find yours use id your_user as below:

id your_user

Example output:

uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)

Docker Mods

We publish various Docker Mods to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.

Support Info

Shell access whilst the container is running:
```
docker exec -it openssh-server /bin/bash
```
To monitor the logs of the container in realtime:
```
docker logs -f openssh-server
```

Container version number:

docker inspect -f '{{ index .Config.Labels "build_version" }}' openssh-server

Image version number:

docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/openssh-server:latest

Updating Info

Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (noted in the relevant readme.md), we do not recommend or support updating apps inside the container. Please consult the Application Setup section above to see if it is recommended for the image.

Below are the instructions for updating containers:

Via Docker Compose

Update images:

All images:
```
docker-compose pull
```
Single image:
```
docker-compose pull openssh-server
```

Update containers:

All containers:
```
docker-compose up -d
```
Single container:
```
docker-compose up -d openssh-server
```

You can also remove the old dangling images:
```
docker image prune
```

Via Docker Run

Update the image:

docker pull lscr.io/linuxserver/openssh-server:latest

Stop the running container:
```
docker stop openssh-server
```
Delete the container:
```
docker rm openssh-server
```
Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your /config folder and settings will be preserved)
You can also remove the old dangling images:
```
docker image prune
```

Image Update Notifications - Diun (Docker Image Update Notifier)

tip: We recommend Diun for update notifications. Other tools that automatically update containers unattended are not recommended or supported.

Building locally

If you want to make local modifications to these images for development purposes or just to customize the logic:

git clone https://github.com/linuxserver/docker-openssh-server.git
cd docker-openssh-server
docker build \
  --no-cache \
  --pull \
  -t lscr.io/linuxserver/openssh-server:latest .

The ARM variants can be built on x86_64 hardware using multiarch/qemu-user-static

docker run --rm --privileged multiarch/qemu-user-static:register --reset

Once registered you can define the dockerfile to use with -f Dockerfile.aarch64.

Versions

31.05.24: - Rebase to Alpine 3.20.
04.05.24: - Display the SSH host public keys every time the container starts.
09.03.24: - Rebase to Alpine 3.19.
12.06.23: - Rebase to Alpine 3.18, deprecate armhf. As announced here
05.03.23: - Rebase to Alpine 3.17.
18.10.22: - Fix wrong behavior of password/passwordless sudo
11.10.22: - Rebase to Alpine 3.16, migrate to s6v3.
15.09.22: - add netcat-openbsd with support for proxies.
18.07.22: - Fix service perms to comply with upgrade to s6 v3.
16.04.22: - Rebase to alpine 3.15.
16.11.21: - Add PUBLIC_KEY_URL option
28.06.21: - Rebasing to alpine 3.14. Add support for PAM.
10.02.21: - Rebasing to alpine 3.13. Add openssh-client for scp.
21.10.20: - Implement s6-log for openssh, which adds local timestamps to logs and can be used with a log parser like fail2ban.
20.10.20: - Set umask for sftp.
01.06.20: - Rebasing to alpine 3.12.
18.01.20: - Add key generation script.
13.01.20: - Add openssh-sftp-server.
19.12.19: - Rebasing to alpine 3.11.
17.10.19: - Initial Release.

docker-openssh-server's People

Contributors

Stargazers

Watchers

Forkers

luisriverag massimiliano76 manoframa9 justinsantoro thelamer vladimirvivien sandeepk17 agaripian lionel87 dobli sightmachine cedlerouge jszumigaj packetshepard nextpertise ddhp dustyspace wcomartin szewczykmira dangxuanvuong98 0rxa akoscomp kab1r kandarpamalipeddi sunnycapt twitsprout statikx2004 it2911 bboerst elpheria zey-ops stacruzw profiprog musab121 dfandler pascal-de-ladurantaye rp70 tczekajlo talha-01 francescodisalesgithub dexin-qi rafalgoslawski jarulsamy jacopo-j lldm an-nix muradheydarov thinking-research-instruments oxosec pgp-or-d1e vicara-hq crazy-cock kitvv hornos ecomgems ricardosalveti safe2011 pwfoo sdwerwed p3n9u1n wh-forker bellcom metril ramel ashutoshjha786 sumank792 q19316 imkitae bahadrix jrouly sharpe5 khanh-moriaty embasa ab-dragon loesterfranco atmshuvoks frankma17 devotionzhu goyeliseo1 fjkhorasani deebuck scz10 longvh-0770 kenthsieh lawrenceching jiazemin xezpeleta ngaro nidomiro 98m4rc chasebolt d4n13lbc xudesheng hussainjin codeit2009 timothy-cloudopsguy tomaszkrzyzanowski anirbansaha1986 bloodworkxgaming issacnetwon

docker-openssh-server's Issues

Running in Azure Container Instance is broken due to init use

Expected Behavior

ACI container should start and run

Current Behavior

ACI container fails on start with "s6-overlay-suexec: fatal: can only run as pid 1" message.

Steps to Reproduce

Describe a JSON with a container based off linuxserver/openssh-server:latest in Azure Container Instance
Create the ACI instance with "restartPolicy":"Never" to see the log message.

Environment

OS:
CPU architecture: x86_64/arm32/arm64
How docker service was installed:

Command used to create docker container (run/create/compose/screenshot)

Docker logs

Feature Req: add fail2ban or other methods for preventing brute-force

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Feature request: Fail2ban or alternatives might be helpful in preventing brute-force attack attempts.

Feature Request: Google Authenticator/TOTP Support

Desired Behavior

I Currently use a self made docker container based on ubuntu 20.04 and google authenticator pam module for my ssh access.

This docker container would be a perfect replacement if it had support for google authenticator pam module for ssh and importing of the auth secret from a file or command line. Not sure if it could be done via a plugin.

Pam module github: https://github.com/google/google-authenticator-libpam

Current Behavior

No additional auth prompts(MFA)

Alternatives Considered

None tried as of now, suggestions welcome for 2FA/MFA alternatives that do not require a centralized server.

Feature request: add scp (openssh-client package) to the container

Desired Behavior

It is possible to scp files into the openssh server.
This would allow for quickly spinning up a one-off "dropbox" that uses scp, to move large files over the internet.
scp is in openssh-client package.

Current Behavior

Trying to scp file to openssh server results in bash: scp: command not found error

Alternatives Considered

Permission denied when using custom keys

Using custom-generated ssh keys and ssh-ing into a running docker instance yields "Permission denied (publickey,keyboard-interactive)".

Expected Behavior

ssh works.

Steps to Reproduce

Started container, attached to it:

$ cat docker-compose.yaml
---
version: "2.1"
services:
  openssh-server:
    image: ghcr.io/linuxserver/openssh-server
    hostname: openssh-server #optional
    environment:
      - HISTFILE=/root/.history_make_shell
      - PASSWORD_ACCESS=false #optional
      - PGID=1000
      - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
      - PUBLIC_KEY_FILE=/path/to/file #optional
      - PUBLIC_KEY=AAAAB3NzaC1yc2EAAAADAQABAAABgQC/xsm9kvCI00mYVGIpppF37IQlV361wMfEgDdgno+q8Pz11RpmaDcZ3stvQ6CFYpypbkBOiuEo2sW0kYPmaNR91V3C20woR0vwi9DwlkZuYCt/w6kW4wJG8XjCKYu7tQ/Lrzoa28wH+mBflZAmVJu/0ua7MhMFw1AqvQlgd+uwO0LOwWDGTrE5Odds3pBc8XYji9Xjww8tzTT13EwpSLxxrU/Ee5wPWk5bv2IRs6hYS9mympd8+ysiZnxRSs0j3hXRhrru0IocSa8pEtGfCCT0cGl5z77SIEs1wOgRhu9JigkIr/RLjcudpcXm4TmuCVkBCsxz2XZ5lQx2tAKdkboSaBriaw6Bl1V0Kl9YDSoAjx5wxMy4ORhjXJ6pdvSMHnvcWKP9wO+mE+Mscl/VnmOlErKwCIIhOBs/IbqgvcQdlZ3PbtzeJQQDnr+DRs4GN6AbWk1UZecKgLLnT8Yl+hrYtD9RAcrBvHKKpp7HO/B7b9YfOmiSm6fb3VfYGq5MfM8= #optional
      - PUID=1000
      - SUDO_ACCESS=false #optional
      - TZ=Europe/London
      - USER_NAME=root #optional
        #- USER_PASSWORD_FILE=/path/to/file #optional
        #- USER_PASSWORD=password #optional
    volumes:
      - /path/to/appdata/config:/config
      - ~/.history_make_shell:/root/.history_make_shell
      - $PWD/ssh_server/keys:/root/.ssh:ro
      - /tmp/tmp.DJpiNS9kqv:/tmp
    ports:
      - 2222:2222
    restart: unless-stopped

$ docker exec -it 0e804ca039c7 /bin/bash

Generated ssh keys in mounted volume:

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /tmp/id_rsa
Your public key has been saved in /tmp/id_rsa.pub
The key fingerprint is:
SHA256:lCLV4YJP3z+Q8RnBtvH4SLmiXbtT5I1JOnRFKOls8Qw

Copied public key to the docker-compose.yaml PUBLIC_KEY env var.
Tried to ssh using them:

$ ssh -i /tmp/tmp.DJpiNS9kqv/id_rsa -p 2222 [email protected]
[email protected]: Permission denied (publickey,keyboard-interactive).

Question on openssh server container log message

Expected Behavior

I use the openssh-server image with tag: linuxserver/openssh-server@sha256:011f24c3b157113155db3c1b0e76ff2baf9b74fb5bb6541afdbb753ad35 which would be expected work well

Current Behavior

but I found the container logs with I am not sure whether it's a bug or should I ignore it? the point is around this:

│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │

the full log is:

Public key from file added                                                                                                          │
│ chown: changing ownership of '/config/ssh_host_keys/sshd_config': Read-only file system                                             │
│ [cont-init.d] 50-config: exited 0.                                                                                                  │
│ [cont-init.d] 99-custom-files: executing...                                                                                         │
│ [custom-init] no custom files found exiting...                                                                                      │
│ [cont-init.d] 99-custom-files: exited 0.                                                                                            │
│ [cont-init.d] done.                                                                                                                 │
│ [services.d] starting services                                                                                                      │
│ [services.d] done.                                                                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory                                                                  │
│ error: Ignoring openssh because it is writable by group or others.                                                                  │
│ error: stat of /var/log/messages failed: No such file or directory

Steps to Reproduce

the confusing message comes after a long time of normal running.

Environment

OS: official docker images
CPU architecture: x86_64
How docker service was installed:
it's running in kubernetes cluster with containerd engine.

Command used to create docker container (run/create/compose/screenshot)

the deployment yaml is:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2020-08-28T03:12:47Z"
  generateName: ssh-tunnel-d67468d89-
  labels:
    app: openeuler-ssh-tunnel
    component: ssh-tunnel
    pod-template-hash: d67468d89
  name: ssh-tunnel-d67468d89-7rmcg
  namespace: ssh-tunnel
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: ssh-tunnel-d67468d89
    uid: bf25022e-8f6d-11ea-852c-fa163ed7ba7e
  resourceVersion: "79345303"
  selfLink: /api/v1/namespaces/ssh-tunnel/pods/ssh-tunnel-d67468d89-7rmcg
  uid: 5959168d-e8dc-11ea-852c-fa163ed7ba7e
spec:
  containers:
  - env:
    - name: TZ
      value: Asia/Shanghai
    - name: SUDO_ACCESS
      value: "true"
    - name: USER_NAME
      value: root
    - name: PUBLIC_KEY_FILE
      value: /var/sshd/public_keys
    image: linuxserver/openssh-server
    imagePullPolicy: IfNotPresent
    name: sshd-server
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/sshd/public_keys
      name: ssh-secrets
      subPath: public_keys
    - mountPath: /config/ssh_host_keys/sshd_config
      name: ssh-config
      subPath: sshd_config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-p5hm2
      readOnly: true

Docker logs

openssh logs should not be accessible/removable by the user

Expected Behavior

I think it should not be possible for the ssh user to access and/or remove the openssh logs.

Current Behavior

The user is able to access and remove the openssh logs.

Steps to Reproduce

Log in to openssh-server
rm -rf logs

Command used to create docker container (run/create/compose/screenshot)

% pwd                               
/srv/upload-ssh

% cat docker-compose.yml 
---
version: "2.1"
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server
    container_name: openssh-server
    hostname: upload-ssh
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Vienna
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=true
      - USER_PASSWORD=[SNIP]
      - USER_NAME=upload
    volumes:
      - /srv/upload-ssh/config:/config
    ports:
      - 2222:2222
      
% sudo docker-compose up

Docker logs

Release 8.8_p1-r1-ls85 is broken

After upgrading from 8.8_p1-r1-ls84 to 8.8_p1-r1-ls85, image started printing errors to logs, ssh server is not working properly

Could be caused by linuxserver/docker-baseimage-alpine#93

Expected Behavior

Container starts without errors
New SSH connections are established without any issues

lb84 log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing... 
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing... 
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing... 

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing... 
User name is set to user
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 90-custom-folders: executing... 
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Current Behavior

Container prints a lot of errors:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service 00-legacy: starting
s6-rc: info: service 00-legacy successfully started
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/01-envfile
cont-init: info: /etc/cont-init.d/01-envfile exited 0
cont-init: info: running /etc/cont-init.d/01-migrations
[migrations] started
[migrations] no migrations found
cont-init: info: /etc/cont-init.d/01-migrations exited 0
cont-init: info: running /etc/cont-init.d/02-tamper-check
cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
cont-init: info: running /etc/cont-init.d/10-adduser

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

cont-init: info: /etc/cont-init.d/10-adduser exited 0
cont-init: info: running /etc/cont-init.d/50-config
User name is set to user
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 
User/password ssh access is enabled.
cont-init: info: /etc/cont-init.d/50-config exited 0
cont-init: info: running /etc/cont-init.d/90-custom-folders
cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
cont-init: info: running /etc/cont-init.d/99-custom-files
[custom-init] no custom files found exiting...
cont-init: info: /etc/cont-init.d/99-custom-files exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun openssh-server (no readiness notification)
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-rc: info: service legacy-services successfully started
s6-rc: info: service 99-ci-service-check: starting
[ls.io-init] done.
s6-rc: info: service 99-ci-service-check successfully started
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise openssh-server/log (child): fatal: unable to exec run: Permission denied
s6-supervise openssh-server/log: warning: unable to spawn ./run - waiting 10 seconds

After several minutes new SSH connections just stop opening, without any error. SSH client process hangs, and I cannot cancel it with Ctrl+C.
But opened connections are fine.

It looks like sshd.pam process became a zombie:

           1  0.0  0.0    208    68 ?        Ss   16:22   0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
root          15  0.0  0.0    212    60 ?        S    16:22   0:00 s6-supervise s6-linux-init-shutdownd
root          17  0.0  0.0    204     4 ?        Ss   16:22   0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
root          26  0.0  0.0    212    68 ?        S    16:22   0:00 s6-supervise s6rc-oneshot-runner
root          27  0.0  0.0    212    64 ?        S    16:22   0:00 s6-supervise s6rc-fdholder
root          34  0.0  0.0    188     4 ?        Ss   16:22   0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i da
root         133  0.0  0.0    212    60 ?        S    16:22   0:00 s6-supervise openssh-server/log
root         135  0.0  0.0    212    68 ?        S    16:22   0:00 s6-supervise openssh-server
user         137  0.0  0.0   4564  3592 ?        Ss   16:22   0:00 sshd.pam: /usr/sbin/sshd.pam -D -e -p 2222 [listener] 2 of 10-100 startups
user         149  0.0  0.0   4592  3840 ?        Ss   16:23   0:00 sshd.pam: user [priv]
user         151  0.0  0.0   4524  2480 ?        R    16:23   0:00 sshd.pam: user@pts/0
user         152  0.0  0.0   2592  2316 pts/0    Ss   16:23   0:00 -bash
user        2853  0.0  0.0   4584  3768 ?        Ss   16:27   0:00 sshd.pam: user [priv]
user        2854  0.0  0.0      0     0 ?        Z    16:27   0:00 [sshd.pam] <defunct>
user        2862  0.0  0.0   4584  3800 ?        Ss   16:28   0:00 sshd.pam: user [priv]
user        2863  0.0  0.0      0     0 ?        Z    16:28   0:00 [sshd.pam] <defunct>

Steps to Reproduce

Run container using docker run --rm --name testserver -p 2222:2222 --hostname testserver -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e PASSWORD_ACCESS=true -e USER_PASSWORD=password -e USER_NAME=user linuxserver/openssh-server:8.8_p1-r1-ls85, and see error in logs
Try open and close connection until it hang (it usually takes about a minute): set -e; while true; do sshpass -p password ssh localhost -p 2222 -l user date; done

Environment

OS: Manjaro, Linux kernel 5.17.15-1
CPU architecture: x86_64
How docker service was installed: from distro repo

Command used to create docker container (run/create/compose/screenshot)

Docker logs

See above

SUDO ALL for password based auth

Desired Behavior

I think it is a good idea to add

PASSWORD_ACCESS_SUDO_ALL=true

to the config and use it like

if [ "$SUDO_ACCESS" == "true" ]; then
    if [ -n "$USER_PASSWORD" ] || [ -n "$USER_PASSWORD_FILE" -a -f "$USER_PASSWORD_FILE" ]; then
       if [ "$PASSWORD_ACCESS_SUDO_ALL"  == "true" ]; then
           echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
           echo "Sudo is enabled without password."
       else
           echo "${USER_NAME} ALL=(ALL) ALL" >> /etc/sudoers
           echo "Sudo is enabled with password."
       fi
    else
        echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
        echo "Sudo is enabled without password."
    fi
else

I can create a PR for it if it is approved.

Current Behavior

You can have NOPASSWD: ALL only with keys

Alternatives Considered

public_key variable not working

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Expected Behavior

it should accept the public key given under the variable

Current Behavior

the private key is later refused, which means that the public key could not be set...

Steps to Reproduce

disable password login
provide public_key= ssh-rsa AAAA.....
Test with putty

Environment

OS:
CPU architecture: pi4
**How docker service was installed: hypriotOS

Command used to create docker container (run/create/compose/screenshot)

Docker logs

Providing static host keys prevents ssh server startup

Expected Behavior

I want the SSH server to have host keys that do not change when it restarts. This is especially important since I'm running it in a swarm, so it can get moved to a different node any time, which changes the host keys. Hence, I mount SSH keys like so:

# docker-compose.yml
# ...
    configs:
      - source: hostkey
        target: /config/ssh_host_keys/ssh_host_ecdsa_key
        mode: 0600
        uid: "1000"
        gid: "1000"
      - source: hostkeypub
        target: /config/ssh_host_keys/ssh_host_ecdsa_key.pub
        mode: 0644
        uid: "1000"
        gid: "1000"
      - source: hostkey_ed25519
        target: /config/ssh_host_keys/ssh_host_ed25519_key
        mode: 0600
        uid: "1000"
        gid: "1000"
      - source: hostkeypub_ed25519
        target: /config/ssh_host_keys/ssh_host_ed25519_key.pub
        mode: 0644
        uid: "1000"
        gid: "1000"
      - source: hostkey_rsa
        target: /config/ssh_host_keys/ssh_host_rsa_key
        mode: 0600
        uid: "1000"
        gid: "1000"
      - source: hostkeypub_rsa
        target: /config/ssh_host_keys/ssh_host_rsa_key.pub
        mode: 0644
        uid: "1000"
        gid: "1000"

Current Behavior

Unfortunately, when I do this, the openssh server tells me sshd: no hostkeys available -- exiting.

Interestingly, when I omit either of the three key pairs, it works. Then, however, the third pair gets regenerated and causes hostkey checks to fail.

Environment

OS: Ubuntu
CPU architecture: x86_64
How docker service was installed: Official repo

Command used to create docker container (run/create/compose/screenshot)

docker swarm deploy

Docker logs

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to cdn
Sudo is disabled.
ssh-keygen: generating new host keys: DSA
User/password ssh access is disabled.
Public key from env variable added
chown: changing ownership of '/config/ssh_host_keys/ssh_host_rsa_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ed25519_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ecdsa_key.pub': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ed25519_key': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_rsa_key': Read-only file system
chown: changing ownership of '/config/ssh_host_keys/ssh_host_ecdsa_key': Read-only file system
[cont-init.d] 50-config: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

solution for tunnel usage with password

I was trying to use this container to tunnel localhost port to my server running this container

docker run \
  --name=openssh-server \
  -e PUID=0 \
  -e PGID=0 \
  -e TZ=India/Kolkata \
  -e SUDO_ACCESS=false \
  -e PASSWORD_ACCESS=true \
  -e USER_PASSWORD=thoiba \
  -e USER_NAME=tunnel \
  -p 2222:2222 \
  -p 100:1500 \
  --restart unless-stopped \
  linuxserver/openssh-server

and on my local machine

ssh-keygen -f "/home/pi/.ssh/known_hosts" -R [<myserver>]:2222
ssh -f -N -T -R 1500:localhost:80 tunnel@<myserver> -p 2222

then I got the following

The authenticity of host '[<myserver>]:2222 ([<server_ip>]:2222)' can't be established.
ECDSA key fingerprint is SHA256:qcexTtyZlb1+hxUAgjPf5rgTDeeH5uFfs3WSLfHADSU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[free_node.logicbee.dev]:2222' (ECDSA) to the list of known hosts.
Warning: the ECDSA host key for '[<myserver>]:2222' differs from the key for the IP address '[<server_ip>]:2222'
Offending key for IP in /home/pi/.ssh/known_hosts:3
Are you sure you want to continue connecting (yes/no)? yes
tunnel@free_node.logicbee.dev's password: 
Permission denied, please try again.
tunnel@free_node.logicbee.dev's password: 
Permission denied, please try again.
tunnel@free_node.logicbee.dev's password: 
Permission denied (publickey,password,keyboard-interactive).

please help me out

[FEAT] Healthcheck for dockerfile

Is this a new feature request?

I have searched the existing issues

Wanted change

Everything is perfect, just needs a HEALTHCHECK in the dockerfile to report when the ssh server is up and running.

Reason for change

The container runs and State via docker inspect is "Running" before the SSH server actually initiates. This means there's no way to accurately tell when the container is truly ready to serve ssh connections.

Proposed code change

Add a HEALTHCHECK in the docker file.

No stored credential for ghcr.io

as stated in the documentation i have run the commande bellow :

mac@MacBook-Pro-de-mac  ~/mgpuDocker/docker-openssh-server   master  docker build \
  --no-cache \
  --pull \
  -t ghcr.io/linuxserver/openssh-server:latest .

the result is bellow

[+] Building 0.6s (3/3) FINISHED
 => [internal] load build definition from Dockerfile                                                                     0.0s
 => => transferring dockerfile: 1.03kB                                                                                   0.0s
 => [internal] load .dockerignore                                                                                        0.0s
 => => transferring context: 107B                                                                                        0.0s
 => ERROR [internal] load metadata for ghcr.io/linuxserver/baseimage-alpine:3.13                                         0.4s

[internal] load metadata for ghcr.io/linuxserver/baseimage-alpine:3.13:

failed to solve with frontend dockerfile.v0: failed to create LLB definition: rpc error: code = Unknown desc = error getting credentials - err: exit status 1, out: No stored credential for ghcr.io

[BUG] The UMASK environmental variable no longer works

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

Umask is not set after passing the UMASK environmental variable to the container. I believe that this happens because we currently have this section in /etc/ssh/sshd_config:

Subsystem	sftp	internal-sftp

But the sed command used is this:

# set umask for sftp
UMASK=${UMASK:-022}
sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config

For reference:
https://github.com/linuxserver/docker-openssh-server/blob/2aee51f5b40c3fa274c348ed19d5bef982f2399d/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run

Expected Behavior

Umask to be properly set.

Steps To Reproduce

Run the container with -e UMASK=007.
Log in as linuxserver.io.
Run the umask command.

Environment

- OS: Red Hat Enterprise Linux release 8.8 (Ootpa)
- How docker service was installed:
From repository.

CPU architecture

x86-64

Docker creation

podman run --rm -e UMASK=007 -e PASSWORD_ACCESS=true -e USER_PASSWORD=test123 -d --name openssh-server -p 2222:2222 openssh-server:latest

Container logs

[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    911
User GID:    911
───────────────────────────────────────

User name is set to linuxserver.io
sudo is disabled.
ssh-keygen: generating new host keys: RSA ECDSA ED25519
sshd is listening on port 2222
User/password ssh access is enabled.
[custom-init] No custom files found, skipping...
[ls.io-init] done.

[FEAT] How to disable user shell (sftp mode only)

Is this a new feature request?

I have searched the existing issues

Wanted change

Option to disable (change?) user shell

Reason for change

I need some option to disable user login as I run isolated container to only upload files from ShareX.
I tried this hint, but this script executes before user created in the container.

#!/usr/bin/with-contenv bash

echo Disable shell
chsh -s /bin/false user

$ docker compose logs ssh-server
openssh-server  | [migrations] started
openssh-server  | [migrations] no migrations found
openssh-server  | Disable shell
openssh-server  | chsh: user 'user' does not exist
openssh-server  | usermod: no changes
openssh-server  | ───────────────────────────────────────
openssh-server  |
openssh-server  |       ██╗     ███████╗██╗ ██████╗
openssh-server  |       ██║     ██╔════╝██║██╔═══██╗
openssh-server  |       ██║     ███████╗██║██║   ██║
openssh-server  |       ██║     ╚════██║██║██║   ██║
openssh-server  |       ███████╗███████║██║╚██████╔╝
openssh-server  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
openssh-server  |
openssh-server  |    Brought to you by linuxserver.io
openssh-server  | ───────────────────────────────────────
openssh-server  |
openssh-server  | To support LSIO projects visit:
openssh-server  | https://www.linuxserver.io/donate/
openssh-server  |
openssh-server  | ───────────────────────────────────────
openssh-server  | GID/UID
openssh-server  | ───────────────────────────────────────
openssh-server  |
openssh-server  | User UID:    911
openssh-server  | User GID:    911
openssh-server  | ───────────────────────────────────────
openssh-server  |
openssh-server  | User name is set to user
openssh-server  | sudo is disabled.
openssh-server  | sshd is listening on port 2222
openssh-server  | User/password ssh access is enabled.
openssh-server  | [custom-init] No custom files found, skipping...
openssh-server  | [ls.io-init] done.

Proposed code change

No response

[FEAT] Environment variables for remote user

Is this a new feature request?

I have searched the existing issues

Wanted change

To have a way to set up environment variables for the remote SSH user.

Reason for change

As far as can see, env variables which are set for the docker container are not available to the remote user connecting to the container via SSH. This is totally valid from security perspective.

At the same time, I'd like to provide my SSH user with some environment preset. Specifically, some API keys for a software which the user is running inside the container being connected via SSH.

Proposed code change

No response

Feature req: Add option for badusernames

I want to use long username with uppercase characters for container and I got an error now.
useradd with --badnames option works fine.
I don't found where you create user, if you help me, I can try to create a pull request.

Wrong behavior of password/passwordless sudo

Expected Behavior

According to the README:

Setting SUDO_ACCESS to true by itself will allow passwordless sudo. USER_PASSWORD and USER_PASSWORD_FILE allow setting an optional sudo password.

I set USER_NAME=test, SUDO_ACCESS=true and USER_PASSWORD=test007. The expected behavior is "Sudo is enabled with password." in the docker logs and the actual /etc/sudoers:

test ALL=(ALL) ALL

Current Behavior

"Sudo is enabled without password." in the docker logs and the actual /etc/sudoers config:

test ALL=(ALL) NOPASSWD: ALL

Steps to Reproduce

Run the commands below line by line:

docker run -d --name openssh-server -p 2222:2222 -e USER_NAME=test -e USER_PASSWORD=test007 -e PASSWORD_ACCESS=true -e SUDO_ACCESS=true linuxserver/openssh-server:latest
docker logs openssh-server
docker exec -it openssh-server bash
tail -1 /etc/sudoers
sed -n 14,24p /etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
[[ -n "$USER_PASSWORD" ]] || [[ -n "$USER_PASSWORD_FILE" ]] && [[ -f "$USER_PASSWORD_FILE" ]]; echo $?
[[ -n "$USER_PASSWORD" || (-n "$USER_PASSWORD_FILE" && -f "$USER_PASSWORD_FILE") ]]; echo $?

Environment

OS: Archlinux
CPU architecture: x86_64
How docker service was installed: from archlinux official repo

Command used to create docker container (run/create/compose/screenshot)

docker run -d --name openssh-server -p 2222:2222 -e USER_NAME=test -e USER_PASSWORD=test007 -e PASSWORD_ACCESS=true -e SUDO_ACCESS=true linuxserver/openssh-server:latest

Docker logs

[custom-init] No custom services found, skipping...
[migrations] started
[migrations] no migrations found
usermod: no changes

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    911
User gid:    911
-------------------------------------

User name is set to test
Sudo is enabled without password.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 
User/password ssh access is enabled.
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Related to #52. I will submit a pr in a while

Query: Is it possible to login as root from an SSH client

Is it possible to log in as root from an SSH client into this container?
Thanks.

Question about user/password activation

Expected Behavior

To be able to connect with a couple of user/password even if we know it is not the best way to do it.

Current Behavior

We run the container with the minimum of options and we add user directly into with unix command.

Steps to Reproduce

Run the container

docker run -d  \
      --name=openssh-server \
      --hostname=openssh-server  \
       -e PUID=1000  \
       -e PGID=1000   \
       -e TZ=Europe/London -e SUDO_ACCESS=false  \
       -e PASSWORD_ACCESS=true   \
       -e USER_PASSWORD=password \
       -e USER_NAME=linuxserver.io  \
       -p 2222:2222  \
       --restart unless-stopped  \
ghcr.io/linuxserver/openssh-server

Add user into container

docker exec -it openssh-server useradd -m johndoe -pchangeit

Connect via ssh into the container

ssh -p 2222 johdnoe@localhost

Never way to connect

johndoe@localhost's password:
Permission denied, please try again.

Environment

**OS: CentOS 7

[root@centos-s-2vcpu-4gb-fra1-01 ~]# docker version
Client: Docker Engine - Community
 Version:           19.03.14
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        5eb3275d40
 Built:             Tue Dec  1 19:20:42 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.14
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       5eb3275d40
  Built:            Tue Dec  1 19:19:17 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.9
  GitCommit:        ea765aba0d05254012b0b9e595e995c09186427f
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Docker logs

[BUG] Public key files from PUBLIC_KEY_DIR does not get imported

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

/config/.ssh/authorized_keys file get created, but stays empty

Expected Behavior

See public keys from PUBLIC_KEY_DIR in /config/.ssh/authorized_keys

Steps To Reproduce

add path to PUBLIC_KEY_DIR, run docker compose up

Environment

- OS: debian 12.4
- How docker service was installed: official way from docker https://docs.docker.com/engine/install/debian/


root@kosh:/srv/docker/lgsm-vh# ls -la
total 16
drwxr-xr-x 3 root root 4096 Jan  4 20:26 .
drwxr-xr-x 8 root root 4096 Jan  3 19:07 ..
-rw-r--r-- 1 root root  653 Jan  4 20:24 compose.yml
drwxr-xr-x 2 root root 4096 Jan  4 19:53 public_keys
root@kosh:/srv/docker/lgsm-vh# ls -la *
-rw-r--r-- 1 root root  653 Jan  4 20:24 compose.yml

public_keys:
total 12
drwxr-xr-x 2 root root 4096 Jan  4 19:53 .
drwxr-xr-x 3 root root 4096 Jan  4 20:26 ..
-rw-r--r-- 1 root root  396 Jan  4 19:53 michael_plauze.pub



### CPU architecture

x86-64

### Docker creation

```bash
version: "1.0"

volumes:
  vh-data:
    labels:
      - "com.docker.compose.volume.user=username:username" 
services:
  vh-openssh:
    image: linuxserver/openssh-server
    restart: unless-stopped
    volumes:
      - vh-data:/config

    environment:
      - PUBLIC_KEY_DIR=/srv/docker/lgsm-vh/public_keys
      - USER_NAME=username
      - LOG_STDOUT=true
      - TZ=Europe/Berlin
      - PUID=1000
      - PGID=1000

    ports:
      - 12345:2222

Container logs

Attaching to lgsm-vh-vh-openssh-1
lgsm-vh-vh-openssh-1  | [migrations] started
lgsm-vh-vh-openssh-1  | [migrations] no migrations found
lgsm-vh-vh-openssh-1  | ───────────────────────────────────────
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  |       ██╗     ███████╗██╗ ██████╗ 
lgsm-vh-vh-openssh-1  |       ██║     ██╔════╝██║██╔═══██╗
lgsm-vh-vh-openssh-1  |       ██║     ███████╗██║██║   ██║
lgsm-vh-vh-openssh-1  |       ██║     ╚════██║██║██║   ██║
lgsm-vh-vh-openssh-1  |       ███████╗███████║██║╚██████╔╝
lgsm-vh-vh-openssh-1  |       ╚══════╝╚══════╝╚═╝ ╚═════╝ 
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  |    Brought to you by linuxserver.io
lgsm-vh-vh-openssh-1  | ───────────────────────────────────────
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  | To support LSIO projects visit:
lgsm-vh-vh-openssh-1  | https://www.linuxserver.io/donate/
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  | ───────────────────────────────────────
lgsm-vh-vh-openssh-1  | GID/UID
lgsm-vh-vh-openssh-1  | ───────────────────────────────────────
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  | User UID:    1000
lgsm-vh-vh-openssh-1  | User GID:    1000
lgsm-vh-vh-openssh-1  | ───────────────────────────────────────
lgsm-vh-vh-openssh-1  | 
lgsm-vh-vh-openssh-1  | User name is set to username
lgsm-vh-vh-openssh-1  | sudo is disabled.
lgsm-vh-vh-openssh-1  | sshd is listening on port 2222
lgsm-vh-vh-openssh-1  | User/password ssh access is disabled.
lgsm-vh-vh-openssh-1  | [custom-init] No custom files found, skipping...
lgsm-vh-vh-openssh-1  | Server listening on 0.0.0.0 port 2222.
lgsm-vh-vh-openssh-1  | Server listening on :: port 2222.
lgsm-vh-vh-openssh-1  | [ls.io-init] done.
lgsm-vh-vh-openssh-1  | kex_exchange_identification: Connection closed by remote host
lgsm-vh-vh-openssh-1  | Connection closed by 127.0.0.1 port 54422
lgsm-vh-vh-openssh-1  | Connection closed by authenticating user linuxgsm 1.2.3.4 port 45734 [preauth]
lgsm-vh-vh-openssh-1  | Connection closed by authenticating user linuxgsm 1.2.3.4 port 38044 [preauth]

Set the user's home directory

Desired Behavior

Ability to set the user's home directory.

I'd like to use this Docker image to launch SSH microservices in our Docker Swarm and it would be nice if there was a way to set the user's home directory via e.g. an environment variable.

Current Behavior

The home directory is preset to /config and cannot be changed via a dynamic configuration. (At least I could not figure it out)

Alternatives Considered

Tried setting HOME in a Docker YAML file but it has no effect. I also tried setting working_dir but it seems to have no effect either.

sftp-server missing

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Expected Behavior

sftp connection should work

Current Behavior

sftp connection doesn't work

Steps to Reproduce

Connect via SFTP to the server
Also see created sshd_config:
Subsystem sftp /usr/lib/ssh/sftp-server

Fix:
Add "openssh-sftp-server" as Alpine Package

Readme markdown formatting error

In the "Application Setup" section, there is incorrect formatting for the markdown inline code sections. An apostrophe (') is used instead of a backtick (`) around PUBLIC_KEY_DIR (affected lines)

This error is visible in the GitHub repo and in the description of the container in container registries (e.g. Docker Hub).

Ability to forward a port with the -R (reverse) option

Desired Behavior

It would be nice to allow port forwarding in order to use the -R (reverse) option, for example in order to setup a reverse SSH tunnel through a dedicated and isolated docker container instead of through your main system.

Current Behavior

Currently, commands like:

ssh -R 192.168.1.1:2223:localhost:22 -p 2222 [email protected]
(where the docker-openssh-server is running on 192.168.1.1)

return the following error:

Warning: remote port forwarding failed for listen port 2223

Alternatives Considered

I have not found alternative options so far.

Enable Logging, memory issue

Expected Behavior

I try to enable logging. As described, I have enabled logging in sshd_config
SyslogFacility AUTH
LogLevel INFO

and try to follow the logfiles with:
sudo docker-compose logs --follow openssh

I expect the information when someone logs into the server to be shown on the console

Current Behavior

No information after startup in logfiles

Steps to Reproduce

See above

Environment

OS: Ubuntu 20.04
CPU architecture: x86_64/arm32/arm64 I686
How docker service was installed: apt-get install docker-compose

Command used to create docker container (run/create/compose/screenshot)

Docker logs

[FEAT] Rootless mode

Is this a new feature request?

I have searched the existing issues

Wanted change

Possibility to have the server run as a non-root user within the container.

Reason for change

I need to run this in a k8s cluster and we have security policies that by default don't allow pods to run as root. Since this binds to a port that doesn't need to run as root anyway (2222), it should be possible to just run sshd without any permissions at all.

Proposed code change

No response

consider non-interactive key generation for testing purposes

Desired Behavior

I think it would be a great addition to (optionally) start this container ready to serve SSH with generated keys.
Useful in testing where keys and their lifetime doesn't really matter.

Maybe new environment variable that, if set, generates ssh keys via keygen.sh and stores them by default in ~/.ssh/id_rsa ?

possible add root ssh login support

Desired Behavior

possible add ssh root login support? need rsync files with owner / mode / xattr preserved.

Current Behavior

Alternatives Considered

Proxy Jumps now disabled

It used to be possible to use an SSH server running in a container from this image as a proxy jump server as in ssh -J <jump-host> target-host or using a ProxyJump directive in an ./ssh/config.

That seems to be disabled now (getting 'channel 0: open failed: administratively prohibited'). Apparently, the default value for the PermitTunnel directive in /etc/ssh/sshd_config has changed from yes to no.

Expected Behavior

Starting a container using this image, I can run ssh -J <container host> <target host reachable from container> and ssh into the target host through the container.

(alternative to configure ProxyJump in ~/.ssh/config)

Current Behavior

When connecting as above, I get 'channel 0: open failed: administratively prohibited'

Steps to Reproduce

Start server:

[me@my-desk]$ docker run \
  --rm \
  -e USER_PASSWORD=a \
  -e PASSWORD_ACCESS=true \
  -p 2222:2222 \
  ghcr.io/linuxserver/openssh-server

[me@my-desk]$ ssh -J linuxserver.io@localhost:2222 [email protected] 
linuxserver.io@localhost's password: 
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Discussion:

I'm not sure: should this be enabled by default? Should this be another configuration option of this image? Or should users just modify their images or mount custom configs if they need this?

Personally, I do need this functionality.

-e UMASK doesn't apply to sftp transfers

Expected Behavior

When using, -e UMASK=0002, files transfered via sftp should have that umask applied.

Current Behavior

umask for transfered files remains 0022

Steps to Reproduce

Transfer a file via sftp
Look at file permissions

This can be fixed by changing the line
Subsystem sftp /usr/lib/ssh/sftp-server'
to
Subsystem sftp /usr/lib/ssh/sftp-server -u

https://serverfault.com/questions/70876/how-to-put-desired-umask-with-sftp

Environment

OS: unRaid 6.8.3
CPU architecture: x86_64
How docker service was installed: unRaid

What's the best practice for PUBLIC_KEY_FILE

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Expected Behavior

specified PUBLIC_KEY_FILE should be added to /config/.ssh/authorized_keys in the container

Current Behavior

it won't be added since the file only exists in the host machine, or did I miss something?

Steps to Reproduce

docker create --name=openssh-server -e PUBLIC_KEY_FILE=path/to/host/pub/key linuxserver/openssh-server && docker start openssh-server
docker exec openssh-server cat /config/.ssh/authorized_keys

Environment

OS: OSX
CPU architecture: x86_64
How docker service was installed: Docker Desktop on Mac

Command used to create docker container (run/create/compose/screenshot)

as above

Docker logs

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing... 
User name is set to linuxserver.io
Sudo is disabled.
User/password ssh access is disabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Feature Request: add an option for server key

I would like to use this container for CI related to a SSH middleware.
However, it is difficult to use because SSH fingerprint is not constant and changed every after container is recreated.
We have to pass a unique SSH fingerprint to CI scripts.

Desired Behavior

I would like an option like SERVER_FINGERPRINT. This can pass the fingerprint key from the host. It is not changed after a container is recreated.

$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -e SERVER_FINGERPRINT=path/to/key -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh [email protected] -p 2222  -i ~/.ssh/id_ed25519 echo OK
OK
$ docker rm -f ssh
ssh
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -e SERVER_FINGERPRINT=path/to/key -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh [email protected] -p 2222  -i ~/.ssh/id_ed25519 echo OK
OK

Current Behavior

In fact, there is no such option, and when I recreate the container and try to connect to it, we get an error that the key fingerprint is different.

$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh [email protected] -p 2222  -i ~/.ssh/id_ed25519 echo OK
The authenticity of host '[127.0.0.2]:2222 ([127.0.0.2]:2222)' can't be established.
ECDSA key fingerprint is SHA256:(Key fingerprint)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.2]:2222' (ECDSA) to the list of known hosts.
OK
$ docker rm -f ssh
ssh
$ docker run -e USER_NAME=user -e PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)" -p 127.0.0.2:2222:2222 --name=ssh -d ghcr.io/linuxserver/openssh-server
(container UUID)
$ ssh [email protected] -p 2222  -i ~/.ssh/id_ed25519 echo OK
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:(Different finger print)
Please contact your system administrator.
Add correct host key in (home directory)/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in (home directory)/.ssh/known_hosts:(line #)
ECDSA host key for [127.0.0.2]:2222 has changed and you have requested strict checking.
Host key verification failed.

Alternatives Considered

Permissions 0777 for host keys are too open - sshd terminates

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

After creating a new openssh-server container, I couldn't connect to the SSH server with neither the key nor password. The ssh client responded with an error: kex_exchange_identification: read: Connection reset by peer

Opening terminal for the container, I couldn't see sshd running and there was also no service listening on the port 2222. Checking the sshd log file, there were multiple errors for each individual host key file:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

Finished by:

It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.

Indeed, by checking the permissions for host key files in /etc/ssh (or /config/ssh_host_keys), they've been all set to 0777.

By using chmod 0600 ssh_host* for changing the recommended permissions to 0600 (rw by owner) and restarting the container, everything worked as it should.

I don't know if the host keys are generated with those permissions outright, or if it's the combination of my environment (Synology NAS) where I run the container and PUID/PGID of the user I'm setting it to (strictly limited access user), but this was the result for me on the clean run from the latest image (sha256:098b5b04ceb2c43ced28a89ac27bfc073a5c806b96e07a64cbe744584994486e)

Expected Behavior

The container should start with the host keys permissions correctly set to 0600.

Steps To Reproduce

Synology NAS running DSM 7.2.1-69057
Create new project in the Container Manager
Import or create new compose.yaml file with environment variables set as desired
Try to connect

Environment

- OS: Synology NAS running DSM 7.2.1-69057
- How docker service was installed: DSM Package Center

CPU architecture

x86-64

Docker creation

services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: borg_openssh-server
    hostname: openssh-server #optional
    environment:
      - PUID=<user>
      - PGID=<group>
      - TZ=Europe/London
      - PUBLIC_KEY=<key>
#      - PUBLIC_KEY_FILE=/path/to/file #optional
#      - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
#      - PUBLIC_KEY_URL=https://github.com/username.keys #optional
      - SUDO_ACCESS=true #optional
      - PASSWORD_ACCESS=true #optional
      - USER_PASSWORD=<password> #optional
#      - USER_PASSWORD_FILE=/path/to/file #optional
      - USER_NAME=<user> #optional
      - LOG_STDOUT= #optional
    volumes:
      - <path>:/config
    ports:
      - <port>:2222
    restart: unless-stopped

Container logs

See above

Unable to ChrootDirectory

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

Modifying sshd_config with a custom-cont-init.d script to set ChrootDirectory leads to an Connection to *************** closed by remote host. error when trying to SSH/SFTP.

openssh log reads:
server lacks privileges to chroot to ChrootDirectory

Expected Behavior

I should be able to change the default directory I land on when SSHing/SFTPing.

Steps To Reproduce

Bind a volume in the docker-compose.yml containing a shell script that sed the sshd_config file to set ChrootDirectory
(sed -i 's|#ChrootDirectory none|ChrootDirectory [directory]|' /etc/ssh/sshd_config)
Launch the container
Try to SSH into the container

Environment

- OS: Debian 12
- How docker service was installed: official process

CPU architecture

x86-64

Docker creation

...
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUDO_ACCESS=false #optional
      - PASSWORD_ACCESS=true #optional
      - USER_PASSWORD=[password] #optional
      - USER_NAME=[user] #optional
    volumes:
      - ./configs/openssh/custom-cont-init.d:/custom-cont-init.d:ro
      - [named volume]:[directory]
    ports:
      - 2222:2222
    restart: always

Container logs

User name is set to [user]
sudo is enabled with password.
ssh-keygen: generating new host keys: RSA ECDSA ED25519
sshd is listening on port 2222
User/password ssh access is enabled.
[custom-init] Files found, executing
[custom-init] update_sshd_config.sh: executing...
··· Modification de sshd_config ···
[custom-init] update_sshd_config.sh: exited 0
[ls.io-init] done.

Add option

Hi, can you add option for "AllowTcpForwarding yes" with true or false.
thank you

Feature req: modify ssh port

I want to use this container as a temporary bastion host on AWS. I want to deploy it on AWS ECS Fargate where it is not possible to map container ports.

Could you add an option (env variable) to override the default SSH port, so one can connect on a different port? e.g. SSH_PORT=2223

typo: on line 12 and 23 of root/keygen.sh : unkown instead of unknown

See title

how to set 'sshd_conf' config file

docker yaml

  openssh-server:
    image: linuxserver/openssh-server
    container_name: openssh-server
    hostname: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Shanghai
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=true
      - USER_PASSWORD=test
      - USER_NAME=test
    volumes:
      - ./sshd/sshd_config:/etc/ssh/sshd_config:rw

I wanna chan fellow at /etc/ssh/sshd_config to open Forwarding settings;

#AllowAgentForwarding yes
AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding yes
#AllowTcpForwarding no
GatewayPorts yes
#GatewayPorts no
X11Forwarding yes
#X11Forwarding no

Docker logs

[cont-init.d] 50-config: executing...
User name is set to lds
Sudo is disabled.
sed: can't move '/etc/ssh/sshd_configkKOoLI' to '/etc/ssh/sshd_config': Resource busy
rm: cannot remove '/etc/ssh/sshd_config': Resource busy
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
sed: can't move '/etc/ssh/sshd_configoHFmgH' to '/etc/ssh/sshd_config': Resource busy
sed: can't move '/etc/ssh/sshd_configLOHJpF' to '/etc/ssh/sshd_config': Resource busy
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.

[BUG] Unable to start server on kubernetes using shareProcessNamespace with another container

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

I am trying to run the openssh-server as a sidecar in a kubernetes pod using the shareProcessNamespace feature of kubernetes to share pid namespace between 2 containers. On doing this, the openssh-server crashes with the below log line:

s6-overlay-suexec: fatal: can only run as pid 1

I would like to have the ability to run the openssh-server without it requiring to run as pid 1

Expected Behavior

No response

Steps To Reproduce

Environment

- OS:
- How docker service was installed:

CPU architecture

x86-64

Docker creation

NA

Container logs

s6-overlay-suexec: fatal: can only run as pid 1

sftp with root access does not work

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Expected Behavior

set a UID and GID of 0 to a user and have access to files owned by 0

Current Behavior

the server says the password is wrong

Steps to Reproduce

set a user with uid and gid as 0
attempt to login: ssh notroot@host -p 2222
get error Permission denied (publickey,password,keyboard-interactive).

Environment

OS: Debian 10
CPU architecture: x86_64
How docker service was installed: official docker-ce repository for debian

Command used to create docker container (run/create/compose/screenshot)

docker-compose up -d

  sftp:
    image: linuxserver/openssh-server:latest
    environment:
      - PUID=0
      - PGID=0
      - TZ=Europe/London
      - PASSWORD_ACCESS=true
      - USER_PASSWORD=pass
      - USER_NAME=notroot
    volumes:
      - './files:/files'
    ports:
      - "2222:2222"
    restart: unless-stopped

Docker logs

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    0
User gid:    0
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
User name is set to notroot
Sudo is disabled.
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
User/password ssh access is enabled.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

[BUG] grep error in logs

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

I see the following warning/error in container's log:

grep: unrecognized option: ---BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA25ttIxEySnnFFev/t0Qh30zaYQp9bDuvt/uJy5o4IOUUH5Fv0pJ7
KI9pWSp2IPM9WhCw3Dtiwk7Oey9JTTs8rfsWXvfVEFqG/vpDA0bXJtk+UNuwKvHgsp3o4l
KgjFgMI65rOxbo9BYa2kUPCndhyqqh4yrVXTU3TygJBZnY7KmAOT0Q9v35vw2Tut/8gCvW
W7lV/b1rPg3OA9YGY/djZ3PL78B9gi9SHVF79R67zzV8Hw+p1trQtihRd3tsEpp8zXpdFA
3ejs3mVob+GoJUCLk89rjFjQZwkmvRJv18BJ7gEdjlWsYEWWsPYiSKDiTx4VrvM1Ac3TPp
sq40oAQz0O5ZeCjp3cVVHI9WCbOkaSWI3YXsc4KwHBxvuccT26W9o5PPLSNK2n6SIeLeRb
k188KJowNoMmEPdnGGJbBnNN9usSYU/BZF+FAZIb7I1X1D5WesMYOQFj7uzvHHGBg3JB1h
tQ/kGmizj4UvjANl2hhAxhSeFEPdNOclVRUoXQ6LAAAFiIuKYbmLimG5AAAAB3NzaC1yc2
EAAAGBANubbSMRMkp5xRXr/7dEId9M2mEKfWw7r7f7icuaOCDlFB+Rb9KSeyiPaVkqdiDz
PVoQsNw7YsJOznsvSU07PK37Fl731RBahv76QwNG1ybZPlDbsCrx4LKd6OJSoIxYDCOuaz
sW6PQWGtpFDwp3YcqqoeMq1V01N08oCQWZ2OypgDk9EPb9+b8Nk7rf/IAr1lu5Vf29az4N
zgPWBmP3Y2dzy+/AfYIvUh1Re/Ueu881fB8Pqdba0LYoUXd7bBKafM16XRQN3o7N5laG/h
qCVAi5PPa4xY0GcJJr0Sb9fASe4BHY5VrGBFlrD2Ikig4k8eFa7zNQHN0z6bKuNKAEM9Du
WXgo6d3FVRyPVgmzpGkliN2F7HOCsBwcb7nHE9ulvaOTzy0jStp+kiHi3kW5NfPCiaMDaD
JhD3ZxhiWwZzTfbrEmFPwWRfhQGSG+yNV9Q+VnrDGDkBY+7s7xxxgYNyQdYbUP5Bpos4+F
L4wDZdoYQMYUnhRD3TTnJVUVKF0OiwAAAAMBAAEAAAGAfEHzfLYMOKux4neIV1ALwmef4O
yojwcuo/GFxFhcjfBQdJQ8K2+KlCahOzyVXouDGWT8TYCknsEsf/L/jN2Jtf+uZsngGsK+
Q6OjK0V4E5k0c1f61DHMLATBct3Bzec75yyXq/WIliOzyfDtU8S85omp0/m2hGjKBNXoVO
z6Gt7FmJ1+7eJC3+F0x3ZZTsR/I6M4jrwQ5Cm3eeAt+X5PFogkymGmInVYBxLGCqn7JoFi
28hnFxT0pz0k63BAdD5IdqFbV5mpTniwkSxiTfIJhxvtZHI6oz5zCv8Xj7pbpYssjnDhwS
4ErpOodY3cC92VIHHdIKCEAKdYu+vxx7aBhCVvHt1b5xDz2xzRTF0SIp3qrpp5or4YVO4s
QFdDP0pPxdE0qOfo7PH8LFpHBcCqGGRcAD7zRrrkAkIO7FfgGKZRV6v0LPThm7LV0bp5LH
8rNwKgjJoaVqy57ajV5MCdgEUNubBP/cVGKWSHtGEhruUCtCRFV43aI7tMTChIb9PxAAAA
wQDM9+GfZqW+wNQYHd+Vwl+faQPaCCSzyT0gTC9io5PiQ8fnMZaQhSXi91I6F2Ir7ybpex
1R5ld7SLbl4pknjJjWDu93Xm5oe5Rpoz9SYnmyOjMbdj+dRmLjXVfv19PzjvgxMVQyXXnh
710rVsTTGDi1kbX20PSUDzcMjrppLFlBvDiyIROVgUvyFGZdDCmRbEUaF5h7YaLMRroBN0
Ll3C2Du+0fT67c7YSGpujt4ZzXbRugS7X8HXmEoyj9G245cY0AAADBAP3TgUXgpyQAe1Km
rykd9fzkMBz1E91z9L3L1X48tQypPHZT7eO7+YQ6oymrqyG8KVh2aR6VAwMaUPJO6C6NVG
fusUQKj4zNdTpDYEk7hkj6j/DvMxWuwRb/QE3w+XD4J6snmbvBGSodPf8ltC+hcvr1DI2h
FqX+hnY9gzO2ur9TJVwDGT9QJUMPSHE3GV7Bpc34HwE/EWEVnEWcjSR8Q7pqyNldfu3KjK
KLaWn1cud4Z1MIaSvyWkZP+g1r6PNxXwAAAMEA3XzmCzKb3Sr0dA2uvDtZhfmNljVObeI3
8bdCGRpj+Kv9l4hx2hgLNxuUmTCNHhOV+PIEMWIi+HBhIIx946l7RosEwF6Cfg6KJ4WE/m
frGKR+pMh71UMoSQrJLNLOXNUbzZX8dax24oyl5ltUo9cP22rxki5dfmy0u/Qae9lOdLPw
3qJNCrxx6w6S8JDje5c1uK2B9GwoGnGnhHCb9U3QXS84pOxcNnsxTds2Ab1iIyNkzENpXM
Yy00UVt37pHdZVAAAAC21pdGFyQGdhZ2VhAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
BusyBox v1.36.1 (2023-07-06 12:28:44 UTC) multi-call binary.

Usage: grep [-HhnlLoqvsrRiwFE] [-m N] [-A|B|C N] { PATTERN | -e PATTERN... | -f FILE... } [FILE]...

Search for PATTERN in FILEs (or stdin)

	-H	Add 'filename:' prefix
	-h	Do not add 'filename:' prefix
	-n	Add 'line_no:' prefix
	-l	Show only names of files that match
	-L	Show only names of files that don't match
	-c	Show only count of matching lines
	-o	Show only the matching part of line
	-q	Quiet. Return 0 if PATTERN is found, 1 otherwise
	-v	Select non-matching lines
	-s	Suppress open and read errors
	-r	Recurse
	-R	Recurse and dereference symlinks
	-i	Ignore case
	-w	Match whole words only
	-x	Match whole lines only
	-F	PATTERN is a literal (not regexp)
	-E	PATTERN is an extended regexp
	-m N	Match up to N times per file
	-A N	Print N lines of trailing context
	-B N	Print N lines of leading context
	-C N	Same as '-A N -B N'
	-e PTRN	Pattern to match
	-f FILE	Read pattern from file

The container does work as expected later on, there is just this warning/error in logs.

Expected Behavior

There should not be any such error/warning in logs.

Steps To Reproduce

I create keys: ssh-keygen -f test/.ssh/backup_rsa -N ""
I run docker run -d --name openssh -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e USER_NAME=user -e PUBLIC_KEY_DIR=/ssh -p 22:2222 -v "$(pwd)/test/.ssh:/ssh" linuxserver/openssh-server:9.3_p1-r3-ls121
I run docker logs openssh

Environment

- OS: Ubuntu 20.04
- How docker service was installed: `apt-get install docker.io`

CPU architecture

x86-64

Docker creation

`docker run -d --name openssh -e PUID=1000 -e PGID=1000 -e SUDO_ACCESS=true -e USER_NAME=user -e PUBLIC_KEY_DIR=/ssh -p 22:2222 -v "$(pwd)/test/.ssh:/ssh" linuxserver/openssh-server:9.3_p1-r3-ls121`

Container logs

[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗ 
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝ 

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

User name is set to user
sudo is enabled without password.
ssh-keygen: generating new host keys: RSA ECDSA ED25519 
sshd is listening on port 2222
User/password ssh access is disabled.
grep: unrecognized option: ---BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA25ttIxEySnnFFev/t0Qh30zaYQp9bDuvt/uJy5o4IOUUH5Fv0pJ7
KI9pWSp2IPM9WhCw3Dtiwk7Oey9JTTs8rfsWXvfVEFqG/vpDA0bXJtk+UNuwKvHgsp3o4l
KgjFgMI65rOxbo9BYa2kUPCndhyqqh4yrVXTU3TygJBZnY7KmAOT0Q9v35vw2Tut/8gCvW
W7lV/b1rPg3OA9YGY/djZ3PL78B9gi9SHVF79R67zzV8Hw+p1trQtihRd3tsEpp8zXpdFA
3ejs3mVob+GoJUCLk89rjFjQZwkmvRJv18BJ7gEdjlWsYEWWsPYiSKDiTx4VrvM1Ac3TPp
sq40oAQz0O5ZeCjp3cVVHI9WCbOkaSWI3YXsc4KwHBxvuccT26W9o5PPLSNK2n6SIeLeRb
k188KJowNoMmEPdnGGJbBnNN9usSYU/BZF+FAZIb7I1X1D5WesMYOQFj7uzvHHGBg3JB1h
tQ/kGmizj4UvjANl2hhAxhSeFEPdNOclVRUoXQ6LAAAFiIuKYbmLimG5AAAAB3NzaC1yc2
EAAAGBANubbSMRMkp5xRXr/7dEId9M2mEKfWw7r7f7icuaOCDlFB+Rb9KSeyiPaVkqdiDz
PVoQsNw7YsJOznsvSU07PK37Fl731RBahv76QwNG1ybZPlDbsCrx4LKd6OJSoIxYDCOuaz
sW6PQWGtpFDwp3YcqqoeMq1V01N08oCQWZ2OypgDk9EPb9+b8Nk7rf/IAr1lu5Vf29az4N
zgPWBmP3Y2dzy+/AfYIvUh1Re/Ueu881fB8Pqdba0LYoUXd7bBKafM16XRQN3o7N5laG/h
qCVAi5PPa4xY0GcJJr0Sb9fASe4BHY5VrGBFlrD2Ikig4k8eFa7zNQHN0z6bKuNKAEM9Du
WXgo6d3FVRyPVgmzpGkliN2F7HOCsBwcb7nHE9ulvaOTzy0jStp+kiHi3kW5NfPCiaMDaD
JhD3ZxhiWwZzTfbrEmFPwWRfhQGSG+yNV9Q+VnrDGDkBY+7s7xxxgYNyQdYbUP5Bpos4+F
L4wDZdoYQMYUnhRD3TTnJVUVKF0OiwAAAAMBAAEAAAGAfEHzfLYMOKux4neIV1ALwmef4O
yojwcuo/GFxFhcjfBQdJQ8K2+KlCahOzyVXouDGWT8TYCknsEsf/L/jN2Jtf+uZsngGsK+
Q6OjK0V4E5k0c1f61DHMLATBct3Bzec75yyXq/WIliOzyfDtU8S85omp0/m2hGjKBNXoVO
z6Gt7FmJ1+7eJC3+F0x3ZZTsR/I6M4jrwQ5Cm3eeAt+X5PFogkymGmInVYBxLGCqn7JoFi
28hnFxT0pz0k63BAdD5IdqFbV5mpTniwkSxiTfIJhxvtZHI6oz5zCv8Xj7pbpYssjnDhwS
4ErpOodY3cC92VIHHdIKCEAKdYu+vxx7aBhCVvHt1b5xDz2xzRTF0SIp3qrpp5or4YVO4s
QFdDP0pPxdE0qOfo7PH8LFpHBcCqGGRcAD7zRrrkAkIO7FfgGKZRV6v0LPThm7LV0bp5LH
8rNwKgjJoaVqy57ajV5MCdgEUNubBP/cVGKWSHtGEhruUCtCRFV43aI7tMTChIb9PxAAAA
wQDM9+GfZqW+wNQYHd+Vwl+faQPaCCSzyT0gTC9io5PiQ8fnMZaQhSXi91I6F2Ir7ybpex
1R5ld7SLbl4pknjJjWDu93Xm5oe5Rpoz9SYnmyOjMbdj+dRmLjXVfv19PzjvgxMVQyXXnh
710rVsTTGDi1kbX20PSUDzcMjrppLFlBvDiyIROVgUvyFGZdDCmRbEUaF5h7YaLMRroBN0
Ll3C2Du+0fT67c7YSGpujt4ZzXbRugS7X8HXmEoyj9G245cY0AAADBAP3TgUXgpyQAe1Km
rykd9fzkMBz1E91z9L3L1X48tQypPHZT7eO7+YQ6oymrqyG8KVh2aR6VAwMaUPJO6C6NVG
fusUQKj4zNdTpDYEk7hkj6j/DvMxWuwRb/QE3w+XD4J6snmbvBGSodPf8ltC+hcvr1DI2h
FqX+hnY9gzO2ur9TJVwDGT9QJUMPSHE3GV7Bpc34HwE/EWEVnEWcjSR8Q7pqyNldfu3KjK
KLaWn1cud4Z1MIaSvyWkZP+g1r6PNxXwAAAMEA3XzmCzKb3Sr0dA2uvDtZhfmNljVObeI3
8bdCGRpj+Kv9l4hx2hgLNxuUmTCNHhOV+PIEMWIi+HBhIIx946l7RosEwF6Cfg6KJ4WE/m
frGKR+pMh71UMoSQrJLNLOXNUbzZX8dax24oyl5ltUo9cP22rxki5dfmy0u/Qae9lOdLPw
3qJNCrxx6w6S8JDje5c1uK2B9GwoGnGnhHCb9U3QXS84pOxcNnsxTds2Ab1iIyNkzENpXM
Yy00UVt37pHdZVAAAAC21pdGFyQGdhZ2VhAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
BusyBox v1.36.1 (2023-07-06 12:28:44 UTC) multi-call binary.

Usage: grep [-HhnlLoqvsrRiwFE] [-m N] [-A|B|C N] { PATTERN | -e PATTERN... | -f FILE... } [FILE]...

Search for PATTERN in FILEs (or stdin)

	-H	Add 'filename:' prefix
	-h	Do not add 'filename:' prefix
	-n	Add 'line_no:' prefix
	-l	Show only names of files that match
	-L	Show only names of files that don't match
	-c	Show only count of matching lines
	-o	Show only the matching part of line
	-q	Quiet. Return 0 if PATTERN is found, 1 otherwise
	-v	Select non-matching lines
	-s	Suppress open and read errors
	-r	Recurse
	-R	Recurse and dereference symlinks
	-i	Ignore case
	-w	Match whole words only
	-x	Match whole lines only
	-F	PATTERN is a literal (not regexp)
	-E	PATTERN is an extended regexp
	-m N	Match up to N times per file
	-A N	Print N lines of trailing context
	-B N	Print N lines of leading context
	-C N	Same as '-A N -B N'
	-e PTRN	Pattern to match
	-f FILE	Read pattern from file
Public key from file '/ssh/backup_rsa' added
Public key from file '/ssh/backup_rsa.pub' added
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Permission denied (publickey,keyboard-interactive)

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.

Expected Behavior

I expect it makes me start an interactive SSH session with the specified username, after asking for a password.

Current Behavior

It says:
Permission denied (publickey,keyboard-interactive)

Steps to Reproduce

Create the docker image (see below for details)
Start the server with docker start openssh-server
Connect to the server with ssh -l andrea -p 2222 localhost

Environment

OS: MacOS
CPU architecture: x86_64
How docker service was installed:

brew cask install docker

Command used to create docker container (run/create/compose/screenshot)

docker create   --name=openssh-server   \ 
-e PUID=501   -e PGID=20  \
-e TZ=Europe/London  \
-e USER_PASSWORD=andrea  \
-e USER_NAME=andrea \
-p 2222:2222 \
--restart unless-stopped