This demonstrates how to create an SSH certificate authority and configure sshd to accept SSH certificates signed by it.
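# syntax=docker/dockerfile:1
# Pinned release instead of :latest so the image (and sshd's packaged defaults) is reproducible.
FROM ubuntu:24.04

# update + install in one layer so the package index is never stale, then drop the index
# so it does not persist in the image. /var/run/sshd is sshd's privilege-separation directory.
RUN apt-get update \
    && apt-get install -y --no-install-recommends openssh-server \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /var/run/sshd

# Generate a Certificate Authority.
# NOTE: the CA *private* key (no passphrase) stays inside the image only because this demo
# signs client keys with `docker exec ... ssh-keygen -s /cert_authority`. A real CA key
# belongs on a separate, access-controlled signing host, never in an image layer.
RUN ssh-keygen -q -t ed25519 -f /cert_authority -N '' \
    && cp /cert_authority.pub /etc/ssh/trusted_user_ca.pub

# Sign the host key. `ssh-keygen -A` creates any host key the package did not already
# generate. ssh-keygen -s writes the certificate next to the key as
# ssh_host_ed25519_key-cert.pub; sshd must be pointed at that file, not at the plain
# public key, otherwise it logs "Could not load host certificate" and serves no cert.
# `sshd -t` validates the resulting config at build time instead of at first connection.
RUN ssh-keygen -A \
    && ssh-keygen -s /cert_authority -I "Host key" -h /etc/ssh/ssh_host_ed25519_key.pub \
    && printf '%s\n' \
        "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" \
        "TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub" \
        >> /etc/ssh/sshd_config \
    && /usr/sbin/sshd -t

# sshd must start as root (binds port 22, switches to the login user per session),
# so there is deliberately no USER directive. Without a CMD the container would just
# run the base image's shell and nothing would listen on 22.
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]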
# Build the image and start a container, publishing host port 2222 to sshd's port 22.
docker build --file Dockerfile --tag ssh:latest .
docker run --publish 2222:22 --interactive --tty --name ssh --detach ssh
# Scratch directory for the client key pair; it is deleted again at the end of the walkthrough.
mkdir temp
cd temp
ssh-keygen -q -t ed25519 -N '' -f ./client
Push the client's public key into the container, have the certificate authority sign it into a client certificate, and pull the certificate back.
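key=$(cat client.pub)
docker exec ssh /bin/bash -c "echo '$key' > /client.pub"
# Sign the client key as a user certificate: principal "root", valid from 5 minutes ago for one day.
docker exec ssh /bin/bash -c "ssh-keygen -s /cert_authority -I 'client key' -n root -V -5m:+1d /client.pub"
docker exec ssh cat /client-cert.pub > ./client-cert.pub
# Trust host certificates issued by the CA instead of disabling host-key checking, so the
# host certificate signed in the Dockerfile is actually verified. "[localhost]:2222" is how
# ssh names a host on a non-default port in known_hosts.
printf '@cert-authority [localhost]:2222 %s\n' "$(docker exec ssh cat /cert_authority.pub)" > ./known_hosts
ssh-agent /bin/bash
# ssh-add also picks up ./client-cert.pub, so the certificate is offered with the key.
ssh-add ./client
# No -A: the root session inside the container has no need to reach the local ssh-agent.
ssh -p 2222 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts root@localhost 'hostname ; whoami ; uptime'
cd ..
rm -rf temp
docker stop ssh
docker rm ssh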