Docker image to create a container exposing an SSH service with chroot features.
Example of usage
Run a container that mounts a Docker host directory as the /home volume, then create every user the container needs, so that each one gets restricted ssh and sftp access to their own /home subdirectory.
List of commands exposed
bash, sh, ls, cp, mv, mkdir, touch, vi, cat, sed, date, bunzip2, bzip2, chmod, egrep, fgrep, grep, gunzip, gzip, ln, more, ping, rm, tar, uname, rsync, scp, clear, perl, curl, wget, basename, pager, git, git-receive-pack, git-shell, git-upload-archive, git-upload-pack
$ git clone https://github.com/shyd/docker-sshd.git ./sshd
$ git clone https://github.com/shyd/docker-ssh-chroot.git ./ssh-chroot
$ docker build -t shyd/sshd ./sshd
$ docker build -t shyd/ssh-chroot ./ssh-chroot
Run the image as a container
$ docker run -d -p 2222:22 -v /path/host:/home --name sshd --privileged shyd/ssh-chroot
- The --privileged option is required to give mount permissions inside the container.
$ docker exec -it sshd /bin/bash
bash@sshd $ /chroot.sh adduser -u soletic -id 10001
The command creates a user soletic and an isolated chroot environment:
- /chroot/soletic : the user's chroot environment
- /chroot/soletic/home : mounting point of /home/soletic
- /home/soletic/.ssh/authorized_keys created
- /chroot/soletic/credentials contains the generated password
If the real home directory of the soletic user is, for example, /home/soletic/volumes/www, run the image with the environment variable CHROOT_USER_HOME_BASEPATH set:
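The layout listed above can be verified after each adduser call. The following POSIX shell function is an added example, not part of the docker-ssh-chroot project: it checks that the four paths exist and that the credentials file and authorized_keys are not exposed to other accounts. The function names, the CHROOT_ROOT / HOME_ROOT override variables and the expected permission policy are assumptions, since the page does not state which modes /chroot.sh sets.

```sh
#!/bin/sh
# Added example (not from the docker-ssh-chroot project): audit the per-user
# layout that "/chroot.sh adduser" is described as creating.
# CHROOT_ROOT / HOME_ROOT are hypothetical overrides; defaults match the README.

# Succeeds if FILE has any of the listed permission bits set (POSIX find).
has_any_bit() {
    f=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$f" -prune -perm "-$bit" -print)" ] && return 0
    done
    return 1
}

audit_chroot_user() {
    user=$1
    jail=${CHROOT_ROOT:-/chroot}/$user
    keys=${HOME_ROOT:-/home}/$user/.ssh/authorized_keys
    creds=$jail/credentials
    rc=0

    [ -d "$jail" ]      || { echo "MISSING chroot: $jail"; rc=1; }
    [ -d "$jail/home" ] || { echo "MISSING mount point: $jail/home"; rc=1; }
    [ -f "$keys" ]      || { echo "MISSING $keys"; rc=1; }
    [ -f "$creds" ]     || { echo "MISSING $creds"; rc=1; }

    # credentials holds the generated password: no group/other access at all
    if [ -f "$creds" ] && has_any_bit "$creds" 040 020 010 004 002 001; then
        echo "EXPOSED $creds is accessible to group/others"; rc=1
    fi
    # a group/world-writable authorized_keys lets another account add a key
    if [ -f "$keys" ] && has_any_bit "$keys" 020 002; then
        echo "WRITABLE $keys is writable by group/others"; rc=1
    fi
    # informational only: the home bind mount may not be active
    if command -v mountpoint >/dev/null 2>&1 && [ -d "$jail/home" ] \
        && ! mountpoint -q "$jail/home"; then
        echo "NOTE $jail/home is not currently a mount point"
    fi
    return $rc
}

# Usage inside the container: sh audit.sh soletic
if [ $# -gt 0 ]; then audit_chroot_user "$1"; fi
```

A non-zero exit status means at least one path is missing or has weaker permissions than the assumed policy; the mount-point line is informational and does not affect the status.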
$ sudo docker run -d -p 2222:22 -v /path/host:/home -e CHROOT_USER_HOME_BASEPATH=/volumes/www --name sshd --privileged soletic/ssh-chroot:latest
The command that creates the user will then mount /home/soletic/volumes/www at /chroot/soletic/home.
$ sudo docker exec -it sshd /bin/bash
bash@sshd $ /chroot.sh deluser -u soletic
The file .sshusers, stored inside the home volume, indexes all users created. If you don't want to lose the list, mount the /home volume from a host directory and back it up often.
If you want to add other commands such as php, mysql or ruby, you can create a new image that extends this one, using its plugin mechanism to set up the chroot environment.
See this repository for an example with php and mysql.
Documentation used to create this Docker image: