Skip to content

matzefriedrich/containerssh-authserver

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
.github
.github
 
 
cmd/authserver
cmd/authserver
 
 
docker
docker
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

CI Docker Image CI Coverage Status Go Report Card License GitHub go.mod Go version GitHub Release

containerssh-authserver

containerssh-authserver is a configurable authentication server application designed to work with ContainerSSH as a webhook backend, by implementing the ContainerSSH authentication API . It allows user-specific Docker container profiles to be defined in a simple YAML configuration file, enabling per-user images, shell commands, bind-mounts and network connections.

Prerequisites

  • Go 1.26 or newer (for building from source)
  • Docker 20.10+ (or compatible), with Docker Compose (for the demo), Docker API version 1.41
  • openssl, ssh-keygen

Quick start

The repository comes with an example Docker Compose stack that needs little configuration. Run the following commands to generate the required key material; generated key files are stored in the keys directory:

docker/generate-keys.sh

Assign an SSH public key to a user

Find the public key for the johndoe demo account in keys/johndoe.pem.pub and add it to the publicKeys list of the johndoe user in the authserver configuration file in docker/services/authserver/config.yaml. Of couse, you can add more users at will.

Configure per-user containers

The johndoe demo account uses the alpine:3.21 image, without any additional bind mounts or network connections.

Understand the webhook backend configuration

The containerssh service comes with a minimal configuration file (see docker/services/containerssh/config.yaml that defines the listening port, the backend URLs for the authentication webhook, and the per-user container configuration.

Start the demo stack

Use the following command to build and run containerssh-authserver in conjunction with containerssh:

docker compose -f docker/docker-compose.yml up --build

Once started, you can connect to containerssh as johndoe using the generated private key and get a shell to a container as configured, for instance:

ssh -i docker/keys/johndoe.pem -p 2222 johndoe@localhost

SSH: Too Many Authentication Failures

If you have many keys loaded in ssh-agent, SSH may attempt to authenticate with all of them before using the key you specify with -i. ContainerSSH limits the number of authentication attempts, which can cause the connection to fail before the correct key is tried.

To prevent SSH from offering all agent keys, use the IdentitiesOnly=yes option:

ssh -o IdentitiesOnly=yes -i docker/keys/johndoe.pem -p 2222 johndoe@localhost

This tells SSH to use only the explicitly specified identity file and ignore any keys loaded in ssh-agent.

About

A configurable authentication server for containerssh.

hub.docker.com/r/mobymatze/containerssh-authserver

Topics

go ssh golang authentication containers containerssh

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 5

v0.2.7 Latest
Mar 12, 2026
+ 4 releases

Contributors

Languages