This example Dockerfile runs a dropbear SSH daemon on Alpine Linux. It creates a system user called myuser and only allows login for that specific user.
FROM alpine:3.17
WORKDIR /app
ENV SSHUSER=myuser
# The SSH user to create
RUN apk --no-cache add dropbear &&\
mkdir -p /home/$SSHUSER/.ssh &&\
adduser -s /bin/sh -D $SSHUSER --home /home/$SSHUSER &&\
chown -R $SSHUSER:$SSHUSER /home/$SSHUSER
CMD ["/bin/sh", "-c", "/usr/sbin/dropbear -RFEwgsjk -G ${SSHUSER} -p 22"]Change the username to your liking.
Build like this:
docker build -t sshtest .
Starting the container
You can run it like this – remember to mount /etc/dropbear to a volume or local directory both for persisting host key files and for storing authorized key files:
docker run -v $(pwd)/dropbear:/etc/dropbear -v $(pwd)/dotssh:/home/myuser/.ssh -it sshtest
Dropbear options
The dropbear options -RFEwgsjk are:
-R: Create hostkeys as required-F: Don’t fork into background-E: Log to stderr rather than syslog-w: Disallow root logins-g: Disable password logins for root-s: Disable password logins-j: Disable local port forwarding-k: Disable remote port forwarding
Setting up public key authentication
First, generate a key pair using
ssh-keygen -t ed25519 -f id_dropbear -N ""
We assume that you have mounted the user’s home .ssh directory in ./dotssh (as in our example, see Starting the container above). You can then copy the pubkey that is generated by ssh-keygen – which is saved in id_dropbear.pub – to the authorized_keys file in the Dropbear SSH directory:
cat id_dropbear.pub | sudo tee -a ./dotssh/authorized_keys
The sudo (in sudo tee) is only required because the dotssh directory is owned by another user.
Connecting to the container
First, you need to find the container’s IP address using the method outline in How to list just container names & IP address(es) of all Docker conatiners. In our example, this IP address is 10.254.1.4. You can then connect to the container using the public key:
ssh -i id_dropbear [email protected]