Old manual
You are reading the reference manual of an older release. Read the current manual »
The SSH proxy backend
The SSH proxy backend does not launch containers, instead it connects to a second SSH server and forwards the connections to that backend. This allows for using the audit log to inspect SSH traffic, or to dynamically forwarding connections using the configuration webhook.
The base configuration structure¶
The minimum configuration is the following:
backend: sshproxy
sshproxy:
# Add the backend server here
server: 127.0.0.1
# Set the following option to true to reuse the connecting user's username.
usernamePassThrough: true
# Or specify a username manually
username: root
# Specify the password
password: changeme
# Or the private key. This can reference a file or be added directly.
privateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
# Provide all fingerprints of the backing SSH server's host keys:
allowedHostKeyFingerprints:
- SHA256:...
Tip
You can obtain the fingerprints of OpenSSH host keys by running the following script:
for i in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $i; done | cut -d ' ' -f 2
Warning
ContainerSSH does not support passing through passwords or public key authentication to the backing server. We recommend setting up private-public key authentication with the backing server.
Configuration options¶
Option | Type | Description |
---|---|---|
server |
string |
Host name or IP address of the backing SSH server. Required. |
port |
uint16 |
Port number of the backing SSH service. Defaults to 22. |
usernamePassThrough |
bool |
Take username from the connecting client. |
username |
string |
Explicitly set the username to use for the backing connection. Required if usernamePassThrough is false . |
password |
string |
Password to use to authenticate with the backing SSH server. |
privateKey |
string |
Private key to use to authenticate with the backing SSH server. Can be a reference to a file or the private key in PEM or OpenSSH format. |
allowedHostKeyFingerprints |
[]string |
List of SHA256 fingerprints of the backing SSH server. |
ciphers |
[]string |
List of SSH ciphers to use. See Ciphers below. |
kex |
[]string |
List of key exchange algorithms to use. See Key exchange algorithms below. |
macs |
[]string |
List of MAC algorithms to use. See MAC algorithms below. |
hostKeyAlgorithms |
[]string |
List of host key algorithms to request from the backing server. See Host key algorithms below. |
timeout |
string |
Timeout for connecting / retrying the SSH connection. |
clientVersion |
string |
Client version string to send to the backing server. Must be in the format of SSH-protoversion-softwareversion SPACE comments . See RFC 4235 section 4.2. Protocol Version Exchange for details. The trailing CR and LF characters should not be added to this string. |
Ciphers¶
ContainerSSH supports the following ciphers for contacting the backing server. The defaults are configured based on Mozilla Modern suite.
Algorithm | Default |
---|---|
chacha20-poly1305@openssh.com | |
aes256-gcm@openssh.com | |
aes128-gcm@openssh.com | |
aes256-ctr | |
aes192-ctr | |
aes128-ctr | |
aes128-cbc | |
arcfour256 | |
arcfour128 | |
arcfour | |
tripledescbcID |
Key exchange algorithms¶
ContainerSSH supports the following key exchange algorithms for contacting the backing server. The defaults are configured based on Mozilla Modern suite.
Algorithm | Default |
---|---|
curve25519-sha256@libssh.org | |
ecdh-sha2-nistp521 | |
ecdh-sha2-nistp384 | |
ecdh-sha2-nistp256 | |
diffie-hellman-group14-sha1 | |
diffie-hellman-group1-sha1 |
MAC algorithms¶
ContainerSSH supports the following MAC algorithms for contacting the backing server. The defaults are configured based on Mozilla Modern suite.
Algorithm | Default |
---|---|
hmac-sha2-256-etm@openssh.com | |
hmac-sha2-256 | |
hmac-sha1 | |
hmac-sha1-96 |
Host key algorithms¶
ContainerSSH supports the following host key algorithms for verifying the backing server identity.
Algorithm | Default |
---|---|
ssh-rsa-cert-v01@openssh.com | |
ssh-dss-cert-v01@openssh.com | |
ecdsa-sha2-nistp256-cert-v01@openssh.com | |
ecdsa-sha2-nistp384-cert-v01@openssh.com | |
ecdsa-sha2-nistp521-cert-v01@openssh.com | |
ssh-ed25519-cert-v01@openssh.com | |
ssh-rsa | |
ssh-dss | |
ssh-ed25519 |