
The SSH proxy backend

The SSH proxy backend does not launch containers. Instead, it connects to a second SSH server and forwards the connections to that backend. This allows using the audit log to inspect SSH traffic, or dynamically forwarding connections using the configuration webhook.

The base configuration structure

The minimum configuration is the following:

backend: sshproxy
sshproxy:
  # Add the backend server here
  server: 127.0.0.1
  # Set the following option to true to reuse the connecting user's username.
  usernamePassThrough: true
  # Or specify a username manually
  username: root
  # Specify the password
  password: changeme
  # Or the private key. This can reference a file or be added directly.
  privateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
  # Provide all fingerprints of the backing SSH server's host keys:
  allowedHostKeyFingerprints:
    - SHA256:...

Tip

You can obtain the fingerprints of OpenSSH host keys by running the following script:

for i in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f "$i"; done | cut -d ' ' -f 2

Warning

ContainerSSH does not support passing through passwords or public key authentication to the backing server. We recommend setting up private-public key authentication with the backing server.

Configuration options

| Option | Type | Description |
|---|---|---|
| server | string | Host name or IP address of the backing SSH server. Required. |
| port | uint16 | Port number of the backing SSH service. Defaults to 22. |
| usernamePassThrough | bool | Take the username from the connecting client. |
| username | string | Explicitly set the username to use for the backing connection. Required if usernamePassThrough is false. |
| password | string | Password to use to authenticate with the backing SSH server. |
| privateKey | string | Private key to use to authenticate with the backing SSH server. Can be a reference to a file or the private key in PEM or OpenSSH format. |
| allowedHostKeyFingerprints | []string | List of SHA256 fingerprints of the backing SSH server's host keys. |
| ciphers | []string | List of SSH ciphers to use. See Ciphers below. |
| kex | []string | List of key exchange algorithms to use. See Key exchange algorithms below. |
| macs | []string | List of MAC algorithms to use. See MAC algorithms below. |
| hostKeyAlgorithms | []string | List of host key algorithms to request from the backing server. See Host key algorithms below. |
| timeout | string | Timeout for connecting to / retrying the SSH connection. |
| clientVersion | string | Client version string to send to the backing server. Must be in the format SSH-protoversion-softwareversion SPACE comments. See RFC 4253 section 4.2 (Protocol Version Exchange) for details. The trailing CR and LF characters should not be added to this string. |
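As an added example (not part of the ContainerSSH documentation or code base), the following Python script checks a parsed sshproxy section against the rules stated in the table above and computes a backing server's SHA256 host key fingerprint the same way `ssh-keygen -l` does, so it can be compared against allowedHostKeyFingerprints. The public key line and the configuration dictionary it uses are constructed samples; the function names are this example's own.

```python
"""Check an sshproxy config section and host key fingerprints (added example, not ContainerSSH code)."""
import base64
import hashlib
import re

# Shape of the fingerprints ssh-keygen -l prints: "SHA256:" + 43 base64 chars, no '=' padding.
FP_RE = re.compile(r"^SHA256:[A-Za-z0-9+/]{43}$")

# Constructed sample: an OpenSSH ed25519 public key line with a dummy 32-byte key (NOT a real key).
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " backend (constructed)"


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, formatted as ssh-keygen -l prints it."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def validate_sshproxy(cfg: dict) -> list:
    """Return the problems found in a parsed `sshproxy:` section (empty list means it looks sane)."""
    problems = []
    if not cfg.get("server"):
        problems.append("server is required")
    port = cfg.get("port", 22)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be a uint16 in 1..65535")
    if not cfg.get("usernamePassThrough") and not cfg.get("username"):
        problems.append("username is required when usernamePassThrough is false")
    if not cfg.get("password") and not cfg.get("privateKey"):
        problems.append("password or privateKey must be set: client credentials are not passed through")
    fps = cfg.get("allowedHostKeyFingerprints") or []
    if not fps:
        problems.append("allowedHostKeyFingerprints must list every host key of the backing server")
    problems += [f"malformed fingerprint {fp!r}" for fp in fps if not FP_RE.match(str(fp))]
    return problems


def host_key_allowed(pubkey_line: str, cfg: dict) -> bool:
    """True if the backing server's host key fingerprint is in allowedHostKeyFingerprints."""
    return fingerprint_sha256(pubkey_line) in (cfg.get("allowedHostKeyFingerprints") or [])
```

Feed validate_sshproxy the sshproxy mapping from your parsed YAML, and pass each line of the backing server's ssh_host_*.pub files to host_key_allowed to confirm every host key is covered.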

Ciphers

ContainerSSH supports the following ciphers for contacting the backing server. The defaults are configured based on the Mozilla Modern suite.

Algorithm Default
chacha20-poly1305@openssh.com
aes256-gcm@openssh.com
aes128-gcm@openssh.com
aes256-ctr
aes192-ctr
aes128-ctr
aes128-cbc
arcfour256
arcfour128
arcfour
tripledescbcID

Key exchange algorithms

ContainerSSH supports the following key exchange algorithms for contacting the backing server. The defaults are configured based on the Mozilla Modern suite.

Algorithm Default
curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

MAC algorithms

ContainerSSH supports the following MAC algorithms for contacting the backing server. The defaults are configured based on the Mozilla Modern suite.

Algorithm Default
hmac-sha2-256-etm@openssh.com
hmac-sha2-256
hmac-sha1
hmac-sha1-96

Host key algorithms

ContainerSSH supports the following host key algorithms for verifying the backing server's identity.

Algorithm Default
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ssh-ed25519