The SSH proxy backend

The SSH proxy backend does not launch containers, instead it connects to a second SSH server and forwards the connections to that backend. This allows for using the audit log to inspect SSH traffic, or to dynamically forwarding connections using the configuration server.

The base configuration structure¶

The minimum configuration is the following:

backend: sshproxy
sshproxy:
  # Add the backend server here
  server: 127.0.0.1
  # Set the following option to true to reuse the connecting user's username.
  usernamePassThrough: true
  # Or specify a username manually
  username: root
  # Specify the password
  password: changeme
  # Or the private key. This can reference a file or be added directly.
  privateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
  # Provide all fingerprints of the backing SSH server's host keys:
  allowedHostKeyFingerprints:
    - SHA256:...

Tip

You can obtain the fingerprints of OpenSSH host keys by running the following script:

for i in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $i; done | cut -d ' ' -f 2

Warning

ContainerSSH does not support passing through passwords or public key authentication to the backing server. We recommend setting up private-public key authentication with the backing server.

Configuration options¶

Option	Type	Description
`server`	`string`	Host name or IP address of the backing SSH server. Required.
`port`	`uint16`	Port number of the backing SSH service. Defaults to 22.
`usernamePassThrough`	`bool`	Take username from the connecting client.
`username`	`string`	Explicitly set the username to use for the backing connection. Required if `usernamePassThrough` is `false`.
`password`	`string`	Password to use to authenticate with the backing SSH server.
`privateKey`	`string`	Private key to use to authenticate with the backing SSH server. Can be a reference to a file or the private key in PEM or OpenSSH format.
`allowedHostKeyFingerprints`	`[]string`	List of SHA256 fingerprints of the backing SSH server.
`ciphers`	`[]string`	List of SSH ciphers to use. See Ciphers below.
`kex`	`[]string`	List of key exchange algorithms to use. See Key exchange algorithms below.
`macs`	`[]string`	List of MAC algorithms to use. See MAC algorithms below.
`hostKeyAlgorithms`	`[]string`	List of host key algorithms to request from the backing server. See Host key algorithms below.
`timeout`	`string`	Timeout for connecting / retrying the SSH connection.
`clientVersion`	`string`	Client version string to send to the backing server. Must be in the format of `SSH-protoversion-softwareversion SPACE comments`. See RFC 4235 section 4.2. Protocol Version Exchange for details. The trailing CR and LF characters should not be added to this string.

Ciphers¶

ContainerSSH supports the following ciphers for contacting the backing server. The defaults are configured based on Mozilla Modern suite.

Algorithm	Default
chacha20-poly1305@openssh.com
aes256-gcm@openssh.com
aes128-gcm@openssh.com
aes256-ctr
aes192-ctr
aes128-ctr
aes128-cbc
arcfour256
arcfour128
arcfour
tripledescbcID

Key exchange algorithms¶

ContainerSSH supports the following key exchange algorithms for contacting the backing server. The defaults are configured based on Mozilla Modern suite.

Algorithm	Default
curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

MAC algorithms¶

ContainerSSH supports the following MAC algorithms for contacting the backing server. The defaults are configured based on Mozilla Modern suite.

Algorithm	Default
hmac-sha2-256-etm@openssh.com
hmac-sha2-256
hmac-sha1
hmac-sha1-96

Host key algorithms¶

ContainerSSH supports the following host key algorithms for verifying the backing server identity.

Algorithm	Default
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ssh-ed25519