2025-04-05 16:24:05 +02:00
2021-09-04 22:37:12 +02:00

SSH entrypoint with yubikey OTP support

This Docker container runs an sshd instance that is exposed on TCP 443. It can be a nice and secure way into your network.

Since this is the only raw TCP service I expose, Traefik handles it automagically while also routing SSL/HTTPS traffic the normal way.

The image is a modified version of https://github.com/Hermsi1337/docker-sshd, adapted to work with YubiKey OTP authentication and to load personalized .ssh/config files.

ENV variable SSH_USERS

SSH_USERS contains a comma-separated list of username:UID:GID entries for the accounts that will be allowed to log in.

Example:

SSH_USERS=myuser:1000:1000,anotheruser:1001:1001
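As an added example (not the project's own entrypoint code), the following POSIX sh function parses an SSH_USERS value of that shape and rejects entries an entrypoint should never turn into accounts: malformed fields, non-numeric IDs, names with characters outside the usual useradd rules, UID 0 and duplicates. The function name and the checks are my own; the README only specifies the format.

```shell
#!/bin/sh
# Added example: validate SSH_USERS (user:UID:GID,user:UID:GID,...) before
# any account is created. Prints one "user uid gid" line per valid entry and
# returns 1 if any entry was rejected, so the entrypoint can refuse to start
# instead of silently creating a partial or wrong set of accounts.
ssh_users_parse() {
    _rc=0
    _seen=" "
    _oldifs="$IFS"
    IFS=','
    set -- $1
    IFS="$_oldifs"
    for _entry in "$@"; do
        [ -z "$_entry" ] && continue            # tolerate "a:1:1,,b:2:2"
        _oldifs="$IFS"; IFS=':'; set -- $_entry; IFS="$_oldifs"
        if [ $# -ne 3 ]; then
            echo "SSH_USERS: need user:uid:gid, got '$_entry'" >&2; _rc=1; continue
        fi
        _user=$1; _uid=$2; _gid=$3
        # Username: lowercase letter or underscore first, then [a-z0-9_-].
        case "$_user" in
            [a-z_]*) ;;
            *) echo "SSH_USERS: bad username '$_user'" >&2; _rc=1; continue ;;
        esac
        case "$_user" in
            *[!a-z0-9_-]*) echo "SSH_USERS: bad username '$_user'" >&2; _rc=1; continue ;;
        esac
        # UID and GID must each be a non-empty run of digits.
        case "$_uid" in ''|*[!0-9]*) echo "SSH_USERS: bad uid in '$_entry'" >&2; _rc=1; continue ;; esac
        case "$_gid" in ''|*[!0-9]*) echo "SSH_USERS: bad gid in '$_entry'" >&2; _rc=1; continue ;; esac
        if [ "$_uid" -eq 0 ]; then
            echo "SSH_USERS: refusing to create '$_user' with uid 0" >&2; _rc=1; continue
        fi
        case "$_seen" in
            *" $_user "*) echo "SSH_USERS: duplicate user '$_user'" >&2; _rc=1; continue ;;
        esac
        _seen="$_seen$_user "
        printf '%s %s %s\n' "$_user" "$_uid" "$_gid"
    done
    return $_rc
}

# Demo on a constructed value (the README's own example); a real entrypoint
# would read "$SSH_USERS" here and run useradd/adduser for each line.
example_users='myuser:1000:1000,anotheruser:1001:1001'
ssh_users_parse "$example_users" | while read -r user uid gid; do
    echo "would create account: user=$user uid=$uid gid=$gid"
done
```

Because the function only prints what it accepted and signals rejection through its exit status, it can be wired in front of the real account-creation loop with `ssh_users_parse "$SSH_USERS" > /tmp/users || exit 1`.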

ENV variables YUBICO_API_ID, YUBICO_API_KEY

Get API ID and Key from here: here

Key files

The directory mapped to /conf.d/authorized_keys contains the per-user authorized_keys files, authorized YubiKey lists and ssh config files.

  • A file named myuser will be copied to /home/myuser/.ssh/authorized_keys
  • A file named myuser.config will be copied to /home/myuser/.ssh/config
  • A file named myuser.yubi will be copied to /home/myuser/.yubico/authorized_yubikeys
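The copy step is simple, but sshd with StrictModes (the default) refuses authorized_keys that are group- or world-writable, so the permissions on the destination matter as much as the copy itself. Here is an added POSIX sh example, not the project's entrypoint, that stages the three files described above for one user; the source and home directories are parameters so it can be exercised against a scratch directory, and the function name is my own.

```shell
#!/bin/sh
# Added example: install the per-user files from the mapped conf directory
# into the user's home with the permissions sshd's StrictModes expects.
# Missing source files are simply skipped (not every user has a .config or
# a .yubi file), and existing-but-wrong permissions are corrected.

# _install_file SRC DST MODE: copy SRC to DST if SRC exists and fix its mode.
_install_file() {
    if [ -f "$1" ]; then
        cp "$1" "$2" && chmod "$3" "$2" && printf '%s -> %s\n' "$1" "$2"
    fi
}

# stage_user_files CONF_DIR HOME_ROOT USER
# e.g. stage_user_files /conf.d/authorized_keys /home myuser
stage_user_files() {
    _conf="$1" _root="$2" _user="$3"
    _home="$_root/$_user"
    mkdir -p "$_home/.ssh" "$_home/.yubico"
    # sshd ignores keys when the home, .ssh dir or key file are writable by others.
    chmod 700 "$_home" "$_home/.ssh" "$_home/.yubico"
    _install_file "$_conf/$_user"        "$_home/.ssh/authorized_keys"        600
    _install_file "$_conf/$_user.config" "$_home/.ssh/config"                 600
    _install_file "$_conf/$_user.yubi"   "$_home/.yubico/authorized_yubikeys" 600
    # Hand the tree to the account once it exists; in a dry run against a
    # scratch directory there is no such user, so this step is skipped.
    if id "$_user" >/dev/null 2>&1; then
        chown -R "$_user" "$_home" 2>/dev/null || true
    fi
}
```

Running it after the accounts have been created (so the chown takes effect) keeps the copy and the permission fix in one place; a user whose conf file is absent simply ends up with an empty .ssh directory and no key-based login.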

The format of the .yubi file is your username followed by the first 12 characters (the public ID) of an OTP from each of your YubiKeys, all separated by colons. E.g.:

myuser:cccccccgklgc:ccccccclabca:

The rest of my docker-compose setup
