# SSH entrypoint with yubikey OTP support

This docker container runs a sshd instance which is exposed through TCP 443. It can be a nice and secure way into your network.

Since this is the only TCP service I expose, traefik handles this automagically while also routing SSL HTTPS traffic the normal way.

The image is a modified version of https://github.com/Hermsi1337/docker-sshd which has been made to work with yubikey OTP certification and allow for personalized `.ssh/config` files to be loaded.

### ENV variable `SSH_USERS`

`SSH_USERS` contain a comma separates lists of username:UID:GUI that will be allowed to login.

Ex:

`SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`

### Key files

The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.

- A file named `myuser` will be copied to `/home/myuser/.ssh/authorized_keys`
- A file named `myuser.config` will be copied to `/home/myuser/.ssh/config`
- A file name `myuser.yubi` will be copied to `/home/myuser/.yubico/authorized_yubikeys`

The format of the `.yubi` file is your username followed by a list of the first 12 characters from any OTP from all of your yubikeys, all separated by `:`s. E.g.:

```yaml
myuser:cccccccgklgc:ccccccclabca:
```

# [The rest of my docker-compose setup](/thomas/docker-server/)