35 lines
1.4 KiB
Markdown
35 lines
1.4 KiB
Markdown
# SSH entrypoint with yubikey OTP support
|
|
|
|
This docker container runs a sshd instance which is exposed through TCP 443. It can be a nice and secure way into your network.
|
|
|
|
Since this is the only TCP service I expose, traefik handles this automagically while also routing SSL HTTPS traffic the normal way.
|
|
|
|
The image is a modified version of https://github.com/Hermsi1337/docker-sshd which has been made to work with yubikey OTP certification and allow for personalized `.ssh/config` files to be loaded.
|
|
|
|
### ENV variable `SSH_USERS`
|
|
|
|
`SSH_USERS` contain a comma separates lists of username:UID:GUI that will be allowed to login.
|
|
|
|
Ex:
|
|
|
|
`SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`
|
|
|
|
### ENV variables `YUBICO_API_ID`, `YUBICO_API_KEY`
|
|
Get API ID and Key from here: [here](https://upgrade.yubico.com/getapikey/)
|
|
|
|
### Key files
|
|
|
|
The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.
|
|
|
|
- A file named `myuser` will be copied to `/home/myuser/.ssh/authorized_keys`
|
|
- A file named `myuser.config` will be copied to `/home/myuser/.ssh/config`
|
|
- A file name `myuser.yubi` will be copied to `/home/myuser/.yubico/authorized_yubikeys`
|
|
|
|
The format of the `.yubi` file is your username followed by a list of the first 12 characters from any OTP from all of your yubikeys, all separated by `:`s. E.g.:
|
|
|
|
```yaml
|
|
myuser:cccccccgklgc:ccccccclabca:
|
|
```
|
|
|
|
# [The rest of my docker-compose setup](/thomas/docker-server/)
|