
Ssh proxy and ssh broker

You can also completely avoid those requirements by setting $MANUAL_AUTH_FILE=true and maintaining the proxy's /etc/ssh/authorized_keys_cache file yourself (e.g. by mounting a file at the same location). In this case, you don't have to mount the Docker socket / Kubernetes config into the container.
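An added example (not code from the ssh-proxy project): a Python check for a hand-maintained `/etc/ssh/authorized_keys_cache`, assuming the file uses standard OpenSSH `authorized_keys` lines. The allowed key types are an assumed local policy, and the sample entries are constructed from fixed bytes, not real keys.

```python
import base64
import hashlib

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed local policy

def parse_entry(line):
    """Return (key_type, fingerprint) for one entry; options may precede the key type."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in ALLOWED_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no allowed key type followed by a key blob")
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    # SSH wire format: uint32 length, then the key type name repeated inside the blob.
    name_len = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + name_len] != fields[idx].encode():
        raise ValueError("declared type does not match type inside blob")
    digest = hashlib.sha256(blob).digest()
    return fields[idx], "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text):
    """Return ({fingerprint: first line number}, [(line number, problem), ...])."""
    seen, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _, fp = parse_entry(line)
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        if fp in seen:
            problems.append((no, f"duplicate of line {seen[fp]}"))
        seen.setdefault(fp, no)
    return seen, problems

def sample_line(raw32, comment, label="ssh-ed25519"):  # constructed entry, not a real key
    blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + raw32
    return f"{label} {base64.b64encode(blob).decode()} {comment}"

SAMPLE = "\n".join([
    "# constructed sample file content",
    sample_line(b"\x01" * 32, "target-a"),
    sample_line(b"\x02" * 32, "target-b"),
    sample_line(b"\x01" * 32, "target-a-copy"),
    "ssh-ed25519 not-base64!! broken",
    sample_line(b"\x03" * 32, "mislabeled", label="ssh-rsa"),
])
```

Running `audit()` over the file before mounting it gives the fingerprints of the keys the proxy would authorize and the line numbers of entries that are malformed, mislabeled or duplicated.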


The target containers must run an SSH server and provide a valid public key. The ssh-proxy container will try to get a key from a target container via a /publickey endpoint (on port 8080, which can be configured via an environment variable); if this does not exist, the ssh-proxy tries to exec into the target container and search for the public key under $SSH_TARGET_KEY_PATH (default: ~/.ssh/id_ed25519.pub). We recommend offering the public key via the /publickey endpoint, as the kubectl exec command can be slow for big clusters.

ℹ️ The SSH proxy accepts an incoming key if it belongs to one of the targets' keys; in other words, the proxy/bastion server authorizes all target public keys. It is still not possible to log in to the proxy directly. The authorization happens only for creating and tunneling the final connection.

The port and hostname of target containers that users are allowed to access can be restricted via environment variables (see configuration section), but the restrictions can be applied only across all targets. In Kubernetes mode, the SSH proxy and the SSH targets must be in the same namespace.

  • 🏗 Use it as a base image in your own Docker image to bring the SSH functionality into it (check out the ml-hub Dockerfile as an example).
  • 🐳 Easy to deploy via Docker and Kubernetes.
  • 📄 Basic access logging based on user logins.
  • 🛠 Full SSH compatibility (port tunneling, scp, sftp, rsync, sshfs).
  • 🔐 Restrict target containers based on port and DNS pattern.
  • 🛡 SSH access to behind-firewall clusters via a single port.

Dockerized SSH bastion to proxy SSH connections to arbitrary containers. This SSH proxy can be deployed as a standalone Docker container that proxies any user SSH connection to arbitrary unexposed containers. This enables users to securely access any container via SSH within a cluster through a single exposed port and provides full SSH compatibility (e.g. port tunneling, scp, sftp, rsync, sshfs, X11). The proxy has a few security features built in to make sure that users can only access target containers that they are allowed to.





