How to SSH into a Docker Container

Published October 24, 2024

When working with Docker containers in a corporate environment, there are times when you need direct access to your containers. While Docker provides powerful built-in commands, SSH access can be invaluable for certain scenarios. This guide will show you how to set up SSH access to your Docker containers securely and effectively.

Why would you SSH into a Docker container?

Connecting to a Docker container via SSH simplifies many administration tasks, saving you time. More than just a convenience, it’s a practical way to streamline workflows, aid in troubleshooting, enhance collaboration, and even align with corporate security measures.

SSH (Secure Shell) lets you administer systems securely and transfer files over untrusted networks. A Docker container, on the other hand, is a software package that bundles your application's code, its dependencies, and environment settings in a lightweight, standalone form that makes it easier to run.

There are several scenarios where SSH access is preferable:

  1. Remote Access
    When you need to access containers across networks or from different locations, SSH provides a secure and standardized way to do so. This is particularly useful in distributed environments where containers might be running on different hosts or cloud providers.

  2. Debugging Production Issues
    When logs aren't enough, SSH access lets you interactively explore the container's environment. Imagine debugging a production issue - you might need to check running processes, investigate file system issues, or run diagnostic commands.

  3. Software Configuration
    When installing or configuring software inside a container, you sometimes need to test configurations interactively. While you can rebuild the image repeatedly, it's tedious and time-consuming. SSH lets you tweak things on the fly, test them, and only update the Dockerfile once you know everything works.

  4. Team Collaboration
    Having standardized SSH access helps with team collaboration. Team members can guide each other through processes or troubleshoot issues directly.

  5. Corporate Security Compliance
    In enterprise networks, security policies often play a significant role. Sometimes setting up SSH is necessary to comply with these policies while maintaining direct access to containers. For example, IT might already have monitoring and access control systems based around SSH, making it easier to integrate Docker containers into existing infrastructure.

Security considerations when SSHing into a Docker Container

Use a strong, unique SSH key

When SSHing into a Docker container within corporate networks, security is paramount. One of the first things you need to consider is SSH key management. Always use strong, unique SSH keys.

Avoid using password-based authentication as it's more vulnerable to brute-force attacks. Ensure that your private keys are securely stored and never shared. For instance, you can use tools like `ssh-agent` to manage your keys more securely on your local machine.

Restrict SSH access

Only authorized users should have SSH access to Docker containers. Use network policies to limit which IP addresses can access your container over SSH.

For example, configure your firewalls and security groups to allow SSH connections only from trusted IP addresses. This reduces the attack surface and helps prevent unauthorized access.

Keep your Docker images up to date

Using outdated images can expose you to known vulnerabilities. Regularly update your images and rebuild your containers to include the latest security patches. Tools like Dependabot or Snyk can help automate this process by notifying you of vulnerabilities in your dependencies.

Monitor and log SSH access

Implement logging to track who is accessing your containers and when. Use logging tools like `syslog` or centralized logging solutions such as the ELK stack (Elasticsearch, Logstash, and Kibana) to collect and analyze SSH logs. 

For example, you can configure your Docker container to send SSH access logs to a centralized logging server for easier monitoring and auditing.

Use a bastion host as an intermediary

Instead of allowing direct SSH access to your Docker containers, use a bastion host as an intermediary. This adds an additional layer of security by concentrating SSH access in a single, hardened entry point. Ensure that the bastion host itself is secure, with minimal software installed and regularly updated.

Encrypt sensitive data

Any data transmitted over SSH should be encrypted. The SSH protocol handles this inherently, but ensure that your SSH server configuration enforces strong encryption standards.

Avoid deprecated algorithms and ciphers. For instance, configure your SSH server to use only the strongest algorithms, like `aes256-gcm@openssh.com` for encryption and `hmac-sha2-512` for data integrity.

Don’t expose SSH in your Dockerfile

Hardcoding SSH server configurations or keys in your Dockerfile can lead to security risks. Instead, handle these configurations at runtime using environment variables or Docker secrets. This way, sensitive information is not stored in your image and is less likely to be exposed.

Remove SSH access when it’s not needed

If you don't need to SSH into your containers, it's best to disable SSH access altogether. This minimizes potential entry points for attackers. For troubleshooting and management, consider using `docker exec` for command-line access instead of SSH, as it provides a more controlled and secure way to interact with your containers.

How to SSH into a Docker container

Method 1: Password Authentication

Step 1: Create the Dockerfile

FROM ubuntu:latest
ENV DEBIAN_FRONTEND=noninteractive

# Install SSH server
RUN apt-get update && apt-get install -y openssh-server

# Configure SSH: sshd needs this privilege-separation directory to exist
RUN mkdir /var/run/sshd
# Set the root password. Note: this bakes the password into an image layer
# (see "Don't expose SSH in your Dockerfile" above); Method 2 avoids it.
RUN echo 'root:your_password' | chpasswd

# Allow root login with a password (the OpenSSH default only permits keys)
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

# SSH login fix: pam_loginuid cannot set the audit loginuid inside a
# container, so make it optional instead of required
RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd

EXPOSE 22
# Run sshd in the foreground so it stays PID 1 and the container keeps running
CMD ["/usr/sbin/sshd", "-D"]


Let's understand what this Dockerfile does:

The first two lines set up our base environment:

  • We use Ubuntu as our base image
  • DEBIAN_FRONTEND=noninteractive prevents package installation prompts

The SSH server installation block:

  • Updates the package list to ensure we get the latest version
  • Installs the OpenSSH server package

The SSH configuration section:

  • Creates the necessary directory for SSH to run
  • Sets up a root password (replace 'your_password' with your chosen password)
  • Modifies SSH config to allow root login with password
  • Adjusts PAM settings to work properly in a container environment

Finally, we:

  • Open port 22 for SSH connections
  • Start the SSH daemon when the container launches

Step 2: Build and Run

# Build the image
docker build -t ubuntu-ssh .

# Run the container
docker run -d -p 2222:22 --name my-ssh-container ubuntu-ssh

Step 3: Connect

ssh root@localhost -p 2222

Method 2: SSH Key Authentication

Step 1: Generate SSH Keys

ssh-keygen -t ed25519 -f ~/.ssh/docker_rsa

Step 2: Create Proper Directory Structure

mkdir keys
cat ~/.ssh/docker_rsa.pub > keys/authorized_keys

Step 3: Create the Secure Dockerfile

FROM ubuntu:latest
ENV DEBIAN_FRONTEND=noninteractive

# Install SSH server
RUN apt-get update && apt-get install -y openssh-server

# Create SSH directory and set permissions (with StrictModes, sshd rejects
# keys if the directory or file is group- or world-writable)
RUN mkdir -p /root/.ssh
RUN chmod 700 /root/.ssh

# Copy the authorized_keys file (public key only; the private key never
# enters the image)
COPY keys/authorized_keys /root/.ssh/authorized_keys
RUN chmod 600 /root/.ssh/authorized_keys

# Setup SSH server
RUN mkdir /var/run/sshd
# prohibit-password is already the OpenSSH default; this makes it explicit
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config

# Disable password authentication
RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

EXPOSE 22
# Run sshd in the foreground so the container keeps running
CMD ["/usr/sbin/sshd", "-D"]


This secure version of the Dockerfile implements several important changes:

Base setup remains the same, but we focus on security:

  • Uses Ubuntu base image
  • Installs SSH server with noninteractive setting

Secure SSH directory configuration:

  • Creates a .ssh directory with restricted permissions (700)
  • Copies your public key to authorized_keys
  • Sets proper file permissions (600) for the authorized_keys file

Enhanced security settings:

  • Restricts root login to key-based authentication only
  • Explicitly disables password authentication
  • Maintains proper SSH directory permissions

The container configuration:

  • Exposes SSH port (22)
  • Runs SSH daemon in the foreground

Step 4: Build and Run

# Build the image
docker build -t ubuntu-ssh-keys .

# Run the container
docker run -d -p 2222:22 --name my-ssh-container ubuntu-ssh-keys


Step 5: Connect

ssh -i ~/.ssh/docker_rsa -p 2222 root@localhost
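As an added check (example code, not from the original post): a small POSIX sh script that audits an sshd_config for the two settings Method 2 relies on, because the sed edits above succeed silently even when their pattern does not match the base image's file. It assumes you have copied the file out of the container with `docker cp`; the sample configs it tests are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audits an sshd_config for the two
# settings the key-only Dockerfile above is meant to produce. Its sed edits are
# silent no-ops if the commented default line is missing or worded differently
# in the base image, so check the file that actually ships, e.g. after
# `docker cp my-ssh-container:/etc/ssh/sshd_config ./sshd_config`.

# effective_value FILE KEYWORD DEFAULT
# sshd honours the first uncommented occurrence of a keyword; lines inside a
# Match block are conditional, so the scan stops there (a simplification).
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == "match" { exit }
                        tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> 0 if hardened, 1 with one FAIL line per finding.
# The defaults passed in are OpenSSH's own, so an unset keyword is judged the
# way sshd would apply it.
audit_sshd_config() {
    rc=0
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    pa=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ]; then
        echo "FAIL: PermitRootLogin yes (root can log in with a password)"; rc=1
    fi
    if [ "$pa" != "no" ]; then
        echo "FAIL: PasswordAuthentication $pa (password logins still accepted)"; rc=1
    fi
    return $rc
}

# Constructed samples: GOOD is what Method 2's sed lines leave behind; BAD has
# Method 1's root setting and PasswordAuthentication left at its default.
TMPD=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    > "$TMPD/good"
printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication yes' > "$TMPD/bad"

audit_sshd_config "$TMPD/good" && echo "good: hardened"
audit_sshd_config "$TMPD/bad" || echo "bad: fix before shipping"
```

Running it inside the image (`docker run --rm ubuntu-ssh-keys sh -c '...'`) against `/etc/ssh/sshd_config` works the same way.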

Best practices to follow when SSHing into a Docker Container

When setting up SSH access to Docker containers, following these security best practices is crucial to maintain a secure environment:

1. Authentication Security

  • Always use SSH key authentication instead of passwords
  • Create and use non-root users for SSH access
  • Use strong SSH keys (ED25519 or RSA with at least 2048 bits)
  • Never store private keys in containers or images
  • Disable password authentication completely
  • Avoid using default usernames
  • Or, set up your Docker container as a VPN endpoint using Netmaker, and access it from a client using identity credentials.

2. SSH Server Configuration

  • Disable root login via SSH
  • Configure proper permissions for SSH directories and files
  • Set restrictive file permissions (700 for .ssh directories, 600 for key files)
  • Limit SSH access to specific users
  • Disable unnecessary SSH features
  • Set up proper logging and monitoring

3. Access Control

  • Restrict SSH access to specific IP addresses
  • Use network policies to limit SSH access
  • Implement proper firewall rules
  • Consider using a VPN like Netmaker to secure network access to your containers.

4. Container Security

  • Keep base images and SSH server updated
  • Use specific versions of base images
  • Minimize installed packages to reduce attack surface
  • Remove SSH access when not needed
  • Regularly scan for vulnerabilities
  • Keep your containers updated with security patches

5. Monitoring and Logging

  • Implement logging for SSH access attempts
  • Use tools like fail2ban to prevent brute-force attacks
  • Configure alerts for suspicious activities
  • Monitor container logs regularly
  • Set up centralized logging
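An added example, not from the original post, that turns the logging and fail2ban bullets above into a concrete check: POSIX sh/awk functions that count failed logins per source address and list successful logins from sshd output. It assumes sshd is started with `-e` so its messages reach `docker logs` (the containers above run no syslog daemon); the log lines it processes are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal brute-force detector over
# sshd log lines, the check that fail2ban automates. In the containers above
# `sshd -D` logs via syslog, which is not running inside the container; start it
# as `/usr/sbin/sshd -D -e` so messages go to stderr and
# `docker logs my-ssh-container > auth.log 2>&1` can feed these functions.

# failed_by_source LOGFILE -> "<ip> <count>" per source with failed logins.
# The word after "from" is taken, so "invalid user ..." lines count too, and no
# syslog prefix is required.
failed_by_source() {
    awk '/Failed (password|publickey|none) for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# flag_bruteforce LOGFILE THRESHOLD -> only sources whose failures reach
# THRESHOLD (fail2ban's maxretry); empty output means nothing to act on.
flag_bruteforce() {
    failed_by_source "$1" | awk -v t="$2" '$2 + 0 >= t + 0'
}

# accepted_logins LOGFILE -> "<user> <method> <ip>" per successful login,
# the audit trail the Monitoring section asks for.
accepted_logins() {
    awk '/Accepted [a-z]+ for .* from / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") m = $(i+1)
                 if ($i == "for")      u = $(i+1)
                 if ($i == "from")     ip = $(i+1)
             }
             print u, m, ip
         }' "$1"
}

# Constructed sample log (syslog-style lines; addresses are documentation ranges)
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Oct 24 10:01:02 my-ssh-container sshd[71]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 24 10:01:04 my-ssh-container sshd[71]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 24 10:01:09 my-ssh-container sshd[71]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 24 10:02:30 my-ssh-container sshd[73]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Oct 24 10:03:11 my-ssh-container sshd[75]: Failed password for root from 198.51.100.7 port 40030 ssh2
EOF

flag_bruteforce "$LOG" 3    # prints: 203.0.113.5 3
accepted_logins "$LOG"      # prints: root publickey 198.51.100.7
```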


Enhancing Docker Container Management with Netmaker

Netmaker provides a robust solution to facilitate secure and efficient SSH access to Docker containers across various network environments. With its ability to create virtual private networks (VPNs) using WireGuard, Netmaker ensures that container access remains secure and compliant with corporate policies. Its networking capabilities allow seamless remote access, making it ideal for distributed environments where containers are hosted on multiple cloud providers or across different geographic locations. This significantly simplifies remote container management, enabling developers and IT teams to perform essential administrative tasks without compromising security.

Another key advantage of using Netmaker is its support for streamlined team collaboration and troubleshooting. By standardizing access through its VPN setup, Netmaker allows multiple team members to connect to Docker containers simultaneously, facilitating real-time collaboration. This is particularly beneficial when debugging production issues, as it allows team members to diagnose and resolve problems interactively. Moreover, Netmaker's architecture, which supports both Docker and Kubernetes environments, offers flexibility and scalability, ensuring that enterprises can manage their containerized applications effectively. Get started with Netmaker today by signing up at Netmaker Signup.
