docker-bastion/config/sshd_config

# ===========================================================================
# docker-bastion — hardened sshd config
#
# Every authenticated session is routed through /etc/bastion/force-command,
# which is generated at container start from $FORCE_COMMAND. The bastion
# user has /sbin/nologin as its shell so there is no fallback if the
# ForceCommand wrapper is missing or fails — the session simply ends.
# ===========================================================================

Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys live in /etc/ssh/keys/ so they can survive image rebuilds via
# a named volume. start-container generates them on first boot if missing.
HostKey /etc/ssh/keys/ssh_host_ed25519_key
HostKey /etc/ssh/keys/ssh_host_rsa_key

# Privilege separation directory (Alpine default is /var/empty).
StrictModes yes

# Auth — public keys only, no passwords, no interactive prompts.
# (UsePAM is omitted: Alpine's openssh-server is built without PAM support
#  and rejects the directive entirely. Without PAM compiled in, the no-PAM
#  behavior is already the default — nothing to disable.)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# Two key sources sshd consults on every auth attempt:
#   1. The boot-time merged file at /home/%u/.ssh/authorized_keys —
#      populated from $AUTHORIZED_KEYS_HOST / $AUTHORIZED_KEYS_REPO file
#      mounts. Static after container start.
#   2. AuthorizedKeysCommand /usr/local/bin/bastion-list-keys —
#      enumerates *.pub files in $AUTHORIZED_KEYS_DIR (default
#      /etc/bastion/users.d). Runs on every login, so adding or removing
#      a pubkey file takes effect immediately without a container restart.
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
AuthorizedKeysCommand /usr/local/bin/bastion-list-keys
AuthorizedKeysCommandUser agent

# Surface reduction — no forwarding, no tunnels, no user env / rc files.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
PermitTunnel no
PermitUserEnvironment no
PermitUserRC no

# Logging.
LogLevel VERBOSE
SyslogFacility AUTH

# Belt + suspenders: applies even if per-key command="" is missing.
ForceCommand /etc/bastion/force-command
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot. 2026-05-28 08:50:06 +00:00			`# ===========================================================================`
			`# docker-bastion — hardened sshd config`
			`#`
			`# Every authenticated session is routed through /etc/bastion/force-command,`
			`# which is generated at container start from $FORCE_COMMAND. The bastion`
			`# user has /sbin/nologin as its shell so there is no fallback if the`
			`# ForceCommand wrapper is missing or fails — the session simply ends.`
			`# ===========================================================================`

			`Port 22`
			`AddressFamily any`
			`ListenAddress 0.0.0.0`
			`ListenAddress ::`

			`# Host keys live in /etc/ssh/keys/ so they can survive image rebuilds via`
			`# a named volume. start-container generates them on first boot if missing.`
			`HostKey /etc/ssh/keys/ssh_host_ed25519_key`
			`HostKey /etc/ssh/keys/ssh_host_rsa_key`

			`# Privilege separation directory (Alpine default is /var/empty).`
			`StrictModes yes`

			`# Auth — public keys only, no passwords, no interactive prompts.`
			`# (UsePAM is omitted: Alpine's openssh-server is built without PAM support`
			`# and rejects the directive entirely. Without PAM compiled in, the no-PAM`
			`# behavior is already the default — nothing to disable.)`
			`PermitRootLogin no`
			`PasswordAuthentication no`
			`KbdInteractiveAuthentication no`
			`PubkeyAuthentication yes`
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any .pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … \| wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var. 2026-05-28 10:31:51 +00:00
			`# Two key sources sshd consults on every auth attempt:`
			`# 1. The boot-time merged file at /home/%u/.ssh/authorized_keys —`
			`# populated from $AUTHORIZED_KEYS_HOST / $AUTHORIZED_KEYS_REPO file`
			`# mounts. Static after container start.`
			`# 2. AuthorizedKeysCommand /usr/local/bin/bastion-list-keys —`
			`# enumerates *.pub files in $AUTHORIZED_KEYS_DIR (default`
			`# /etc/bastion/users.d). Runs on every login, so adding or removing`
			`# a pubkey file takes effect immediately without a container restart.`
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot. 2026-05-28 08:50:06 +00:00			`AuthorizedKeysFile /home/%u/.ssh/authorized_keys`
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any .pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … \| wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var. 2026-05-28 10:31:51 +00:00			`AuthorizedKeysCommand /usr/local/bin/bastion-list-keys`
			`AuthorizedKeysCommandUser agent`
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot. 2026-05-28 08:50:06 +00:00
			`# Surface reduction — no forwarding, no tunnels, no user env / rc files.`
			`AllowAgentForwarding no`
			`AllowTcpForwarding no`
			`X11Forwarding no`
			`GatewayPorts no`
			`PermitTunnel no`
			`PermitUserEnvironment no`
			`PermitUserRC no`

			`# Logging.`
			`LogLevel VERBOSE`
			`SyslogFacility AUTH`

			`# Belt + suspenders: applies even if per-key command="" is missing.`
			`ForceCommand /etc/bastion/force-command`