A **minimal SSH bastion** that authenticates by key and runs exactly **one preconfigured command** on every login. No fallback shell, no interactive choice — the agent connecting via SSH gets dropped straight into whatever you point `FORCE_COMMAND` at.
Typical uses:
- Give an agent (or a human) an SSH-shaped door into a running container — connection lands inside `docker exec -it app bash` and behaves like SSH'ing into the app.
- Give a deploy bot an SSH-shaped door that runs `./deploy.sh` on connect, streams output, and disconnects when the script exits.
Same image, different `FORCE_COMMAND` per service.
At boot the entrypoint concatenates whichever of these files exist into the agent's `authorized_keys`. **At least one must exist** or the container refuses to start.
| `/etc/bastion/authorized_keys.host` | `~/.ssh/authorized_keys` from the docker host |
| `/etc/bastion/authorized_keys.repo` | `./docker/bastion/authorized_keys` in the repo |
Mount either, both, or neither — but neither = container exits at startup with a clear error.
## How `FORCE_COMMAND` behaves
`FORCE_COMMAND` is run via `sh -c`, so shell metacharacters work — `&&`, `||`, pipes, `cd`, redirects.
- **Interactive command** (`docker exec -it app bash`) — SSH allocates a PTY by default for `ssh user@host`, `docker exec -it` inherits it, the inner bash is interactive. Session ends when the user types `exit`.
- **Script command** (`cd /workspace && ./deploy.sh`) — output streams back over SSH, the session closes the moment the script exits. Exit code propagates to the SSH client.
The client cannot override the command. `SSH_ORIGINAL_COMMAND` is ignored.
| `ALPINE_VERSION` | `3.21` | Alpine base image tag. |
| `SSH_UID` | `1000` | UID of the bastion `agent` user. |
| `SSH_GID` | `1000` | GID of the bastion `agent` group. |
## What's Inside
- **openssh-server** — hardened config: key-only auth, no forwarding, no PAM, no user env, `/sbin/nologin` shell, global `ForceCommand`.
- **docker-cli** + **docker-cli-compose** — so `FORCE_COMMAND` can target containers via a mounted docker socket. Group membership is auto-aligned at boot to the host socket's GID.
- **tini** — PID 1, signal handling.
- **bash**, **ca-certificates**, **tzdata**.
## Security Model
The security boundary is **the authorized_keys file and the ForceCommand wrapper**. Once a key authenticates, the session is hard-pinned to exactly one command. The bastion has the docker socket — equivalent to host root — so the only thing standing between a remote attacker and host root is sshd + your key hygiene.
Practical checklist:
1.**Key-only auth, no passwords** — enforced in `sshd_config`.
2.**No agent / tcp / x11 forwarding, no port tunnels** — enforced in `sshd_config`.
3.**Login shell is `/sbin/nologin`** — no fallback if `ForceCommand` somehow misfires.
5.**Bind the host port to `127.0.0.1` or behind a firewall / VPN unless you actually need it public.**
6.**Keep openssh patched** — `apk upgrade` in a rebuild cycle; an unauth sshd RCE here would mean host root.
7.**Lock down siblings** — anyone who can `docker exec` into the app can also `docker exec` into the mysql/redis container via the same socket. `cap_drop: [ALL]` and `no-new-privileges` on siblings caps the blast radius.
## Architecture
```
start-container (entrypoint)
├─ generate host keys (idempotent, persisted via /etc/ssh/keys volume)
├─ merge AUTHORIZED_KEYS_HOST + AUTHORIZED_KEYS_REPO into authorized_keys
├─ write /etc/bastion/force-command wrapper from $FORCE_COMMAND
├─ align docker socket group membership (if socket is mounted)
