First commit

Dockerfile

@@ -0,0 +1,16 @@
+FROM alpine
+
+RUN apk add --update openssh
+
+COPY sshd_config /etc/ssh/sshd_bastion_config
+RUN echo "Include /etc/ssh/sshd_bastion_config" >> /etc/ssh/sshd_config
+
+RUN adduser -D -s /bin/sh -H bastion
+RUN passwd -u -d bastion
+
+EXPOSE 2222
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

docker-compose.yml

@@ -0,0 +1,16 @@
+version: "3"
+
+services:
+  ssh-jumphost:
+    container_name: ssh-jumphost
+    build:
+      context: https://github.com/chrisb86/docker-ssh-jumphost.git
+    volumes:
+      - ./config:/config
+    ports:
+      - 2222:2222
+    tmpfs:
+      - /tmp
+      - /run
+      - /var/tmp
+    read_only: true

entrypoint.sh

@@ -0,0 +1,26 @@
+#! /bin/sh
+
+CONFIG_DIR="/config"
+USER="bastion"
+PORT="2222"
+
+## Ensure host ssh keys
+if [ ! -f "/config/ssh_host_rsa_key" ]; then
+    ssh-keygen -t rsa -b 4096 -f /config/ssh_host_rsa_key -N ""
+fi
+
+if [ ! -f "/config/ssh_host_ed25519_key" ]; then
+    ssh-keygen -t ed25519 -f /config/ssh_host_ed25519_key -N ""
+fi
+
+## Ensure authorized_keys file and link it to user's home
+touch ${CONFIG_DIR}/authorized_keys
+
+chown -R ${USER}:${USER} /config
+
+set -xv
+
+/usr/sbin/sshd -D -e -4 \
+    -o "HostKey=${CONFIG_DIR}/ssh_host_rsa_key" \
+    -o "HostKey=${CONFIG_DIR}/ssh_host_ed25519_key" \
+    -o "Port=${PORT}" \

sshd_config

@@ -0,0 +1,8 @@
+PermitTTY no
+X11Forwarding no
+PermitTunnel no
+GatewayPorts no
+ForceCommand /sbin/nologin
+Match User bastion
+    AllowTcpForwarding yes
+    AuthorizedKeysFile  /config/authorized_keys