macdjord

Configure SSHD running in a Docker container to only accept logins to a certain account from other containers

I have an app which consists of multiple Docker containers. One of these containers runs SSHD, the primary use-case being to accept connections from other devices which need to communicate with my app via forwarded ports. However, I also need to enable one particular other container to execute commands inside the SSHD container, to, e.g., check which devices are currently connected, or to terminate the connection from a given device. Enabling one container to run commands in another directly through Docker is dangerous; it effectively gives the container root access to the host machine. However, conveniently, allowing commands to be run remotely is one of the things SSHD is designed to do.

I wish to ensure everything is as secure as possible. I have created separate, non-root user accounts for incoming connections from other devices and incoming connections from the other container, and the connections-from-other-devices user is locked down to only be able to do just the sort of port-forwarding required and nothing else. The connections-from-other-containers user, however, cannot be quite so locked down, since it must be able to run the aforementioned commands. Thus, as a second line of defense, I wish to configure SSHD so that login to the connections-from-other-containers user is only permitted via connections from other Docker containers on the same network, or better yet only from the one specific container which is supposed to execute the commands.

Unfortunately, I have yet to find a definitive way to restrict login to only connections from another container, not the outside world.

Resources

Idea 1: Access Control by Ports

Have SSHD listen on two ports, 22 and some other one. Only allow logins to the connections-from-other-containers user from the second port. Map port 22 on the SSHD container to some port on the host machine, but leave the other one unmapped. Other containers on the same Docker network can connect to the second port in order to log in as that user, but nothing outside Docker can do so.

Problem

While SSHD does support listening for connections on more than one port, there is no way I can find to restrict login to a certain user based on which port the connection comes from. I'd have to run two instances of SSHD, one listening on each port, in order to implement separate access restrictions, and the core idea of Docker containers is for each one to have a single central process; running two is awkward and messy.

Idea 2: Access Control by IP Address

Configure the Docker network to use a particular subnet, and configure the container which needs to run the commands to have a particular IP address within this subnet. Then use a Match Address block in sshd_config and/or a from= option in authorized_keys to only allow logins to the connections-from-other-containers user from this IP address.

Problem

I do not control or even know the networking setup of the client who will be running the app. If I set up the Docker network to use any of the standard IPv4 private address spaces (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), then for all I know the host machine might be part of a private network using the same subnet, and there might be a machine on that network with the same IP address as my container, which would presumably be able to access the user.

Alternatively, I might use a non-private IP address which is real, unlikely to be compromised, and unlikely to ever be host to my app, such as the Google DNS server at 8.8.8.8. But I have no idea what side-effects setting up my Docker network to include a real address like that might have.
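A concrete sshd_config and authorized_keys pair for the second idea, as an added example that is not part of the question. It combines the Match Address block and the from= option the question mentions with sshd's LocalPort match criterion (the Match directive accepts User, Group, Host, LocalAddress, LocalPort and Address), so the control account is reachable only on the listener that is never published to the host. The user names devices and ctl, the network 172.30.0.0/24, the controller address 172.30.0.10 and the wrapper path /usr/local/bin/ctl-shell are assumptions.

```sshd_config
# /etc/ssh/sshd_config inside the SSHD container (added example; names and addresses are assumed)
Port 22                         # published to the host for external devices
Port 2222                       # reachable only on the Docker network; never published
PasswordAuthentication no
PermitRootLogin no
AllowUsers devices ctl

# External devices: port forwarding only, no shell, no tty, no agent/X11 forwarding.
Match User devices
    ForceCommand /bin/false
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    AllowTcpForwarding yes

# Control user: allowed only when BOTH the unpublished port and the controller
# container's address match (criteria on one Match line are ANDed). The forced
# wrapper dispatches on $SSH_ORIGINAL_COMMAND and runs only the permitted
# inspect/terminate actions.
Match User ctl LocalPort 2222 Address 172.30.0.10
    AuthorizedKeysFile /etc/ssh/authorized_keys/ctl
    ForceCommand /usr/local/bin/ctl-shell
    AllowTcpForwarding no
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no

# Any other path to the ctl account (port 22, or another source address) finds
# no keys at all; with passwords disabled it cannot authenticate. This block must
# follow the one above: when a keyword appears in several satisfied Match
# blocks, sshd applies only the first instance.
Match User ctl
    AuthorizedKeysFile none

# ---- /etc/ssh/authorized_keys/ctl (one line; the key material is a placeholder) ----
# The same restrictions again, as a second line of defence bound to the key itself.
# from="172.30.0.10",command="/usr/local/bin/ctl-shell",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER ctl@controller
```

On a user-defined Docker network a connection from another container arrives with that container's own address, so the controller needs a fixed address (for example a static ipv4_address in Compose) for the Address criterion to be stable. Traffic that enters through a port published on the host may instead appear to sshd as coming from the bridge gateway, which is why the example keys on the unpublished port as well rather than on the subnet alone.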
