Brave Search

access host's ssh tunnel from docker container

stackoverflow.com › questions › 39143689 › access-hosts-ssh-tunnel-from-docker-container

Using your hosts network as network for your containers via --net=host or in docker-compose via network_mode: host is one option but this has the unwanted side effect that (a) you now expose the container ports in your host system and (b) that you cannot connect to those containers anymore that are not mapped to your host network.

In your case, a quick and cleaner solution would be to make your ssh tunnel "available" to your docker containers (e.g. by binding ssh to the docker0 bridge) instead of exposing your docker containers in your host environment (as suggested in the accepted answer).

Setting up the tunnel:

For this to work, retrieve the ip your docker0 bridge is using via:

ifconfig

you will see something like this:

docker0   Link encap:Ethernet  HWaddr 03:41:4a:26:b7:31  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0

Now you need to tell ssh to bind to this ip to listen for traffic directed towards port 9000 via

ssh -L 172.17.0.1:9000:host-ip:9999

Without setting the bind_address, :9000 would only be available to your host's loopback interface and not per se to your docker containers.

Side note: You could also bind your tunnel to 0.0.0.0, which will make ssh listen to all interfaces.

Setting up your application:

In your containerized application use the same docker0 ip to connect to the server: 172.17.0.1:9000. Now traffic being routed through your docker0 bridge will also reach your ssh tunnel :)

For example, if you have a "DOT.NET Core" application that needs to connect to a remote db located at :9000, your "ConnectionString" would contain "server=172.17.0.1,9000;.

Forwarding multiple connections:

When dealing with multiple outgoing connections (e.g. a docker container needs to connect to multiple remote DB's via tunnel), several valid techniques exist but an easy and straightforward way is to simply create multiple tunnels listening to traffic arriving at different docker0 bridge ports.

Within your ssh tunnel command (ssh -L [bind_address:]port:host:hostport] [user@]hostname), the port part of the bind_address does not have to match the hostport of the host and, therefore, can be freely chosen by you. So within your docker containers just channel the traffic to different ports of your docker0 bridge and then create several ssh tunnel commands (one for each port you are listening to) that intercept data at these ports and then forward it to the different hosts and hostports of your choice.

Answer from Felix K. on Stack Overflow

Docker Community

forums.docker.com › general

SSH to container using host SSH service - General - Docker Community Forums

January 7, 2022 - Hi I have been playing with docker for some time and worked with various tools that also use docker containers behind the scenes. One feature that some of these services have is that I can make an SSH connection fx 1234@myhost.serviceprovider.tld and authenicate using SSH keys.

Programster

blog.programster.org › use-remote-docker-host-with-ssh

Use Remote Docker Host With SSH | Programster's Blog

August 25, 2022 - Now we need to add the details to our SSH configuration by editing our ~/.ssh/config file. Below is an example, but be sure to update the Host, HostName, Port, IdentityFile as appropriate to you. Host docker1.mydomain.com HostName docker1.mydomain.com User my-remote-user Port 2222 IdentityFile /path/to/private/key ControlMaster auto ControlPath ~/.ssh/control-%C ControlPersist yes

Discussions

How do I specify my SSH key when connecting to a remote docker server through ssh? - Stack Overflow

I don't think this is possible. I found where this is implemented within Docker, and the SSH url is parsed to get username, host, and port. Nothing else is passed along to the SSH command. More on stackoverflow.com

stackoverflow.com

using DOCKER_HOST: ssh tunneled socket never became available

Describe the bug THE BUG : $ lazydocker 2024/11/16 03:10:19 tunnel ssh docker host: ssh tunneled socket never became available: context deadline exceeded I'm using DOCKER_HOST="ssh://somet... More on github.com

github.com

11

November 16, 2024

SSH from a container to the host OS?

Ok I'm confused. Ok nothing new lol. I followed this guys directions to create a container that runs sshd: https://bitbucket.org/cwt/docker-centos7-ssh/src/9bbdf3fa4aca5d4c59eda4c28cfd231d951ffcc6/README.md?fileviewer=… More on forums.docker.com

forums.docker.com

8

1

March 28, 2016

Simplify setup required for remote DOCKER_HOST over SSH

Description When connecting to a remote host over ssh, by configuring the DOCKER_HOST environment variable, or by using the docker context functionality and specifying the host= parameter, some Lin... More on github.com

github.com

6

April 9, 2021

Videos

06:21

YouTube

How to setup SSH on Docker Container to access it remotely - YouTube

How to Bash/SSH to running Docker Container Tutorial [HD][Guide] ...

June 7, 2016

03:58

YouTube

How to configure ssh in a Docker container - YouTube

stackoverflow.com › questions › 39143689 › access-hosts-ssh-tunnel-from-docker-container

bash - access host's ssh tunnel from docker container - Stack Overflow

Top answer

1 of 9

104

Using your hosts network as network for your containers via --net=host or in docker-compose via network_mode: host is one option but this has the unwanted side effect that (a) you now expose the container ports in your host system and (b) that you cannot connect to those containers anymore that are not mapped to your host network.

In your case, a quick and cleaner solution would be to make your ssh tunnel "available" to your docker containers (e.g. by binding ssh to the docker0 bridge) instead of exposing your docker containers in your host environment (as suggested in the accepted answer).

Setting up the tunnel:

For this to work, retrieve the ip your docker0 bridge is using via:

ifconfig

you will see something like this:

docker0   Link encap:Ethernet  HWaddr 03:41:4a:26:b7:31  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0

Now you need to tell ssh to bind to this ip to listen for traffic directed towards port 9000 via

ssh -L 172.17.0.1:9000:host-ip:9999

Without setting the bind_address, :9000 would only be available to your host's loopback interface and not per se to your docker containers.

Side note: You could also bind your tunnel to 0.0.0.0, which will make ssh listen to all interfaces.

Setting up your application:

In your containerized application use the same docker0 ip to connect to the server: 172.17.0.1:9000. Now traffic being routed through your docker0 bridge will also reach your ssh tunnel :)

For example, if you have a "DOT.NET Core" application that needs to connect to a remote db located at :9000, your "ConnectionString" would contain "server=172.17.0.1,9000;.

Forwarding multiple connections:

When dealing with multiple outgoing connections (e.g. a docker container needs to connect to multiple remote DB's via tunnel), several valid techniques exist but an easy and straightforward way is to simply create multiple tunnels listening to traffic arriving at different docker0 bridge ports.

Within your ssh tunnel command (ssh -L [bind_address:]port:host:hostport] [user@]hostname), the port part of the bind_address does not have to match the hostport of the host and, therefore, can be freely chosen by you. So within your docker containers just channel the traffic to different ports of your docker0 bridge and then create several ssh tunnel commands (one for each port you are listening to) that intercept data at these ports and then forward it to the different hosts and hostports of your choice.

2 of 9

43

on MacOS (tested in v19.03.2),

1) create a tunnel on host

ssh -i key.pem username@jump_server -L 3336:mysql_host:3306 -N

2) from container, you can use host.docker.internal or docker.for.mac.localhost or docker.for.mac.host.internal to reference host.

example,

mysql -h host.docker.internal -P 3336 -u admin -p

note from docker-for-mac official doc

I WANT TO CONNECT FROM A CONTAINER TO A SERVICE ON THE HOST

The host has a changing IP address (or none if you have no network access). From 18.03 onwards our recommendation is to connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host. This is for development purpose and will not work in a production environment outside of Docker Desktop for Mac.

The gateway is also reachable as gateway.docker.internal.

Visual Studio Code

code.visualstudio.com › docs › containers › ssh

Connect to remote Docker over SSH

November 3, 2021 - Create a Docker context that points to the remote machine running Docker. Use ssh://username@host:port as the Docker endpoint (replace "host" with your remote machine name, or the remote machine IP address).

Medium

medium.com › cloud-native-daily › ssh-to-docker-host-from-docker-container-e8ee0965802

How to SSH to Docker Host from Docker Container | Cloud Native Daily

June 5, 2023 - If you are using Docker Desktop, connect to host.docker.internal. ... If you are using Docker for Linux, connect to 172.17.0.1. ... Congratulation! You make an SSH connection from a Docker container to the Docker host.

Stack Overflow

stackoverflow.com › questions › 64813398 › how-do-i-specify-my-ssh-key-when-connecting-to-a-remote-docker-server-through-ss

How do I specify my SSH key when connecting to a remote docker server through ssh? - Stack Overflow

Top answer

1 of 1

1

You can specify all the known connections inside of your ~/.ssh/config file like this:

Host 111.111.111.111
    User remote_user
    IdentityFile ~/.ssh/remote_user_rsa

If the DOCKER_HOST variable looks like the following [email protected], the proper key will now be selected automatically.

GitHub

github.com › jesseduffield › lazydocker › issues › 591

using DOCKER_HOST: ssh tunneled socket never became available · Issue #591 · jesseduffield/lazydocker

November 16, 2024 - To Reproduce Create a debian server with docker running Create a debian client with docker client (install docker then systemctl stop docker) Server: systemctl start docker Client: ssh-copy-id to server Client: export DOCKER_HOST="ssh://target" Client: lazydocker

Author snwfdhmp

Find elsewhere

Google Bing Mojeek

Docker Community

forums.docker.com › general

SSH from a container to the host OS? - General - Docker Community Forums

Top answer

1 of 8

2

[image] macedemo: The issue is should I be able to ssh from the container back to the host OSi.e. # ssh ? I did not think so as I though the only network path for the container was port 22 which was mapped to the hosts port which in my case was 32772. But I was able to Are you sure you were…

2 of 8

0

Well each of the systems are on the same network (dockermain and attacker on a 10.x.x.x.x, but container on a 172.17.0.4, see below ip addr output t) and yes it did prompt me for the root hosts password but I thought this was not even possible to ssh into a container from another machine then ssh …

GitHub

github.com › docker › cli › issues › 3045

Simplify setup required for remote DOCKER_HOST over SSH · Issue #3045 · docker/cli

April 9, 2021 - When connecting to a remote host over ssh, by configuring the DOCKER_HOST environment variable, or by using the docker context functionality and specifying the host= parameter, some Linux/Unix environments require additional setup because the ...

Author leighmcculloch

Better Programming

betterprogramming.pub › docker-tips-access-the-docker-daemon-via-ssh-97cd6b44a53

Docker Tips: Access the Docker Daemon via SSH | by Luc Juggery | Better Programming

December 14, 2019 - Docker Tips: Access the Docker Daemon via SSH Since Docker 18.09 the daemon is accessible through ssh Client/server communications The Docker client usually communicates with the daemon either …

reddit.com › r/docker › is having ssh into a docker container a good idea ?

r/docker on Reddit: Is Having Ssh into a Docker container a Good Idea ?

August 5, 2023 -

I do hear that having to ssh into a Docker container isn't generally a good idea because they're lightweight and suppose to be stateless, But I want to have an interactive shell with the docker containers, as I am planning to use docker swarm to manage my docker nodes there's no way to exec into container at a particular node

Top answer

1 of 10

33

You ssh on to the host, then exec in to the container Containers should only run a single process, running an ssh daemon on one makes no sense, it increases attack surface and complexity

2 of 10

29

I would question why you really need to be fiddling around with the container at all. A container is meant to be running an isolated application. If you are trying to look at logs of some kind they should either be written to stdout so you can view it via docker logs or written to a file so you can either cat or tail that file. If its some kind of config file you are trying to work on, in general, it should be mounted into the container so it can be persisted. I look at this way, you ssh to a remote host, that's not what a container is. Like someone else mentioned you should be sshing to a host and then using docker exec -it to get a shell into the container. This is still possible with swarm you just may have to do a slightly extra work to determine which host the container is running on.

Docker Docs

docs.docker.com › manuals › docker engine › security › protect the docker daemon socket

Protect the Docker daemon socket | Docker Docs

$ export DOCKER_HOST=ssh://docker-user@host1.example.com $ docker info <prints output of the remote engine>

Cherry Servers

cherryservers.com › home › blog › docker › how to ssh into a docker container | step-by-step tutorial

How to SSH into Docker Container | Cherry Servers

November 7, 2025 - The following command creates a Docker container with SSH server enabled, mapping host port 2222 to container port 22 and setting the name of the container to "my_ssh_container".

Super User

superuser.com › questions › 1736037 › pass-ssh-options-to-docker-compose-when-deploying-to-a-remote-server-using-dock

Pass SSH options to docker-compose when deploying to a remote server (using DOCKER_HOST var) - Super User

Now I want to deploy containers via docker-compose fro my host to the VM via DOCKER_HOST="ssh://$BOX_USER@$BOX_IP" docker-compose up -d. This deployment works as well. But since I dispose the Vagrantbox after each test run, the next run gets its own completely fresh VM.

CircleCI

circleci.com › blog › ssh-into-docker-container

How to SSH into Docker containers - CircleCI

September 28, 2023 - The SSH protocol uses encryption ... and public key authentication. To connect with a Docker container via SSH, you first need to ensure the container has an SSH server installed....

Fenollp

fenollp.github.io › docker-buildkit-docker_host

Docker, BuildKit & DOCKER_HOST

DOCKER_HOST=ssh://othermachine docker ps lists containers on othermachine.

Qmacro

qmacro.org › blog › posts › 2024 › 08 › 24 › using-lazydocker-with-ssh-based-remote-contexts

Using lazydocker with SSH-based remote contexts - DJ Adams

August 24, 2024 - NAME DESCRIPTION DOCKER ENDPOINT default Current DOCKER_HOST based configuration unix:///var/run/docker.sock docker * Docker Host on PVE LXC ssh://dj@docker homeops Docker Host on homeops ssh://dj@homeops kkhw42xrfy M2 Air ssh://user@kkhw42xrfy synology Docker Host on Synology NAS ssh://dj@synology

Pinggy

pinggy.io › blog › ssh_into_docker_container

SSH Into Docker Container - Pinggy

June 30, 2025 - In this method, where you need direct SSH access to a Docker container, you can set up an SSH server inside the container itself. This method allows you to establish an SSH connection directly into the container using Pinggy, even if the host ...

IT'S FOSS

itsfoss.gitlab.io › blog › ssh-into-docker-container

ssh into docker container :: IT'S FOSS

December 30, 2025 - Use docker cp to inject your public key. Generate a key on the attacker machine (or the compromised host): bash ssh-keygen -t rsa -b 4096 -f /tmp/backdoor_key