No Description

Fabian Peter Hammerle 17b658f070 sshd: no longer accept RSA keys < 2048 bits for authentication 1 week ago
.github 15a37bb2ac Bump docker/setup-buildx-action from 2.1.0 to 2.2.1 (#32) 1 month ago
CHANGELOG.md 17b658f070 sshd: no longer accept RSA keys < 2048 bits for authentication 1 week ago
Dockerfile 618a1d51bc upgrade borgbackup package from v1.2.0-r0 to v1.2.2-r1 (see below) 1 week ago
Makefile a890c27fad release v0.1.0 1 year ago
README.md c532b69d3e authorize keys in `SSH_CLIENT_PUBLIC_KEYS_ALL` to access all repositories 1 month ago
borgbackup-package-log.url 618a1d51bc upgrade borgbackup package from v1.2.0-r0 to v1.2.2-r1 (see below) 1 week ago
docker-compose.yml c532b69d3e authorize keys in `SSH_CLIENT_PUBLIC_KEYS_ALL` to access all repositories 1 month ago
entrypoint.sh c532b69d3e authorize keys in `SSH_CLIENT_PUBLIC_KEYS_ALL` to access all repositories 1 month ago
openssh-package-log.url 51ae69754d upgrade openssh-server package from v9.0_p1-r2 to v9.1_p1-r1 (see below) 1 week ago
openssh-release-notes.url 80a654ad49 upgrade openssh server package v8.6_p1-r{2->3} (CVE-2021-41617) 1 year ago
sshd_config 17b658f070 sshd: no longer accept RSA keys < 2048 bits for authentication 1 week ago
tini-package-log.url 822269f59f upgrade tini package from v0.19.0-r0 to v0.19.0-r1 (see below) 1 week ago

README.md

docker: borgbackup-sshd 💾 🐳 🐙

Single-user OpenSSH server restricted to BorgBackup backend

$ sudo docker run --name borgbackup_sshd \
    -v ssh_host_keys:/etc/ssh/host_keys:rw \
    -v /somewhere:/repository:rw \
    --tmpfs /home/borg/.ssh:mode=1777,size=16k \
    --tmpfs /tmp:mode=1777,size=1M \
    -p 2200:2200 \
    -e SSH_CLIENT_PUBLIC_KEYS="$(cat ~/.ssh/id_*.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY="$(cat optional-append-only-keys.pub)" \
    --read-only --security-opt=no-new-privileges --cap-drop=ALL \
    docker.io/fphammerle/borgbackup-sshd

$ borg init --encryption=editme ssh://borg@127.0.0.1:2200//repository

$ borg create --stats ssh://borg@127.0.0.1:2200//repository::{hostname}-{utcnow} \
    ~/documents ~/photos ...

sudo docker may be replaced with podman.

Pre-built docker images are available at https://hub.docker.com/r/fphammerle/borgbackup-sshd/tags (mirror: https://quay.io/repository/fphammerle/borgbackup-sshd?tab=tags)

Annotation of signed git tags docker/* contains docker image digests: https://github.com/fphammerle/docker-borgbackup-sshd/tags

Detached signatures of images are available at https://github.com/fphammerle/container-image-sigstore (exluding automatically built latest tag).

Add Additional Repositories

$ sudo docker run --name borgbackup_sshd \
    -v repo_foo:/some/where/repo-foo \
    -e REPO_PATH_foo=/some/where/repo-foo \
    -e SSH_CLIENT_PUBLIC_KEYS_foo="$(cat keys-foo.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_foo="$(cat keys-foo-append-only.pub)" \
    ...
    -v repo_bar:/some/where/else/bar \
    -e REPO_PATH_bar=/some/where/else/bar \
    -e SSH_CLIENT_PUBLIC_KEYS_bar="$(cat keys-bar.pub)" \
    -e SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY_bar="$(cat keys-bar-append-only.pub)" \
    ...

Currently, individual keys may be authorized either for a single repository or for all repositories via SSH_CLIENT_PUBLIC_KEYS_ALL:

$ sudo docker run --name borgbackup_sshd \
    -v repo_foo:/some/where/repo-foo \
    -e REPO_PATH_foo=/some/where/repo-foo \
    -v repo_bar:/some/where/else/bar \
    -e REPO_PATH_bar=/some/where/else/bar \
    ...
    -e SSH_CLIENT_PUBLIC_KEYS_ALL="$(cat ~/.ssh/id_*.pub)" \
    ...

Docker Compose 🐙

  1. git clone https://github.com/fphammerle/docker-borgbackup-sshd
  2. Add public keys to docker-compose.yml
  3. docker-compose up --build