KeyBox is an open-source web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users. More information on sshkeybox.com or GitHub.

dbPath maxActive testOnBorrow minIdle maxWait

auditLogAppender enableOTP

oneTimePassword clientIPHeader

$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 adito/keybox

You can replace /my/own/datadir with your preferred path on your host.

Now you can access keybox at https://host-ip:8443.

The default user is admin and the default password is changeme.

All possible environment variables with their default values are listed below.

set to true to regenerate and import SSH keys

SSH key type 'dsa', 'rsa', or 'ecdsa' for generated keys

SSH key length for generated keys. 2048 => 'rsa','dsa'; 521 => 'ecdsa'

private ssh key, leave blank to generate key pair

public ssh key, leave blank to generate key pair

default passphrase, leave blank for key without passphrase

enable audit

keep audit logs for in days

The number of seconds that the client will wait before sending a null packet to the server to keep the connection alive

default timeout in minutes for websocket connection (no timeout for <=0)

enable SSH agent forwarding

enable two-factor authentication with a one-time password - 'required', 'optional', or 'disabled'

set to false to disable key management. If false, the KeyBox public key will be appended to the authorized_keys file (instead of it being overwritten completely).

set to true to generate keys when added/managed by users and enforce strong passphrases set to false to allow users to set their own public key

authorized_keys refresh interval in minutes (no refresh for <=0)

Regular expression to enforce password policy

Password complexity error message

HTTP header to identify client IP Address - 'X-FORWARDED-FOR'

specify a external authentication module (ex: ldap-ol, ldap-ad). Edit the jaas.conf to set connection details

Path to the H2 DB file. Leave Blank to use default location which is ../WEB-INF/classes/keydb

Max connections in the connection pool

When true, objects will be validated before being returned by the connection pool

The minimum number of objects allowed in the connection pool before spawning new ones

The maximum amount of time (in milliseconds) to block before throwing an exception when the connection pool is exhausted

set an audit log server using log4j (ex: logstash). Edit the log4j.xml to configure appender.

enable two-factor authentication

$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 -e oneTimePassword=disabled -e sshKeyLength=4096 adito/keybox

In this example two-factor authentication is disabled and the SSH Key Length is extended to 4096 bits.

If you use docker-compose you can get a example "docker-compose.yml" in my GitHub Repository.

Edit the jaas.conf file and include the necessary data.

ldap-ad {
    //AD example config
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://172.16.0.1:389/DC=company,DC=com"
    //authIdentity="{USERNAME}"
    userFilter="(&(samAccountName={USERNAME})(objectClass=user))"
    authzIdentity="{displayName}" //set this to return full name
    java.naming.security.authentication="simple"
    java.naming.security.principal="CN=service ldap,OU=Active Directory,OU=Service Accounts,DC=company,DC=com"
    java.naming.security.credentials="passw0rd"
    useSSL=false
    debug=false;
};

This image is officially supported on Docker version 1.9.1.

Support for older versions (down to 1.6) is provided on a best-effort basis.

If you have any problems with or questions about this image, please contact us through a GitHub issue.