Turn SSH users into API methods. Each Unix user maps to an API endpoint — SSH provides authentication and encryption out of the box, Docker packages and deploys the whole thing.
┌─────────────────────────────────────────────────────────┐
│ sshBasedApi Container │
│ │
│ ssh hello@host ──→ user "hello" ──→ /opt/sshAsApi/hello │
│ ssh greet@host ──→ user "greet" ──→ /opt/sshAsApi/greet │
│ ssh root@host ──→ admin shell ──→ commands/entry.sh │
│ │
│ Auth: SSH public-key or password (per method) │
│ Transport: encrypted SSH tunnel │
└─────────────────────────────────────────────────────────┘
The idea: instead of users, SSH user IDs represent API methods. Each method is a script or binary that runs when a client connects as that user. SSH handles authentication and encryption; Docker handles packaging and deployment.
docker build -t aitorpazos/sshasapi .Multi-architecture (amd64 + arm64):
docker buildx build --platform linux/amd64,linux/arm64 -t aitorpazos/sshasapi .Create a Dockerfile that extends the base image:
FROM aitorpazos/sshasapi
COPY hello /opt/sshAsApi/hello
RUN addApiMethod helloWhere hello is your method script:
#!/bin/bash
echo "World"# Generate admin SSH key
ssh-keygen -t ed25519 -f admin_key -N ""
cp admin_key.pub id_rsa.pub
# Build
docker build -t my-api .
# Run
docker run -d -p 2222:22 --name my-api my-api# Call the "hello" method (password auth by default after setup)
ssh -p 2222 hello@localhost
# Output: World
# Admin access (key-only)
ssh -i admin_key -p 2222 root@localhost helpConnect as root to manage the API:
| Command | Description |
|---|---|
help |
Show available commands |
shell |
Open interactive shell |
authConfig <method|ALL> <PASSWORD|PUBLIC_KEY> |
Set auth mode |
lsKey <method|ALL> |
List registered public keys |
addKey <method|ALL> <base64_key> |
Add a public key |
rmKey <method|ALL> <line_number> |
Remove a key by line number |
changePassword <method|ALL> |
Change method password |
# Switch "hello" to public-key auth
ssh -i admin_key -p 2222 root@localhost authConfig hello PUBLIC_KEY
# Add a client key (base64-encoded)
KEY=$(cat client.pub | base64 -w0)
ssh -i admin_key -p 2222 root@localhost addKey hello "$KEY"
# List keys for all methods
ssh -i admin_key -p 2222 root@localhost lsKey ALL
# Switch to password auth
ssh -i admin_key -p 2222 root@localhost authConfig hello PASSWORD
ssh -i admin_key -p 2222 root@localhost changePassword hello- Root access: public-key only,
ForceCommandrestricts to admin commands - API methods: public-key auth by default, configurable per method
- No forwarding: X11, TCP, agent, and tunnel forwarding all disabled
- No empty passwords: disabled by default
- Host keys: Ed25519, ECDSA, and RSA generated at build time
- Deprecated directives removed: no Protocol 1, no
UsePrivilegeSeparation, etc.
sshBasedApi/
├── Dockerfile # Base image (Debian Bookworm)
├── sshd_config # Hardened SSH server config
├── sshWrapper.sh # Entrypoint: manages sshd lifecycle
├── addApiMethod # Register a new API method (user)
├── commands/
│ ├── entry.sh # Admin command dispatcher
│ ├── help # Print help
│ ├── shell # Interactive shell
│ ├── authConfig # Configure auth per method
│ ├── addKey # Add SSH public key
│ ├── rmKey # Remove SSH public key
│ ├── lsKey # List SSH public keys
│ └── changePassword # Change method password
└── examples/
└── hello/ # Example: simple "hello world" API
├── Dockerfile
└── hello
Available on Docker Hub and GitHub Container Registry:
docker pull aitorpazos/sshasapi:latest
docker pull ghcr.io/aitorpazos/sshasapi:latestSupported platforms: linux/amd64, linux/arm64
GPL-3.0