Add SSH access template documentation

beran-t · beran-t · commit 36e7ae8c0138 · 2026-02-03T16:03:47.000-08:00
Adds a new template example showing how to enable SSH access to E2B
sandboxes using websocat as a WebSocket-to-SSH proxy. This is a manual
workaround while native SSH support is in development.

Includes:
- Template definition for SSH-ready sandbox
- Quick start guide for CLI users
- Connection methods (websocat and curl)
- SSH config shortcut for easier access
- SSH key authentication setup
- SCP file transfer examples
diff --git a/docs.json b/docs.json
@@ -120,7 +120,8 @@
                   "docs/template/examples/nextjs-bun",
                   "docs/template/examples/expo",
                   "docs/template/examples/desktop",
-                  "docs/template/examples/claude-code"
+                  "docs/template/examples/claude-code",
+                  "docs/template/examples/ssh-ready"
                 ]
               },
               "docs/template/migration-v2",
diff --git a/docs/template/examples/ssh-ready.mdx b/docs/template/examples/ssh-ready.mdx
@@ -0,0 +1,339 @@
+---
+title: "SSH Access"
+description: "Connect to your sandbox via SSH using a WebSocket proxy"
+---
+
+<Warning>
+This is a manual workaround. Native SSH support is planned but not yet available in E2B.
+This method uses websocat to proxy SSH connections over WebSocket through the sandbox's exposed ports.
+</Warning>
+
+SSH access enables remote terminal sessions, SCP/SFTP file transfers, and integration with tools that expect SSH connectivity. This guide shows how to create a template with SSH server and WebSocket proxy pre-configured.
+
+<Note>
+For simpler interactive terminal use cases, consider using the [PTY module](/docs/sandbox/pty) instead—it provides real-time bidirectional terminal communication without external SSH clients.
+</Note>
+
+## How it works
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  Your Machine                                               │
+│  ┌──────────┐     ProxyCommand     ┌──────────────────┐    │
+│  │   SSH    │ ──────────────────── │ websocat / curl  │    │
+│  │  Client  │                      │   (WebSocket)    │    │
+│  └──────────┘                      └────────┬─────────┘    │
+└─────────────────────────────────────────────┼──────────────┘
+                                              │
+                          wss://8081-<sandbox-id>.e2b.app
+                                              │
+┌─────────────────────────────────────────────┼──────────────┐
+│  E2B Sandbox                                ▼              │
+│                                    ┌──────────────────┐    │
+│                                    │    websocat      │    │
+│                                    │  (WS → TCP:22)   │    │
+│                                    └────────┬─────────┘    │
+│                                             │              │
+│                                    ┌────────▼─────────┐    │
+│                                    │   SSH Server     │    │
+│                                    │   (OpenSSH)      │    │
+│                                    └──────────────────┘    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+The WebSocket connection tunnels through E2B's port forwarding (`8081-<sandbox-id>.e2b.app`), and websocat inside the sandbox bridges it to the local SSH server.
+
+## Template definition
+
+<CodeGroup>
+
+```typescript JavaScript & TypeScript
+// template.ts
+import { Template, waitForPort } from 'e2b'
+
+export const template = Template()
+  .fromUbuntuImage('22.04')
+  .aptInstall(['openssh-server', 'wget'])
+  // Download websocat binary
+  .runCmd([
+    'wget -qO /usr/local/bin/websocat https://github.com/vi/websocat/releases/latest/download/websocat.x86_64-unknown-linux-musl',
+    'chmod a+x /usr/local/bin/websocat',
+  ])
+  // Configure SSH
+  .runCmd([
+    'mkdir -p /run/sshd',
+    // Enable password auth (use SSH keys in production)
+    "sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config",
+    // Set default password (change this!)
+    'echo "user:sandbox" | chpasswd',
+  ])
+  .copy('start_ssh.sh', '/start_ssh.sh')
+  .runCmd('chmod +x /start_ssh.sh')
+  .setStartCmd('/start_ssh.sh', waitForPort(8081))
+```
+
+```python Python
+# template.py
+from e2b import Template, wait_for_port
+
+template = (
+    Template()
+    .from_ubuntu_image("22.04")
+    .apt_install(["openssh-server", "wget"])
+    # Download websocat binary
+    .run_cmd([
+        "wget -qO /usr/local/bin/websocat https://github.com/vi/websocat/releases/latest/download/websocat.x86_64-unknown-linux-musl",
+        "chmod a+x /usr/local/bin/websocat",
+    ])
+    # Configure SSH
+    .run_cmd([
+        "mkdir -p /run/sshd",
+        # Enable password auth (use SSH keys in production)
+        "sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config",
+        # Set default password (change this!)
+        'echo "user:sandbox" | chpasswd',
+    ])
+    .copy("start_ssh.sh", "/start_ssh.sh")
+    .run_cmd("chmod +x /start_ssh.sh")
+    .set_start_cmd("/start_ssh.sh", wait_for_port(8081))
+)
+```
+
+</CodeGroup>
+
+```bash start_ssh.sh
+#!/bin/bash
+
+# Start SSH daemon
+/usr/sbin/sshd
+
+# Start WebSocket-to-SSH proxy on port 8081
+exec websocat -b --exit-on-eof ws-l:0.0.0.0:8081 tcp:127.0.0.1:22
+```
+
+## Build the template
+
+<CodeGroup>
+
+```typescript JavaScript & TypeScript
+// build.ts
+import { Template, defaultBuildLogger } from 'e2b'
+import { template as sshTemplate } from './template'
+
+await Template.build(sshTemplate, 'ssh-ready', {
+  cpuCount: 2,
+  memoryMB: 2048,
+  onBuildLogs: defaultBuildLogger(),
+})
+```
+
+```python Python
+# build.py
+from e2b import Template, default_build_logger
+from template import template as ssh_template
+
+Template.build(ssh_template, "ssh-ready",
+    cpu_count=2,
+    memory_mb=2048,
+    on_build_logs=default_build_logger(),
+)
+```
+
+</CodeGroup>
+
+## Quick start (CLI)
+
+You can also set this up manually without building a custom template:
+
+```bash
+# Create a sandbox from the base image
+e2b sbx create base
+
+# Inside the sandbox, install and start the SSH proxy
+sudo apt-get update && sudo apt-get install -y openssh-server
+sudo mkdir -p /run/sshd
+sudo wget -qO /usr/local/bin/websocat https://github.com/vi/websocat/releases/latest/download/websocat.x86_64-unknown-linux-musl
+sudo chmod a+x /usr/local/bin/websocat
+
+# Set a password for the user
+echo "user:sandbox" | sudo chpasswd
+
+# Start SSH and the WebSocket proxy
+sudo /usr/sbin/sshd
+websocat -b --exit-on-eof ws-l:0.0.0.0:8081 tcp:127.0.0.1:22
+```
+
+## Connect via SSH
+
+### Install websocat locally
+
+<Tabs>
+<Tab title="macOS">
+```bash
+brew install websocat
+```
+</Tab>
+<Tab title="Linux">
+```bash
+# Download binary
+sudo wget -qO /usr/local/bin/websocat https://github.com/vi/websocat/releases/latest/download/websocat.x86_64-unknown-linux-musl
+sudo chmod a+x /usr/local/bin/websocat
+```
+</Tab>
+</Tabs>
+
+### Connect using websocat
+
+```bash
+# Replace <sandbox-id> with your actual sandbox ID
+ssh -o 'ProxyCommand=websocat --binary -B 65536 - wss://8081-%h.e2b.app' <sandbox-id>
+```
+
+<Note>
+The `<sandbox-id>` serves as both the SSH "host" and is interpolated into the WebSocket URL via `%h`.
+Default credentials: username `user`, password `sandbox`.
+</Note>
+
+### Connect using curl (alternative)
+
+If you have curl with WebSocket support (macOS Homebrew or recent Linux):
+
+```bash
+# macOS with Homebrew curl
+ssh -o 'ProxyCommand=/opt/homebrew/opt/curl/bin/curl --no-progress-meter -N --http1.1 -T . wss://8081-%h.e2b.app' <sandbox-id>
+
+# Linux with modern curl (7.86+)
+ssh -o 'ProxyCommand=curl --no-progress-meter -N --http1.1 -T . wss://8081-%h.e2b.app' <sandbox-id>
+```
+
+### SSH config shortcut
+
+Add this to `~/.ssh/config` for easier access:
+
+```bash
+Host *.e2b
+    User user
+    ProxyCommand websocat --binary -B 65536 - wss://8081-%h.app
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+```
+
+Then connect with:
+
+```bash
+ssh <sandbox-id>.e2b
+```
+
+## SDK usage
+
+<CodeGroup>
+
+```typescript JavaScript & TypeScript
+import { Sandbox } from 'e2b'
+
+const sbx = await Sandbox.create('ssh-ready')
+
+const host = sbx.getHost(8081)
+console.log(`
+Sandbox ready!
+
+Connect with:
+  ssh -o 'ProxyCommand=websocat --binary -B 65536 - wss://${host}' user@localhost
+
+Or with curl:
+  ssh -o 'ProxyCommand=curl --no-progress-meter -N --http1.1 -T . wss://${host}' user@localhost
+
+Password: sandbox
+`)
+
+// Keep sandbox alive - it will timeout based on your settings
+// await sbx.kill()  // Call when done
+```
+
+```python Python
+from e2b import Sandbox
+
+sbx = Sandbox("ssh-ready")
+
+host = sbx.get_host(8081)
+print(f"""
+Sandbox ready!
+
+Connect with:
+  ssh -o 'ProxyCommand=websocat --binary -B 65536 - wss://{host}' user@localhost
+
+Or with curl:
+  ssh -o 'ProxyCommand=curl --no-progress-meter -N --http1.1 -T . wss://{host}' user@localhost
+
+Password: sandbox
+""")
+
+# Keep sandbox alive - it will timeout based on your settings
+# sbx.kill()  # Call when done
+```
+
+</CodeGroup>
+
+## Using SSH keys (recommended)
+
+For production use, configure SSH key authentication instead of passwords:
+
+<CodeGroup>
+
+```typescript JavaScript & TypeScript
+import { Sandbox } from 'e2b'
+
+const sbx = await Sandbox.create('ssh-ready')
+
+// Inject your public key
+const publicKey = 'ssh-rsa AAAA... your-key-here'
+await sbx.files.write('/home/user/.ssh/authorized_keys', publicKey)
+await sbx.commands.run('chmod 600 /home/user/.ssh/authorized_keys')
+await sbx.commands.run('chown -R user:user /home/user/.ssh')
+
+const host = sbx.getHost(8081)
+console.log(`Connect with: ssh -o 'ProxyCommand=websocat --binary -B 65536 - wss://${host}' user@localhost`)
+```
+
+```python Python
+from e2b import Sandbox
+
+sbx = Sandbox("ssh-ready")
+
+# Inject your public key
+public_key = "ssh-rsa AAAA... your-key-here"
+sbx.files.write("/home/user/.ssh/authorized_keys", public_key)
+sbx.commands.run("chmod 600 /home/user/.ssh/authorized_keys")
+sbx.commands.run("chown -R user:user /home/user/.ssh")
+
+host = sbx.get_host(8081)
+print(f"Connect with: ssh -o 'ProxyCommand=websocat --binary -B 65536 - wss://{host}' user@localhost")
+```
+
+</CodeGroup>
+
+To disable password authentication entirely, modify the template:
+
+```typescript
+.runCmd("sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config")
+```
+
+## File transfer with SCP
+
+Once SSH is working, you can use SCP for file transfers:
+
+```bash
+# Upload a file
+scp -o 'ProxyCommand=websocat --binary -B 65536 - wss://8081-%h.e2b.app' ./local-file.txt <sandbox-id>:/home/user/
+
+# Download a file
+scp -o 'ProxyCommand=websocat --binary -B 65536 - wss://8081-%h.e2b.app' <sandbox-id>:/home/user/remote-file.txt ./
+```
+
+## Alternatives
+
+| Approach | Best for |
+|----------|----------|
+| **[PTY module](/docs/sandbox/pty)** | Interactive terminals via SDK, no external tools needed |
+| **[E2B CLI](/docs/cli/connect-to-sandbox)** | Quick terminal access during development |
+| **SSH (this guide)** | Integration with SSH-based tools, SCP/SFTP, remote IDEs |
