A minimal SSH server built with Twisted Conch that creates a dedicated Docker container for each new SSH connection.
Each user session runs inside its own isolated container. When the session ends, the container is stopped and replaced.
This project is experimental and still evolving.
⚠️ Not suitable for production env at all.Yet 🙃
Provide SSH access where:
- Each connection gets its own container
- Sessions are isolated from each other
- Containers are ephemeral
- The host system remains protected
-
The server listens for SSH connections.
-
The user authenticates via public key.
-
A container is claimed from a pool.
-
The SSH session is attached to
/bin/bashinside the container. -
When the user disconnects:
- The container is stopped and removed
- A new container is created to maintain the pool size
SSH Client
↓
Twisted Conch SSH Server
↓
Container Pool
↓
docker exec → /bin/bash
-
DockerContainerFactory Creates containers (default image:
debian:12). -
DockerContainerPool Maintains a fixed number of ready containers.
-
DockerizedAvatar Binds the SSH session to a shell running inside a container.
-
Realm Assigns one container per authenticated user.
- Python 3.10+
- Docker (or compatible runtime)
- Twisted
- docker Python SDK
Install dependencies:
pip install twisted docker zope.interfacepython server.pyServer listens on:
localhost:8007
Connect with:
ssh -p 8007 user@localhostAuthentication uses system authorized_keys.
- Basic container pool logic
- No advanced security hardening yet
- Limited error handling
- No production guarantees
Using ACL (on AppArmor)
sudo setfacl -m u:$USER:r-- /etc/ssh/ssh_host_*_keyRestore (to be able to run OpenSsh server for example)
sudo setfacl -b /etc/ssh/ssh_host_*_key