KeyBox is an open-source web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users. More information on sshkeybox.com or GitHub.
$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 adito/keybox
You can replace /my/own/datadir with your preferred path on your host.
Now you can access KeyBox at https://host-ip:8443.
The default user is admin and the default password is changeme.
All possible environment variables with their default values are listed below.
- set to true to regenerate and import SSH keys
- SSH key type: 'dsa', 'rsa', or 'ecdsa' for generated keys
- sshKeyLength: SSH key length for generated keys. 2048 for 'rsa' and 'dsa'; 521 for 'ecdsa'
- private SSH key; leave blank to generate a key pair
- public SSH key; leave blank to generate a key pair
- default passphrase; leave blank for a key without a passphrase
- enable audit
- number of days to keep audit logs
- the number of seconds the client waits before sending a null packet to the server to keep the connection alive
- default timeout in minutes for the websocket connection (no timeout for <=0)
- enable SSH agent forwarding
- oneTimePassword: enable two-factor authentication with a one-time password: 'required', 'optional', or 'disabled'
- set to false to disable key management. If false, the KeyBox public key is appended to the authorized_keys file instead of the file being overwritten completely.
- set to true to generate keys when they are added/managed by users and to enforce strong passphrases; set to false to allow users to set their own public key
- authorized_keys refresh interval in minutes (no refresh for <=0)
- regular expression to enforce the password policy
- passwordComplexityMsg: password complexity error message (default: Passwords must be 8 to 20 characters\, contain one digit\, one lowercase\, one uppercase\, and one special character)
- clientIPHeader: HTTP header used to identify the client IP address, e.g. 'X-FORWARDED-FOR'
- specify an external authentication module (e.g. ldap-ol, ldap-ad). Edit the jaas.conf to set connection details
- dbPath: path to the H2 DB file. Leave blank to use the default location, ../WEB-INF/classes/keydb
- maxActive: max connections in the connection pool
- testOnBorrow: when true, objects are validated before being returned by the connection pool
- minIdle: the minimum number of objects allowed in the connection pool before spawning new ones
- maxWait: the maximum time (in milliseconds) to block before throwing an exception when the connection pool is exhausted
- auditLogAppender: set an audit log server using log4j (e.g. logstash). Edit the log4j.xml to configure the appender.
- enableOTP: enable two-factor authentication
$ docker run -d -v /my/own/datadir:/a/keydb -p 8443:8443 -e oneTimePassword=disabled -e sshKeyLength=4096 adito/keybox
In this example two-factor authentication is disabled and the SSH key length is extended to 4096 bits.
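The command above, wrapped in a small POSIX shell function added here as an example (it is not part of the adito/keybox image or the KeyBox project): it assembles the docker run line from the host data directory, the oneTimePassword value and the sshKeyLength value, refuses a oneTimePassword outside the three documented values and a world-writable data directory (the mounted directory holds the H2 DB with the generated private key), and only prints the command rather than running it.

```shell
#!/bin/sh
# Added example; not code from the adito/keybox image or the KeyBox project.
# Prints the `docker run` line for this image from a few settings and rejects
# values the README documents as invalid, so a typo does not silently leave
# two-factor authentication off. Nothing is started.
#
# Usage: keybox_run_cmd <host datadir> <oneTimePassword> <sshKeyLength>

keybox_run_cmd() {
    datadir=$1; otp=$2; keylen=$3

    # The host directory is mounted at /a/keydb and holds the H2 DB, including
    # the generated private key: it must exist and must not be world-writable.
    [ -d "$datadir" ] || { echo "datadir '$datadir' does not exist" >&2; return 1; }
    if [ -n "$(find "$datadir" -prune -perm -002)" ]; then
        echo "datadir '$datadir' is world-writable" >&2; return 1
    fi

    # oneTimePassword accepts only the three values the README lists.
    case "$otp" in
        required|optional|disabled) ;;
        *) echo "oneTimePassword must be required, optional or disabled" >&2; return 1 ;;
    esac

    # sshKeyLength must be a whole number (README default: 2048 for rsa/dsa).
    case "$keylen" in
        ''|*[!0-9]*) echo "sshKeyLength must be an integer" >&2; return 1 ;;
    esac

    printf 'docker run -d -v %s:/a/keydb -p 8443:8443 -e oneTimePassword=%s -e sshKeyLength=%s adito/keybox\n' \
        "$datadir" "$otp" "$keylen"
}
```

Paths containing spaces are not quoted in the printed command; pass a plain path such as /my/own/datadir.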
If you use docker-compose you can get an example "docker-compose.yml" in my GitHub repository.
This image is officially supported on Docker version 1.9.1.
Support for older versions (down to 1.6) is provided on a best-effort basis.
If you have any problems with or questions about this image, please contact us through a GitHub issue.