SSH support for Azure App Service on Linux
Secure Shell (SSH) is a cryptographic network protocol for using network services securely. It is most commonly used to log into a system remotely securely from a command-line and execute administrative commands remotely.
App Service on Linux provides SSH support into the app container with each of the built-in Docker images used for the Runtime Stack of new web apps.
You can also use SSH with your custom Docker images by including the SSH server as part of the image and configuring it as described in this article.
Making a client connection
To make an SSH client connection, the main site must be started.
Paste the Source Control Management (SCM) endpoint for your web app into your browser using the following form:
If you are not already authenticated, you are required to authenticate with your Azure subscription to connect.
SSH support with custom Docker images
In order for a custom Docker image to support SSH communication between the container and the client in the Azure portal, perform the following steps for your Docker image.
These steps are shown in the Azure App Service repository as an example.
RUNinstruction in the Dockerfile for your image and set the password for the root account to
This configuration does not allow external connections to the container. SSH can only be accessed via the Kudu / SCM Site, which is authenticated using the publishing credentials.
# ------------------------ # SSH Server support # ------------------------ RUN apt-get update \ && apt-get install -y --no-install-recommends openssh-server \ && echo "root:Docker!" | chpasswd
COPYinstruction to the Dockerfile to copy a sshd_config file to the /etc/ssh/ directory. Your configuration file should be based on the sshd_config file in the Azure-App-Service GitHub repository here.
The sshd_config file must include the following or the connection fails:
Ciphersmust include at least one of the following:
MACsmust include at least one of the following:
COPY sshd_config /etc/ssh/
Include port 2222 in the
EXPOSEinstruction for the Dockerfile. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal only port accessible only by containers within the bridge network of a private virtual network.
EXPOSE 2222 80
Make sure to start the SSH service using a shell script (see example at init_container.sh).
#!/bin/bash service ssh start
The Dockerfile uses the
ENTRYPOINT instruction to run the script.
```docker COPY startup /opt/startup ... RUN chmod 755 /opt/startup/init_container.sh ... ENTRYPOINT ["/opt/startup/init_container.sh"] ```
You can post questions and concerns on the Azure forum.
For more information on Web App for Containers, see: