SSH support for Azure App Service on Linux

Secure Shell (SSH) is a cryptographic network protocol for using network services securely. It is most commonly used to log in to a remote system from the command line and run administrative commands.

App Service on Linux provides SSH support into the app container with each of the built-in Docker images used for the Runtime Stack of new web apps.

You can also use SSH with your custom Docker images by including the SSH server as part of the image and configuring it as described in this article.

Making a client connection

To make an SSH client connection, the main site must be started.

Paste the Source Control Management (SCM) endpoint for your web app into your browser using the following form:

https://<your sitename>

If you are not already authenticated, you are required to authenticate with your Azure subscription to connect.

SSH support with custom Docker images

In order for a custom Docker image to support SSH communication between the container and the client in the Azure portal, perform the following steps for your Docker image.

These steps are shown in the Azure App Service repository as an example.

  1. Include the openssh-server installation in a RUN instruction in the Dockerfile for your image and set the password for the root account to "Docker!".


    This configuration does not allow external connections to the container. SSH can only be accessed via the Kudu / SCM Site, which is authenticated using the publishing credentials.

    # ------------------------
    # SSH Server support
    # ------------------------
    RUN apt-get update \
        && apt-get install -y --no-install-recommends openssh-server \
        && echo "root:Docker!" | chpasswd
  2. Add a COPY instruction to the Dockerfile to copy an sshd_config file to the /etc/ssh/ directory. Your configuration file should be based on the sshd_config file in the Azure-App-Service GitHub repository.


    The sshd_config file must include the following or the connection fails:

    • Ciphers must include at least one of the following: aes128-cbc,3des-cbc,aes256-cbc.
    • MACs must include at least one of the following: hmac-sha1,hmac-sha1-96.

    COPY sshd_config /etc/ssh/
  3. Include port 2222 in the EXPOSE instruction for the Dockerfile. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal-only port, accessible only by containers within the bridge network of a private virtual network.

    EXPOSE 2222 80
  4. Make sure to start the SSH service using a shell script (see example at

    service ssh start

The Dockerfile uses the ENTRYPOINT instruction to run the script.

COPY startup /opt/startup
RUN chmod 755 /opt/startup/
ENTRYPOINT ["/opt/startup/"]
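
A check for the two sshd_config requirements listed in step 2, which can be run before the image is built. It is an added example, not part of the original article or the Azure-App-Service repository. The function names and the sample file are constructed for illustration, and treating a missing or commented-out directive as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example: verify an sshd_config against the Ciphers/MACs requirements in step 2.

# Print the value of the first occurrence of a keyword. sshd uses the first
# value it reads, keywords are case-insensitive, and "#" starts a comment.
sshd_value() {
    awk -v key="$1" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(key) { $1 = ""; gsub(/[ \t]/, ""); print; exit }
    ' "$2"
}

# Succeed if comma-separated list $1 contains at least one name from list $2.
has_any() {
    case "$1" in -*) return 1 ;; esac    # a "-list" removes algorithms
    list=${1#[+^]}                       # a "+list" or "^list" adds to the defaults
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$list," in *",$want,"*) return 0 ;; esac
    done
    return 1
}

# Return 0 only if both requirements from the article are met.
check_sshd_config() {
    rc=0
    if ! has_any "$(sshd_value Ciphers "$1")" "aes128-cbc,3des-cbc,aes256-cbc"; then
        echo "FAIL: Ciphers has none of aes128-cbc, 3des-cbc, aes256-cbc" >&2; rc=1
    fi
    if ! has_any "$(sshd_value MACs "$1")" "hmac-sha1,hmac-sha1-96"; then
        echo "FAIL: MACs has none of hmac-sha1, hmac-sha1-96" >&2; rc=1
    fi
    return $rc
}

# Constructed sample config (not the file from the Azure-App-Service repository).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Ciphers aes128-cbc,3des-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha1-96
EOF
check_sshd_config "$sample" && echo "OK: both requirements met"
rm -f "$sample"
```

To use it on a real file, call `check_sshd_config ./sshd_config` in the build pipeline and stop the build on a non-zero exit status.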

Next steps

You can post questions and concerns on the Azure forum.

For more information on Web App for Containers, see: