SSH support for Azure App Service on Linux

Secure Shell (SSH) is a cryptographic network protocol for using network services securely. It is most commonly used to log in to a remote system from a command line and execute administrative commands.

App Service on Linux provides SSH support into the app container with each of the built-in Docker images used for the Runtime Stack of new web apps.

Runtime Stacks

You can also use SSH with your custom Docker images by including the SSH server as part of the image and configuring it as described in this topic.

Making a client connection

To make an SSH client connection, the main site must be started.

Paste the Source Control Management (SCM) endpoint for your web app into your browser using the following form:

https://<your sitename>.scm.azurewebsites.net/webssh/host

If you are not already authenticated, you are required to authenticate with your Azure subscription to connect.

SSH connection

SSH support with custom Docker images

In order for a custom Docker image to support SSH communication between the container and the client in the Azure portal, perform the following steps for your Docker image.

These steps are shown in the Azure App Service repository as an example.

  1. Include the openssh-server installation in a RUN instruction in the Dockerfile for your image and set the password for the root account to "Docker!".

    Note

    This configuration does not allow external connections to the container. SSH can only be accessed via the Kudu / SCM Site, which is authenticated using the publishing credentials.

    # ------------------------
    # SSH Server support
    # ------------------------
    RUN apt-get update \
        && apt-get install -y --no-install-recommends openssh-server \
        && echo "root:Docker!" | chpasswd
    
  2. Add a COPY instruction to the Dockerfile to copy a sshd_config file to the /etc/ssh/ directory. Your configuration file should be based on our sshd_config file in the Azure-App-Service GitHub repository.

    Note

    The sshd_config file must include the following or the connection fails:

    • Ciphers must include at least one of the following: aes128-cbc,3des-cbc,aes256-cbc.
    • MACs must include at least one of the following: hmac-sha1,hmac-sha1-96.

    COPY sshd_config /etc/ssh/
    
  3. Include port 2222 in the EXPOSE instruction for the Dockerfile. Although the root password is known, port 2222 cannot be accessed from the internet. It is an internal-only port accessible only by containers within the bridge network of a private virtual network.

    EXPOSE 2222 80
    
  4. Make sure to start the ssh service using a shell script in the /bin directory.

    #!/bin/bash
    service ssh start
    

The Dockerfile uses the CMD instruction to run the script.

```docker
COPY init_container.sh /bin/
...
RUN chmod 755 /bin/init_container.sh
...
CMD ["/bin/init_container.sh"]
```
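
Before building the image, you can check the requirements from steps 2 and 3 with a short script. The following is an added example, not code from the Azure App Service repository; the function names and the sample files it writes are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: pre-build check for the requirements listed in the steps above.
# Function names and sample files are assumptions made for this illustration.

# Succeeds if keyword $2 in sshd_config $1 lists at least one algorithm from the
# comma-separated set $3. Keywords are case-insensitive and sshd uses the first
# value it reads, so scanning stops at the first match ("Keyword value" form only).
has_any() {
    awk -v key="$2" -v want="$3" '
        tolower($1) == tolower(key) {
            n = split($2, have, ","); m = split(want, need, ",")
            for (i = 1; i <= n; i++)
                for (j = 1; j <= m; j++)
                    if (have[i] == need[j]) found = 1
            exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeeds if an EXPOSE instruction in Dockerfile $1 lists port $2.
exposes_port() {
    awk -v port="$2" '
        toupper($1) == "EXPOSE" {
            for (i = 2; i <= NF; i++) { split($i, p, "/"); if (p[1] == port) found = 1 }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# $1 = sshd_config, $2 = Dockerfile. Prints each failure, returns the failure count.
check_image() {
    fails=0
    has_any "$1" Ciphers "aes128-cbc,3des-cbc,aes256-cbc" \
        || { echo "FAIL: Ciphers lacks aes128-cbc, 3des-cbc and aes256-cbc"; fails=$((fails + 1)); }
    has_any "$1" MACs "hmac-sha1,hmac-sha1-96" \
        || { echo "FAIL: MACs lacks hmac-sha1 and hmac-sha1-96"; fails=$((fails + 1)); }
    exposes_port "$2" 2222 \
        || { echo "FAIL: Dockerfile does not EXPOSE 2222"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: the MACs line omits both required algorithms.
demo=$(mktemp -d)
printf '%s\n' 'Port 2222' 'Ciphers aes128-cbc,aes256-ctr' 'MACs hmac-sha2-256' > "$demo/sshd_config"
printf '%s\n' 'FROM debian' 'COPY sshd_config /etc/ssh/' 'EXPOSE 2222 80' > "$demo/Dockerfile"
check_image "$demo/sshd_config" "$demo/Dockerfile" || echo "failed checks: $?"
```

To use it on your own image, call check_image with the paths to your sshd_config and Dockerfile, and fail the build when it returns a non-zero status.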

Next steps

See the following links for more information regarding Web App for Containers. You can post questions and concerns on our forum.