github marcpope/borgbackupserver v2.12.0

one month ago

SSH Authentication Fix for Docker Deployments

This release fixes a critical bug where all SSH agents stopped authenticating after a Docker container restart (#11).

What was broken

Four issues in the container entrypoint combined to break SSH authentication on every restart:

  • User recreation failed silently — the entrypoint searched for directories matching bbs-* but home directories are named by agent ID (e.g., 1, 2). SSH users were never recreated in the container's /etc/passwd, so sshd rejected all connections.
  • File ownership was clobbered — a recursive chown reset all .ssh/authorized_keys files to www-data ownership before users were recreated. OpenSSH requires these files to be owned by the connecting user.
  • sshd started too early — the SSH server launched before users existed in the system, guaranteeing auth failures during the startup window.
  • Legacy SSH config was lost — the PubkeyAcceptedAlgorithms +ssh-rsa setting (required by OpenSSH 10 in the container) was only written during updates, not during container startup.

What's fixed

  • SSH users are now recreated from the database with correct UID mapping
  • File ownership is set correctly per-user (home dir user:www-data, .ssh/ dir user:user)
  • sshd now starts after all users and SSH config are in place
  • Legacy SSH compatibility config is written on every container start
  • bbs-ssh-gate is now included in the Docker image (was previously missing)

Upgrade

Pull the latest image and restart your container. No agent reconnection needed — existing agents will authenticate automatically once the container starts with the fix.

docker pull marcpope/borgbackupserver:latest
docker compose up -d
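
To confirm after the restart that the first two failure modes under "What was broken" are gone, the check below (an added example, not the project's entrypoint code) flags any authorized_keys file whose owning UID has no passwd entry or resolves to the web user. The function name, its arguments and the homes path you pass in are assumptions; it relies on GNU stat, as found in Linux container images.

```shell
#!/bin/sh
# Added example, not part of borgbackupserver.
# audit_agent_homes HOMES_ROOT [PASSWD_FILE] [WEB_USER]
#   HOMES_ROOT  - directory holding the per-agent home dirs (assumption:
#                 pass whatever path your deployment uses)
#   PASSWD_FILE - passwd database to resolve UIDs against
#   WEB_USER    - account the release notes say ownership was reset to
# Prints one FAIL line per problem; returns 0 only if none were found.
audit_agent_homes() {
    homes_root=${1:?usage: audit_agent_homes HOMES_ROOT [PASSWD_FILE] [WEB_USER]}
    passwd_file=${2:-/etc/passwd}
    web_user=${3:-www-data}
    problems=0

    for home in "$homes_root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        keys="$home/.ssh/authorized_keys"
        [ -f "$keys" ] || continue      # directory is not an SSH agent home

        # Resolve the numeric owner of authorized_keys to an account name.
        keys_uid=$(stat -c %u "$keys")
        owner=$(awk -F: -v uid="$keys_uid" \
            '$3 == uid { print $1; exit }' "$passwd_file")

        if [ -z "$owner" ]; then
            # The SSH user was never recreated, so sshd cannot map the login.
            echo "FAIL $keys: uid $keys_uid has no passwd entry"
            problems=$((problems + 1))
        elif [ "$owner" = "$web_user" ]; then
            # The recursive chown overwrote the per-user ownership.
            echo "FAIL $keys: owned by web user $web_user"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Example, run inside the container (path is a placeholder):
#   audit_agent_homes /path/to/agent/homes
```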
