SSH Authentication Fix for Docker Deployments
This release fixes a critical bug where all SSH agents stopped authenticating after a Docker container restart (#11).
What was broken
Four issues in the container entrypoint combined to break SSH authentication on every restart:
- User recreation failed silently — the entrypoint searched for directories matching bbs-* but home directories are named by agent ID (e.g., 1, 2). SSH users were never recreated in the container's /etc/passwd, so sshd rejected all connections.
- File ownership was clobbered — a recursive chown reset all .ssh/authorized_keys files to www-data ownership before users were recreated. OpenSSH requires these files to be owned by the connecting user.
- sshd started too early — the SSH server launched before users existed in the system, guaranteeing auth failures during the startup window.
- Legacy SSH config was lost — the PubkeyAcceptedAlgorithms +ssh-rsa setting (required by OpenSSH 10 in the container) was only written during updates, not during container startup.
What's fixed
- SSH users are now recreated from the database with correct UID mapping
- File ownership is set correctly per-user (home dir user:www-data, .ssh/ dir user:user)
- sshd now starts after all users and SSH config are in place
- Legacy SSH compatibility config is written on every container start
- bbs-ssh-gate is now included in the Docker image (was previously missing)
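
A post-start check for the first two failure modes listed under "What was broken", as an added example (not the project's entrypoint code): it confirms that every agent home has a passwd entry and that its .ssh/authorized_keys is owned by that entry's UID. The homes root is an assumption passed as an argument, and users are matched on the passwd home field so no username scheme is assumed.

```shell
#!/bin/sh
# Added example: audit per-agent homes against a passwd file.
# Usage: check_agent_ssh HOMES_ROOT [PASSWD_FILE]
# HOMES_ROOT (assumption): directory holding the agent homes named 1, 2, ...
# Requires a stat that supports -c (GNU coreutils or BusyBox).
check_agent_ssh() {
    homes_root=$1
    passwd_file=${2:-/etc/passwd}
    problems=0
    for home in "$homes_root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        # Field 6 of passwd is the home directory; field 3 is the UID.
        entry=$(awk -F: -v h="$home" '$6 == h { print $1 ":" $3; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            # Failure mode 1: the user was never recreated in passwd.
            echo "MISSING-USER $home"
            problems=$((problems + 1))
            continue
        fi
        user=${entry%%:*}
        uid=${entry##*:}
        keys="$home/.ssh/authorized_keys"
        if [ ! -f "$keys" ]; then
            echo "NO-KEYS $home ($user)"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%u' "$keys")
        if [ "$owner" != "$uid" ]; then
            # Failure mode 2: ownership clobbered (e.g. by a recursive chown).
            echo "BAD-OWNER $keys owner=$owner expected=$uid ($user)"
            problems=$((problems + 1))
        else
            echo "OK $home ($user)"
        fi
    done
    # Exit status 0 only when every agent home passed.
    [ "$problems" -eq 0 ]
}
```

Run it inside the container once startup has finished; a non-zero exit status means at least one agent home failed the check, and the output names it.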
Upgrade
Pull the latest image and restart your container. No agent reconnection needed — existing agents will authenticate automatically once the container starts with the fix.
docker pull marcpope/borgbackupserver:latest
docker compose up -d