this post was submitted on 11 Mar 2025

Docker


Over the week I've been dealing with the Kinsing virus via Docker on my VPS. I've been learning about it and I've come to find I've been thinking about Docker all wrong with the way that I was using it.

I enjoy using Portainer, so that's a must for me. I know Docker allows you to secure Docker sockets via context; docker context create vps --docker "host=ssh://user@vps".

I would like to use this method, via Portainer (locally) to connect to docker (remote) via SSH. Anyone know of a way to do this? I've been looking around and haven't found much.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

Not a Docker expert by any stretch, but I believe Portainer can only connect to the socket locally. If you were to bind that socket over an SSH tunnel, you’d be limiting your Portainer to managing a single machine. You’d also be dealing with broken pipe errors every time the connection went idle.

Given those limitations, it’s much easier (and, I’d argue, more secure) to just spin up a Portainer container on that machine.

If you absolutely must use SSH, see this thread for the only working solution AFAIK:

https://github.com/portainer/portainer/issues/431

[–] [email protected] 1 points 1 week ago

Yeah, granted it's a niche situation.

I think I've found a medium, though. I ended up setting Portainer agent on my VPS, and I've disallowed connections to everyone on that port but my IP via ufw; ufw allow from x.x.x.0/24 to any port 9001. I would still prefer to do it via SSH to hide behind the protocol and identity keys, but this will have to do. It doesn't seem like the Portainer devs even care about an issue like this, which is pretty fucked up because by default all docker systems exposed to the internet (unless you know what you're doing) are vulnerable to Kinsing.
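
Added example, not part of the thread: a small audit that reads `ss -H -ltn` output and flags Docker-related listeners bound to anything other than loopback, which is the check to run after setting up the agent and firewall rule described above. Port 9001 is the agent port from the thread; 2375/2376 are the conventional Docker Engine API TCP ports and are an assumption added here, as are the function names and the constructed sample input.

```sh
#!/bin/sh
# Flag Docker-related TCP listeners that are bound beyond loopback.
# Input on stdin: output of `ss -H -ltn`
#   (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port)
# 9001 = Portainer agent (from the thread); 2375/2376 = Docker Engine API
# over TCP (conventional ports, assumed here, not taken from the thread).
WATCH_PORTS="2375 2376 9001"

# audit_listeners: prints "EXPOSED <port> <bind-address>" per risky listener.
audit_listeners() {
    while read -r state recvq sendq local_addr rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${local_addr##*:}"     # text after the last colon
        addr="${local_addr%:*}"      # bind address, e.g. 0.0.0.0, [::], *
        for p in $WATCH_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.*|"[::1]") ;;    # loopback only: not reachable remotely
                *) echo "EXPOSED $port $addr" ;;
            esac
        done
    done
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:*
LISTEN 0 4096 [::]:9001 [::]:*
LISTEN 0 4096 *:2375 *:*
EOF
}

# On a real host run:  ss -H -ltn | audit_listeners
sample_ss_output | audit_listeners
```

A flagged listener is only a candidate for exposure; whether it is reachable depends on the firewall, and Docker's documentation notes that traffic to ports published by Docker is diverted before ufw's rules apply. Confirm the result by probing the port from a host outside the allowed range.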