Fetching contributors…
Cannot retrieve contributors at this time
33 lines (18 sloc) 2.4 KB
title: Application SSH Components and Processes
owner: Diego
<strong><%= modified_date %></strong>
This document describes details about the <%= vars.product_full %> SSH components for access to deployed application instances. <%= vars.product_full %> supports native SSH access to applications and load balancing of SSH sessions with the load balancer for your <%= vars.product_short %> deployment.
The [SSH Overview](../../devguide/deploy-apps/app-ssh-overview.html) document describes procedural and configuration information about application SSH access.
## <a id="ssh-components"></a>SSH Components
The <%= vars.product_short %> SSH includes the following central components, which are described in more detail below:
- An implementation of an SSH [proxy server](#diego-ssh-proxy).
- A lightweight SSH [daemon](#daemon).
If these components are deployed and configured correctly, they provide a simple and scalable way to access containers apps and other long running processes (LRPs).
## <a id='daemon'></a> SSH Daemon ##
The SSH daemon is a lightweight implementation that is built around the Go SSH library. It supports command execution, interactive shells, local port forwarding, and secure copy. The daemon is self-contained and has no dependencies on the container root file system.
The daemon is focused on delivering basic access to application instances in <%= vars.product_short %>. It is intended to run as an unprivileged process, and interactive shells and commands will run as the daemon user. The daemon only supports one authorized key, and it is not intended to support multiple users.
The daemon can be made available on a file server and Diego LRPs that want to use it can include a download action to acquire the binary and a run action to start it. <%= vars.product_short %> applications will download the daemon as part of the lifecycle bundle.
## <a id="diego-ssh-proxy"></a>SSH Proxy Authentication
The SSH proxy hosts the user-accessible SSH endpoint and is responsible for authentication, policy enforcement, and access controls in the context of <%= vars.product_short %>. After a user has successfully authenticated with the proxy, the proxy will attempt to locate the target container and create an SSH session to a daemon running inside the container. After both sessions have been established, the proxy will manage the communication between the user's SSH client and the container's SSH Daemon.