diff --git a/Dockerfile b/Dockerfile
index c3f0d44..8591e5b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,7 +53,7 @@ ARG PHP_VERSION
 ARG PHP_SERVER
 ARG SHELL_OPTS
-ARG PACK_LIST="btrfs-progs e2fsprogs e2fsprogs-extra git ip6tables iptables openssl pigz shadow-uidmap xfsprogs xz zfs docker docker-registry nginx "
+ARG PACK_LIST="btrfs-progs e2fsprogs e2fsprogs-extra git ip6tables iptables openssl pigz shadow-uidmap xfsprogs xz zfs docker docker-registry nginx openssh"
 ENV ENV=~/.profile
 ENV SHELL="/bin/sh"
diff --git a/rootfs/tmp/etc/ssh/sshd_config b/rootfs/tmp/etc/ssh/sshd_config
new file mode 100644
index 0000000..d962db7
--- /dev/null
+++ b/rootfs/tmp/etc/ssh/sshd_config
@@ -0,0 +1,35 @@
+Port 7833
+Protocol 2
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+LogLevel INFO
+
+HostKey REPLACE_SSH_CONF_DIR/ssh_host_ed25519_key
+HostKey REPLACE_SSH_CONF_DIR/ssh_host_rsa_key
+HostKey REPLACE_SSH_CONF_DIR/ssh_host_ecdsa_key
+
+AuthorizedKeysFile REPLACE_SSH_DATA_DIR/authorized_keys
+AuthorizedPrincipalsFile REPLACE_SSH_DATA_DIR/authorized_principals
+TrustedUserCAKeys REPLACE_SSH_DATA_DIR/gitea-trusted-user-ca-keys.pem
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+
+UseDNS no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+
+PermitUserEnvironment yes
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+AllowUsers gitea
+
+Banner none
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+AcceptEnv GIT_PROTOCOL
diff --git a/rootfs/usr/local/etc/docker/init.d/08-gitea.sh b/rootfs/usr/local/etc/docker/init.d/08-gitea.sh
index 45ad6d8..fd71504 100755
--- a/rootfs/usr/local/etc/docker/init.d/08-gitea.sh
+++ b/rootfs/usr/local/etc/docker/init.d/08-gitea.sh
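Review bot: `PermitUserEnvironment yes` in the new sshd_config enables processing of `environment=` options in authorized_keys and of the login user's `~/.ssh/environment`, which sshd's own documentation flags as a way to bypass access restrictions (e.g. via LD_PRELOAD or PATH) in forced-command setups; since the authorized_keys entries here are presumably written by Gitea rather than by end users the exposure is limited, but the only variable this file wants is already delivered by the `AcceptEnv GIT_PROTOCOL` line, so `PermitUserEnvironment no` should work, or at most the pattern-list form `PermitUserEnvironment GIT_PROTOCOL`. Separately, the `CASignatureAlgorithms` list ends with `ssh-rsa`, the SHA-1-based RSA signature scheme that current OpenSSH releases omit from their defaults; unless a legacy CA certificate format requires it, trimming that entry leaves only SHA-2 RSA and EC/Ed25519 algorithms. `Protocol 2` and `ChallengeResponseAuthentication` are legacy keywords (the first is ignored by modern sshd, the second is an alias for KbdInteractiveAuthentication), so both are harmless but could be dropped to keep the file minimal.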
@@ -252,12 +252,27 @@ __update_conf_files() {
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # replace variables
- # __replace "" "" "$CONF_DIR/gitea.conf"
+ __replace "REPLACE_SSH_CONF_DIR" "/config/ssh" "/config/ssh/sshd_config"
+ __replace "REPLACE_SSH_DATA_DIR" "$DATA_DIR/ssh" "/config/ssh/sshd_config"
 # replace variables recursively
 # __find_replace "" "" "$CONF_DIR"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # define actions
+ if [ ! -f /config/ssh/ssh_host_ed25519_key ]; then
+ echo "Generating /config/ssh/ssh_host_ed25519_key..."
+ ssh-keygen -t ed25519 -f /config/ssh/ssh_host_ed25519_key -N "" >/dev/null
+ fi
+ if [ ! -f /config/ssh/ssh_host_rsa_key ]; then
+ echo "Generating /config/ssh/ssh_host_rsa_key..."
+ ssh-keygen -t rsa -b 3072 -f /config/ssh/ssh_host_rsa_key -N "" >/dev/null
+ fi
+ if [ ! -f /config/ssh/ssh_host_ecdsa_key ]; then
+ echo "Generating /config/ssh/ssh_host_ecdsa_key..."
+ ssh-keygen -t ecdsa -b 256 -f /config/ssh/ssh_host_ecdsa_key -N "" >/dev/null
+ fi
+ chmod 0700 "$DATA_DIR/ssh" /config/ssh
+ chmod 0600 "$DATA_DIR/ssh"/* /config/ssh/*
 # exit function
 return $exitCode
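Review bot: The three `ssh-keygen` calls send stdout to /dev/null and are not error-checked, so a failed key generation (for example because /config/ssh does not exist yet, or the volume is read-only) is silent and `return $exitCode` still reports success even though sshd will later refuse to start on the `HostKey` lines that reference these files; appending `|| exitCode=1` to each `ssh-keygen` line (and a `mkdir -p /config/ssh "$DATA_DIR/ssh"` before the first `if`, unless an earlier part of the function already creates them) makes the failure visible. The `chmod 0600 "$DATA_DIR/ssh"/*` line also needs matching ownership: sshd reads `AuthorizedKeysFile`/`AuthorizedPrincipalsFile` with the target user's privileges, so if `$DATA_DIR/ssh` is root-owned the 0600 mode makes them unreadable to the `gitea` user and every key login is rejected; ownership is not visible in this hunk, but the usual arrangement is `chown -R gitea "$DATA_DIR/ssh"` before the chmod while /config/ssh stays root-owned for the host keys. Note as well that under plain sh the `"$DATA_DIR/ssh"/*` glob stays literal when the directory is empty, so `chmod` prints an error on a fresh volume. The enclosing `__update_conf_files` function continues past the end of the hunk.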