diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 98e537e6dc6f7409eea3bcfbb57b8f3dd159b267..a847a94a73192ee494aa8886cbd773dc7c89666c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -105,3 +105,18 @@ push-httpd-bullseye:
   needs:
     - job: build-httpd-bullseye
       artifacts: true
+
+# sshd image:
+
+build-sshd:
+  extends: .build
+  variables:
+    CONTEXT: sshd
+
+push-sshd:
+  extends: .push
+  variables:
+    IMAGE: sshd
+  needs:
+    - job: build-sshd
+      artifacts: true
diff --git a/sshd/.dockerignore b/sshd/.dockerignore
new file mode 100644
index 0000000000000000000000000000000000000000..91445b94f5921ddc8269189c6eda60e8ddd65531
--- /dev/null
+++ b/sshd/.dockerignore
@@ -0,0 +1,2 @@
+*
+!entrypoint
diff --git a/sshd/Dockerfile b/sshd/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..3dd2a2a73447ca7e36297cd748747e2114773cb2
--- /dev/null
+++ b/sshd/Dockerfile
@@ -0,0 +1,17 @@
+ARG BASEIMAGE=debian:testing-slim
+FROM ${BASEIMAGE}
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        netcat-openbsd \
+        openssh-server \
+    && \
+    rm -f /etc/ssh/ssh_host_* && \
+    echo > /etc/ssh/sshd_config && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
+COPY entrypoint /entrypoint
+EXPOSE 22
+ENTRYPOINT ["/entrypoint"]
+HEALTHCHECK --start-period=5m CMD echo | nc localhost 22 | grep -q 'SSH-2.0-OpenSSH'
+ENV SSHD_ARGS="-De -o 'PermitRootLogin no' -o 'PasswordAuthentication no' -o 'ChallengeResponseAuthentication no' -o 'PrintMotd no' -o 'PidFile none' -o 'Subsystem sftp /usr/lib/openssh/sftp-server'"
+ENV EXTRA_SSHD_ARGS=""
+CMD ["/usr/sbin/sshd", "$SSHD_ARGS", "$EXTRAS_SSHD_ARGS"]
diff --git a/sshd/README.md b/sshd/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..fc4f30f7645645b0cf1919cdb349e60460a08fa4
--- /dev/null
+++ b/sshd/README.md
@@ -0,0 +1,3 @@
+# sshd
+
+> A dockerized SSH daemon.
diff --git a/sshd/entrypoint b/sshd/entrypoint
new file mode 100755
index 0000000000000000000000000000000000000000..2adaa67fd52d46a7b7844ecf1e2af822cac5fd7b
--- /dev/null
+++ b/sshd/entrypoint
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eux
+
+if [ ! -f /etc/ssh/moduli ]
+then
+    ssh-keygen -G /etc/ssh/moduli.candidates
+    ssh-keygen -T /etc/ssh/moduli -f /etc/ssh/moduli.candidates
+    rm /etc/ssh/moduli.candidates
+fi
+ssh-keygen -A
+mkdir -p /run/sshd
+
+eval 'exec "$@"'