diff --git a/README.md b/README.md
index e03e4bc..0e0835a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # openconnect + tinyproxy + microsocks
-This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
+This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (on port 8889) and a sshd server (on port 22) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
 You can find the image on docker hub: https://hub.docker.com/r/wazum/openconnect-proxy
@@ -25,24 +25,44 @@ Optionally set a multi factor authentication code: OPENCONNECT_MFA_CODE= -You can also change the ports the proxies are listening on (these are the default values): +# SSH server + +To use the ssh server, mount your public key as volume with the `-v` option: + + docker run … -v ~/.ssh/id_rsa.pub:/tmp/public_key … + +or use the root password `docker`. The ssh server is listening on port 22. + +Set + + Host 127.0.0.1 + StrictHostKeyChecking no + UserKnownHostsFile=/dev/null + +in your `~/.ssh/config` on the host. - HTTPS_PROXY_PORT=8888 - SOCKS5_PROXY_PORT=8889 # Run container in foreground To start the container in foreground run: - docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy + docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy:latest + +The proxies are listening on ports 8888 (http/https) and 8889 (socks). +Either use `--net host` or `-p :8888 -p :8889` to make the proxy ports available on the host. + +Another example: + + docker run -it --rm --privileged --env-file=.env \ + -v ~/.ssh/id_rsa.pub:/tmp/public_key \ + -p 8888:8888 -p 8889:8889 -p 2222:22 wazum/openconnect-proxy:latest -Either use `--net host` or `-p 8888:8888 -p 8889:8889` to make the proxy ports available on the host. Without using a `.env` file set the environment variables on the command line with the docker run option `-e`: docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \ - -e OPENCONNECT_OPTIONS='' \ - -e OPENCONNECT_USER= … + -e OPENCONNECT_OPTIONS='' \ + -e OPENCONNECT_USER= … # Run container in background @@ -66,6 +86,7 @@ In daemon mode you can view the stderr log with `docker logs`: ports: - 8888:8888 - 8889:8889 + - 22:2222 networks: - mynetwork ``` diff --git a/build/Dockerfile b/build/Dockerfile index d148a95..fca61ff 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -19,6 +19,13 @@ RUN apk add --no-cache ca-certificates wget \
 && make install \
 && apk del .build-deps wget
+RUN apk add --no-cache openssh \
+ && echo "root:docker" | chpasswd \
+ && mkdir -p /root/.ssh \
+ && touch /root/.ssh/authorized_keys \
+ && chmod 700 /root/.ssh \
+ && chmod 600 /root/.ssh/authorized_keys
+
 # Use an up-to-date version of vpnc-script
 # https://www.infradead.org/openconnect/vpnc-script.html
 COPY vpnc-script /etc/vpnc/vpnc-script
@@ -29,10 +36,8 @@ COPY tinyproxy.conf /etc/tinyproxy.conf
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888}
-ENV SOCKS5_PROXY_PORT=${SOCKS5_PROXY_PORT:-8889}
-
-EXPOSE ${HTTPS_PROXY_PORT}
-EXPOSE ${SOCKS5_PROXY_PORT}
+EXPOSE 8888
+EXPOSE 8889
+EXPOSE 22
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index e196918..056535d 100644
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
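Review bot: The `echo "root:docker" | chpasswd` step in the new RUN layer bakes a fixed, publicly documented root password into every copy of a published image, and the README in this same commit tells users to run it with `--privileged` and `--net host`, which places that root login on port 22 of every host interface. If the step only exists to unlock the account so sshd accepts key logins (Alpine normally ships root locked, as far as I know), an unusable hash does that without creating a credential, e.g. `echo 'root:*' | chpasswd -e` if the busybox chpasswd here supports `-e`; a real password could then be set at run time by the entrypoint only when the operator supplies one. Whichever way it goes, a comment above the RUN line stating why the password is set would help the next reader.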
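Review bot: Dropping `ENV HTTPS_PROXY_PORT` and `ENV SOCKS5_PROXY_PORT` in the second hunk silently breaks existing `.env` files that set those variables: `docker run --env-file` still accepts them, but they no longer have any effect because the entrypoint hunk in this commit hardcodes 8888 and 8889. Either keep the previous interface alive in the entrypoint with `${HTTPS_PROXY_PORT:-8888}` and `${SOCKS5_PROXY_PORT:-8889}`, or call the removal out as a breaking change in the README/changelog. The compose example the README adds, `- 22:2222`, also looks reversed relative to `EXPOSE 22` (compose `ports` entries are host:container, so `2222:22` as in the README's own docker run example).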
@@ -1,14 +1,27 @@
 #!/bin/sh
+# Copy possibly mounted public key for ssh
+if test -f "/tmp/public_key"; then
+ cat /tmp/public_key > /root/.ssh/authorized_keys
+fi
+
 # Set proxy port
-sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf
+sed "s/^Port .*$/Port 8888/" -i /etc/tinyproxy.conf
 # Start proxy
-/usr/bin/tinyproxy -c /etc/tinyproxy.conf && echo "HTTP/S proxy listening on $HTTPS_PROXY_PORT"
+/usr/bin/tinyproxy -c /etc/tinyproxy.conf
 # Start socks5 proxy
-/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT &
-echo "socks5 proxy listening on $SOCKS5_PROXY_PORT"
+/usr/local/bin/microsocks -i 0.0.0.0 -p 8889 &
+
+# Start ssh server
+sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
+sed -i s/#AllowTCPForwarding.*/AllowTCPForwarding\ yes/ /etc/ssh/sshd_config
+sed -i s/#PermitTunnel.*/PermitTunnel\ yes/ /etc/ssh/sshd_config
+sed -i s/#AllowAgentForwarding.*/AllowAgentForwarding\ yes/ /etc/ssh/sshd_config
+sed -i s/#GatewayPorts.*/GatewayPorts\ yes/ /etc/ssh/sshd_config
+ssh-keygen -A
+/usr/sbin/sshd -4 -e
 # Start openconnect
 if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
@@ -21,3 +34,4 @@ elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
 # Standard authentication
 echo $OPENCONNECT_PASSWORD | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
 fi
+
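Review bot: The sshd block sets `PermitRootLogin yes` but leaves password authentication at its default, so the root password baked into the image by the Dockerfile is accepted over the network even when an operator has mounted `/tmp/public_key`, and together with `GatewayPorts yes` and `AllowTCPForwarding yes` any such login can bind forwarded ports on all interfaces and reach the VPN through the container. I would turn password logins off whenever a key is provided, and quote the sed expressions, which are currently unquoted words containing `.*` and `\ ` and therefore subject to pathname expansion and easy to break. The host keys produced by `ssh-keygen -A` disappear with the container, which is presumably why the README in this commit tells users to set `StrictHostKeyChecking no` and `UserKnownHostsFile=/dev/null`; persisting the generated `ssh_host_*` files in a volume would let that advice be dropped. The `if [[ -z "${OPENCONNECT_PASSWORD}" ]]` block at the end of the hunk continues outside it.
```shell
# Start ssh server
sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
if test -f "/tmp/public_key"; then
  # A key was mounted: do not also accept the image's built-in root password
  sed -i 's/#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
fi
# … unchanged: AllowTCPForwarding / PermitTunnel / AllowAgentForwarding / GatewayPorts edits, quoted the same way …
ssh-keygen -A
/usr/sbin/sshd -4 -e
```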