Well, each of the systems is on the same network (dockermain and attacker on a 10.x.x.x address, but the container on 172.17.0.4; see the ip addr output below), and yes, it did prompt me for the host's root password, but I thought it was not even possible to ssh into a container from another machine and then ssh again to the host system? I'm concerned, as I'm looking at Docker as a way to provide another layer of security/protection. I had thought that if an attacker had 100% control of a container, they had no way to access the host system without, say, a bug/compromising the host Docker daemon. That does not seem to be the case. I followed that guy's directions/Dockerfile, even removing the other ports, 80 and 443, from the Dockerfile. The commands I ran are below.
On host running docker:
$ docker run -d -P -t --name centos7-1 centos7-ssh
[docker@dockermain ssh_container]$ hostname
dockermain.localdomain
[docker@dockermain ssh_container]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
62ee503a4392 centos7-ssh "/usr/sbin/sshd -D" 3 minutes ago Up 3 minutes 0.0.0.0:32768->22/tcp centos7-1
From another CentOS VM (attacker) on the same physical host, I ran:
[attacker@attacker ~]$ ssh admin@dockermain -p 32768
The authenticity of host '[dockermain]:32768 ([10.0.2.225]:32768)' can't be established.
ECDSA key fingerprint is b2:6d:2e:71:57:e2:33:87:be:df:3f:82:6e:cd:cf:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[dockermain]:32768,[10.0.2.225]:32768' (ECDSA) to the list of known hosts.
admin@dockermain's password:
[admin@62ee503a4392 ~]$ sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for admin:
[root@62ee503a4392 ~]# ssh 10.0.2.225
The authenticity of host '10.0.2.225 (10.0.2.225)' can't be established.
ECDSA key fingerprint is b6:91:79:df:17:64:02:68:93:26:7e:de:73:54:35:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.225' (ECDSA) to the list of known hosts.
root@10.0.2.225's password:
Last login: Mon Mar 28 12:55:13 2016 from 172.17.0.4
[root@dockermain ~]# hostname
dockermain.localdomain
[admin@d669ee5ead02 ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:4/64 scope link
       valid_lft forever preferred_lft forever
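
Added example, not part of the original post: the "Last login ... from 172.17.0.4" line above shows the second hop arriving at the host's sshd as a network login from the container's bridge address, so it is visible in the host's SSH log. This Python sketch flags accepted logins whose source falls in the container subnet; the log lines are constructed, the 172.17.0.0/16 subnet is taken from the `ip addr` output, and the function name is hypothetical.

```python
import ipaddress
import re

# Container subnet, from the `ip addr` output in the post (172.17.0.4/16).
# Assumption: add any other Docker networks configured on the host.
CONTAINER_NETS = [ipaddress.ip_network("172.17.0.0/16")]

# OpenSSH logs successful authentications as "Accepted <method> for <user> from <ip> port <n>".
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample lines in the format sshd writes to the auth log.
SAMPLE_LOG = """\
Mar 28 12:40:02 dockermain sshd[1987]: Accepted publickey for docker from 10.0.2.15 port 40022 ssh2
Mar 28 12:55:13 dockermain sshd[2101]: Accepted password for root from 172.17.0.4 port 51514 ssh2
Mar 28 12:58:41 dockermain sshd[2150]: Failed password for root from 172.17.0.4 port 51530 ssh2
Mar 28 13:01:09 dockermain sshd[2188]: Accepted password for admin from 172.17.0.9 port 38811 ssh2
"""


def logins_from_containers(log_text, nets=CONTAINER_NETS):
    """Return (user, source_ip, method) for accepted SSH logins from container subnets."""
    hits = []
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if not match:
            continue  # failed attempts and unrelated lines are skipped
        try:
            src = ipaddress.ip_address(match.group("src"))
        except ValueError:
            continue  # source logged as something other than an IP literal
        if any(src in net for net in nets):
            hits.append((match.group("user"), str(src), match.group("method")))
    return hits


if __name__ == "__main__":
    for user, src, method in logins_from_containers(SAMPLE_LOG):
        print(f"host login from container network: user={user} src={src} method={method}")
```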