@eldondev
Last active August 29, 2015 14:12
The gist that shall not be spoken of.
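# Builds a throwaway sshd whose public-key check is delegated to /sbin/go.
# The accompanying patch makes sshd hand the key the client *offered* to
# AuthorizedKeysCommand on stdin, and `go` simply echoes that key back, so the
# resulting daemon accepts ANY public key. Lab/CTF use only; never expose it.
FROM stage3

# openssh-6.7p1.tar.gz and `patch` come from the build context. ADD unpacks
# the tarball in place. Nothing verifies the tarball's checksum/signature here;
# do that before it enters the build context.
RUN mkdir /build
ADD openssh-6.7p1.tar.gz /build
COPY patch /build/patch
WORKDIR /build/openssh-6.7p1

# -p1 strips the a/ b/ prefixes; -l ignores whitespace differences in context.
# patch/configure/make/install chained in one layer so the image history does
# not carry a separately cached half-built tree.
RUN patch -p1 -l <../patch && ./configure && make && make install

# sshd requires AuthorizedKeysCommand to be root-owned and not group/world
# writable; 500 also keeps the script readable only by root (the configured
# AuthorizedKeysCommandUser).
COPY go /sbin/
RUN chmod 500 /sbin/go
COPY sshd_config /usr/local/etc/

# presumably so sshd's lastlog update finds the file -- TODO confirm
RUN touch /var/log/lastlog

# exec form: sshd is PID 1 and receives `docker stop` signals directly instead
# of being a child of /bin/sh. Add -e if the image has no syslog, so logs go
# to stderr.
CMD ["/usr/local/sbin/sshd", "-D"]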
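#!/bin/bash
# AuthorizedKeysCommand for the patched sshd (sshd_config: AuthorizedKeysCommand
# /sbin/go, run as root). The patched user_key_command_allowed2() writes the key
# the client *offered* to this script's stdin; whatever this script prints is
# treated by sshd as authorized_keys content. Echoing the first line back
# therefore authorizes every key a client presents: an accept-anything backdoor,
# not a key lookup. Lab use only.
umask 077          # /log keeps the last offered key; don't create it world-readable
head -n 1 >/log    # the single line written by key_write() in the parent sshd
cat /log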
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0fd27bb..aa1864b 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -507,9 +507,10 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
int ok, found_key = 0;
struct passwd *pw;
struct stat st;
- int status, devnull, p[2], i;
+ int status, devnull, p[2], sp[2], i;
pid_t pid;
char *username, errmsg[512];
+ FILE *writeKey;
if (options.authorized_keys_command == NULL ||
options.authorized_keys_command[0] != '/')
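Review bot: `writeKey` breaks the snake_case used by every other local in this function (`found_key`, `devnull`, `username`); rename it, e.g. `FILE *key_fp = NULL;`. Initialising it to NULL also lets any future error path between fdopen and fclose test the pointer safely. user_key_command_allowed2 continues outside this hunk.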
@@ -544,7 +545,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
goto out;
}
- if (pipe(p) != 0) {
+ if (pipe(p) != 0 || pipe(sp) != 0) {
error("%s: pipe: %s", __func__, strerror(errno));
goto out;
}
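Review bot: With `pipe(p) != 0 || pipe(sp) != 0`, a failure of the second pipe() leaks p[0] and p[1], because the `goto out` cleanup (outside the hunk) does not know p was already opened. Split the two calls so the sp failure path closes p first. The rest of user_key_command_allowed2 is outside this hunk.
```c
	if (pipe(p) != 0) {
		error("%s: pipe: %s", __func__, strerror(errno));
		goto out;
	}
	if (pipe(sp) != 0) {
		error("%s: pipe: %s", __func__, strerror(errno));
		close(p[0]);
		close(p[1]);
		goto out;
	}
```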
@@ -563,18 +564,16 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
error("%s: fork: %s", __func__, strerror(errno));
close(p[0]);
close(p[1]);
+ close(sp[0]);
+ close(sp[1]);
return 0;
case 0: /* child */
for (i = 0; i < NSIG; i++)
signal(i, SIG_DFL);
- if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
- error("%s: open %s: %s", __func__, _PATH_DEVNULL,
- strerror(errno));
- _exit(1);
- }
/* Keep stderr around a while longer to catch errors */
- if (dup2(devnull, STDIN_FILENO) == -1 ||
+ close(sp[1]);
+ if (dup2(sp[0],STDIN_FILENO) == -1 ||
dup2(p[1], STDOUT_FILENO) == -1) {
error("%s: dup2: %s", __func__, strerror(errno));
_exit(1);
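Review bot: The child dup2()s sp[0] onto stdin but never closes the original sp[0], so the command inherits a second descriptor on the read end of the key pipe; add `close(sp[0]);` after the dup2 block, next to the existing close of p[1] if that is where the original devnull descriptor was closed (that cleanup is outside the hunk, so I cannot confirm it). Closing sp[1] before the dup2 is correct: it is what lets the command see EOF once the parent closes its write end.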
@@ -593,7 +592,12 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
_exit(1);
}
/* stdin is pointed to /dev/null at this point */
- if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
+ strerror(errno));
+ _exit(1);
+ }
+ if (dup2(devnull, STDERR_FILENO) == -1) {
error("%s: dup2: %s", __func__, strerror(errno));
_exit(1);
}
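Review bot: The context comment `/* stdin is pointed to /dev/null at this point */` is now false: stdin is the key pipe (`dup2(sp[0], STDIN_FILENO)` in the previous hunk) and only stderr is redirected here. Replace it with `/* stdin is the key pipe from the parent; stderr goes to /dev/null now that the error checks are done */`. The /dev/null descriptor opened here should also be closed after the dup2 so the command does not inherit it; whether the original `close(devnull)` survived the move is outside the hunk.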
@@ -605,6 +609,10 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
options.authorized_keys_command, strerror(errno));
_exit(127);
default: /* parent */
+ close(sp[0]);
+ writeKey = fdopen(sp[1], "w");
+ key_write(key,writeKey);
+ fclose(writeKey);
break;
}
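Review bot: `fdopen(sp[1], "w")` can return NULL and `key_write()` can fail, yet both results are ignored: a NULL FILE here is a crash in the parent sshd process before the user is authenticated. Check fdopen and, on failure, close sp[1] so the command still sees EOF, and log a failed key_write instead of silently feeding the command an empty or partial key (sketch below). If the command exits without reading stdin, the write fails with EPIPE or SIGPIPE depending on sshd's signal setup outside this file, which the parent should tolerate. Independently of the code, this patch hands the client's offered key to a root-run AuthorizedKeysCommand whose output sshd treats as authorized_keys; with the `/sbin/go` in this gist simply echoing stdin, every presented key is accepted, so this is an accept-anything sshd rather than a key-delivery feature.
```c
	default: /* parent */
		close(sp[0]);
		if ((writeKey = fdopen(sp[1], "w")) == NULL) {
			error("%s: fdopen: %s", __func__, strerror(errno));
			close(sp[1]);	/* command sees EOF on an empty stdin */
		} else {
			if (!key_write(key, writeKey))
				error("%s: key_write failed", __func__);
			if (fclose(writeKey) != 0)
				error("%s: fclose: %s", __func__, strerror(errno));
		}
		break;
```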
# Minimal sshd_config for the patched build (installed to /usr/local/etc by the
# Dockerfile). These keywords are independent, so their order does not matter.

# The user's own authorized_keys is still consulted alongside the command below.
AuthorizedKeysFile .ssh/authorized_keys

# Key lookup is delegated to /sbin/go, run as root. With the patch in this gist,
# sshd feeds the *offered* key to the command's stdin and `go` echoes it back,
# so every presented key is "authorized": an accept-anything backdoor, not an
# authentication policy. Upstream recommends a dedicated unprivileged
# AuthorizedKeysCommandUser; root is used here, presumably because `go` writes
# /log -- confirm before changing.
AuthorizedKeysCommandUser root
AuthorizedKeysCommand /sbin/go

UsePrivilegeSeparation sandbox # Default for new installations.

Subsystem sftp /usr/local/libexec/sftp-server