From 0805c5342037ebe98caa1752270de88495112d92 Mon Sep 17 00:00:00 2001
From: napnap75
Date: Sun, 10 Apr 2022 12:55:46 +0200
Subject: [PATCH] Added the sshd server
---
 .github/workflows/build.yml | 2 +-
 sshd/Dockerfile | 20 ++++++
 sshd/etc/cont-init.d/init-host-keys.sh | 7 ++
 sshd/etc/cont-init.d/init-sshd.sh | 88 ++++++++++++++++++++++++++
 sshd/etc/ssh/sshd_config.default | 25 ++++++++
 5 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 sshd/Dockerfile
 create mode 100755 sshd/etc/cont-init.d/init-host-keys.sh
 create mode 100755 sshd/etc/cont-init.d/init-sshd.sh
 create mode 100644 sshd/etc/ssh/sshd_config.default
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 70a5196..408c40a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- repository: [webhook, docker2mqtt, gandi, go-ipfs, http-tunnel, ipfs-cluster, mopidy, piwigo-souvenirs, restic-auto, restic-rest, shairport-sync, slack-eraser, snapserver, telegraf]
+ repository: [sshd, webhook, docker2mqtt, gandi, http-tunnel, mopidy, piwigo-souvenirs, restic-auto, restic-rest, shairport-sync, slack-eraser, snapserver, telegraf]
 steps:
 - name: Checkout
diff --git a/sshd/Dockerfile b/sshd/Dockerfile
new file mode 100644
index 0000000..2243d8d
--- /dev/null
+++ b/sshd/Dockerfile
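Review bot: The new `repository:` line does more than add `sshd`: it also removes `go-ipfs` and `ipfs-cluster` from the build matrix, which the commit message ("Added the sshd server") does not mention, so those two images silently stop being built. If retiring them is intended, say so in the description; otherwise keep them, e.g. `repository: [sshd, webhook, docker2mqtt, gandi, go-ipfs, http-tunnel, ipfs-cluster, mopidy, piwigo-souvenirs, restic-auto, restic-rest, shairport-sync, slack-eraser, snapserver, telegraf]`. The hunk header counts seven old lines but only six are visible here, so a blank context line was probably lost in rendering.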
@@ -0,0 +1,20 @@
+FROM alpine:edge AS builder
+
+ARG TARGETPLATFORM
+
+RUN apk add --no-cache curl jq \
+ && DOWNLOAD_ARCH=$(echo ${TARGETPLATFORM} | sed "s#linux/arm/v6#arm#" | sed "s#linux/arm/v7#armhf#" | sed "s#linux/arm64#aarch64#" | sed "s#linux/amd64#amd64#") \
+ && echo "DOWNLOAD_ARCH=${DOWNLOAD_ARCH}" \
+ && S6_DOWNLOAD_URL=$(curl -s https://api.github.com/repos/just-containers/s6-overlay/releases/latest | jq -r '.assets | map(select(.name == "s6-overlay-'${DOWNLOAD_ARCH}'.tar.xz"))[0].browser_download_url') \
+ && curl --retry 3 -L -s -o /tmp/s6-overlay.tar.xz $S6_DOWNLOAD_URL \
+ && mkdir /tmp/s6-overlay \
+ && tar -xf /tmp/s6-overlay.tar.xz -C /tmp/s6-overlay
+
+FROM alpine:edge
+
+RUN apk add --no-cache bash curl openssh-server rsync rrsync borgbackup
+COPY --from=builder /tmp/s6-overlay /
+ADD etc /etc/
+
+ENTRYPOINT ["/init"]
+CMD /usr/sbin/sshd -D -e
diff --git a/sshd/etc/cont-init.d/init-host-keys.sh b/sshd/etc/cont-init.d/init-host-keys.sh
new file mode 100755
index 0000000..b68221e
--- /dev/null
+++ b/sshd/etc/cont-init.d/init-host-keys.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ ! -f "/config/host_keys/ssh_host_rsa_key" ] ; then
+ mkdir -p /config/host_keys
+ ssh-keygen -t ed25519 -f /config/host_keys/ssh_host_ed25519_key -N "" < /dev/null
+ ssh-keygen -t rsa -b 4096 -f /config/host_keys/ssh_host_rsa_key -N "" < /dev/null
+fi
diff --git a/sshd/etc/cont-init.d/init-sshd.sh b/sshd/etc/cont-init.d/init-sshd.sh
new file mode 100755
index 0000000..86028c7
--- /dev/null
+++ b/sshd/etc/cont-init.d/init-sshd.sh
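Review bot: The builder stage downloads whatever `releases/latest` of s6-overlay resolves to at build time and extracts it with no integrity check, so the `/init` that ends up in the runtime image is not reproducible from this commit and a replaced or renamed release asset would be accepted silently; `curl -s` without `-f` also means an API error body (rate limit, 404) is piped into `jq`, which then yields `null`, and the build only fails later at `tar`. Pin the release through a build `ARG`, resolve it via the release-tag endpoint, and compare the archive against a recorded SHA-256 before extracting (one digest per `TARGETPLATFORM`, since the tarballs differ per architecture). `alpine:edge` in both `FROM` lines is a rolling tag with the same reproducibility problem; a fixed `alpine:3.x` tag or digest is preferable for the runtime stage. Two smaller points: `ADD etc /etc/` copies a plain directory and should be `COPY etc /etc/`, and `CMD /usr/sbin/sshd -D -e` is shell form, so `/init` supervises a `/bin/sh -c` wrapper rather than sshd itself — use `CMD ["/usr/sbin/sshd", "-D", "-e"]`.
```dockerfile
ARG TARGETPLATFORM
# Pinned release tag and the expected digest of the archive for this
# TARGETPLATFORM (placeholders: record one digest per architecture built).
ARG S6_OVERLAY_VERSION=<pinned-release-tag-placeholder>
ARG S6_OVERLAY_SHA256=<sha256-of-archive-placeholder>

RUN apk add --no-cache curl jq \
 # … unchanged: DOWNLOAD_ARCH mapping and echo …
 && S6_DOWNLOAD_URL=$(curl -fsS "https://api.github.com/repos/just-containers/s6-overlay/releases/tags/${S6_OVERLAY_VERSION}" | jq -r '.assets | map(select(.name == "s6-overlay-'${DOWNLOAD_ARCH}'.tar.xz"))[0].browser_download_url') \
 && test "$S6_DOWNLOAD_URL" != "null" \
 && curl --retry 3 -fsSL -o /tmp/s6-overlay.tar.xz "$S6_DOWNLOAD_URL" \
 && echo "${S6_OVERLAY_SHA256}  /tmp/s6-overlay.tar.xz" | sha256sum -c - \
 # … unchanged: mkdir and tar extraction …
```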
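Review bot: The guard on line 3 of init-host-keys.sh tests only for `ssh_host_rsa_key`, so a `/config/host_keys` volume that has the RSA key but not the Ed25519 one (or where the Ed25519 generation failed on a previous start) is never repaired, and sshd then starts with one of its two configured `HostKey` files missing. Check each key on its own, e.g. `[ -f /config/host_keys/ssh_host_ed25519_key ] || ssh-keygen -t ed25519 -f /config/host_keys/ssh_host_ed25519_key -N "" < /dev/null` and the same pattern for the RSA key, with the `mkdir -p` moved in front of both. There is no `set -e`, so a failing `ssh-keygen` is not surfaced by the init stage either.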
@@ -0,0 +1,88 @@
+#! /bin/bash
+
+cp /etc/ssh/sshd_config.default /etc/ssh/sshd_config
+
+function init_user {
+ # First create the user
+ options=
+ if [[ "$3" != "" ]]; then
+ options+="-u $3 "
+ fi
+ if [[ "$4" != "" ]]; then
+ grep ":$4:" /etc/group || addgroup -g $4 "group-$4"
+ options+="-G `getent group $4 | sed 's/:.*//'` "
+ fi
+ if [[ "$5" != "" ]]; then
+ options+="-h $5 "
+ else
+ options+="-h /home/$1 "
+ fi
+ if [[ "$2" = "ssh" || "$2" = "borg" || "$2" = "rsync" ]]; then
+ adduser -D $options -s /bin/bash $1
+ else
+ adduser -D $options -s /bin/false $1
+ fi
+ passwd -u $1
+
+ # Adjust the keys permissions
+ chown $1 /config/users_keys/$1
+ chmod 400 /config/users_keys/$1
+
+ # Update sshd-config
+ sed -i "/^AllowUsers/ s/$/ $1/" /etc/ssh/sshd_config
+ if [[ $2 = "sftp" ]]; then
+ echo "Match User $1" >> /etc/ssh/sshd_config
+ echo " ForceCommand internal-sftp" >> /etc/ssh/sshd_config
+ if [[ $6 != "" ]]; then
+ echo " ChrootDirectory $6" >> /etc/ssh/sshd_config
+ chown root:root $6
+ fi
+ elif [[ $2 = "borg" ]]; then
+ echo "Match User $1" >> /etc/ssh/sshd_config
+ if [[ $6 != "" ]]; then
+ echo " ForceCommand borg serve --restrict-to-path $6" >> /etc/ssh/sshd_config
+ else
+ echo " ForceCommand borg serve" >> /etc/ssh/sshd_config
+ fi
+ elif [[ $2 = "rsync" ]]; then
+ echo "Match User $1" >> /etc/ssh/sshd_config
+ if [[ $6 != "" ]]; then
+ echo " ForceCommand rrsync $6" >> /etc/ssh/sshd_config
+ else
+ echo " ForceCommand rrsync ." >> /etc/ssh/sshd_config
+ fi
+ fi
+}
+
+while read line; do
+ if [[ "$line" =~ ^\[ ]]; then
+ if [[ "$user" != "" ]]; then
+ init_user "$user" "$type" "$uid" "$gid" "$home" "$chroot"
+ fi
+
+ name=${line#*\[}
+ name=${name%%\]}
+
+ user=$name
+ type=
+ uid=
+ gid=
+ home=
+ chroot=
+ elif [[ "$line" =~ ^[^#]*= ]]; then
+ name=${line%% =*}
+ value=${line#*= }
+ if [[ $name = "Type" ]]; then
+ type=$value
+ elif [[ $name = "UID" ]]; then
+ uid=$value
+ elif [[ $name = "GID" ]]; then
+ gid=$value
+ elif [[ $name = "Home" ]]; then
+ home=$value
+ elif [[ $name = "Chroot" ]]; then
+ chroot=$value
+ fi
+ fi
+done < /config/config.ini
+init_user "$user" "$type" "$uid" "$gid" "$home" "$chroot"
diff --git a/sshd/etc/ssh/sshd_config.default b/sshd/etc/ssh/sshd_config.default
new file mode 100644
index 0000000..7557725
--- /dev/null
+++ b/sshd/etc/ssh/sshd_config.default
@@ -0,0 +1,25 @@
+HostKey /config/host_keys/ssh_host_rsa_key
+HostKey /config/host_keys/ssh_host_ed25519_key
+
+Protocol 2
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+#LogLevel DEBUG
+PermitRootLogin no
+
+PubkeyAuthentication yes
+AuthorizedKeysFile /config/users_keys/%u
+IgnoreUserKnownHosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PrintMotd no
+UseDNS no
+
+Subsystem sftp internal-sftp
+
+AllowUsers
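Review bot: In the `sftp` branch of `init_user` the script writes `ChrootDirectory $6` and only runs `chown root:root $6`; sshd also requires the chroot directory and every parent to be non-writable by group and others, and nothing here creates the directory or checks that it exists, so a missing or volume-mounted chroot is only discovered when the user's login is refused with a "bad ownership or modes for chroot directory" error instead of at container start. Suggested replacement for that line: `mkdir -p "$6" && chown root:root "$6" && chmod 755 "$6"`. Every positional parameter (`$1`, `$4`, `$6`) and `$options` is expanded unquoted into `adduser`, `chown` and the generated sshd_config, and the script has no `set -e`, so a config.ini value containing whitespace silently yields a different account or directive than intended; add `set -euo pipefail` after the shebang, quote the expansions, and finish with `sshd -t -f /etc/ssh/sshd_config` so a malformed generated config stops the container at init rather than at the first connection. `passwd -u $1` on the just-created, locked (`-D`) account may leave the password field empty with BusyBox's passwd — confirm; with `PasswordAuthentication no` this is not reachable over SSH, but it is worth a comment if it is intentional. The trailing `init_user` call on the last line also runs when config.ini defines no section at all, producing an `adduser` with an empty name.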
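Review bot: `Protocol 2` on line 4 is logged as a deprecated option and ignored by current OpenSSH releases (SSH-1 support is long gone) and can be dropped together with the commented `#LogLevel DEBUG`; a more useful setting in its place is `LogLevel VERBOSE`, which makes the `sshd -e` output in the container logs record the fingerprint of each accepted key and, I believe, the matching `AuthorizedKeysFile` entry, so a login can be traced to a specific key. The bare `AllowUsers` on the last line is filled in by `init-sshd.sh` via `sed`; when config.ini defines no users it stays without operands — confirm that sshd parses this form rather than refusing to start, otherwise seed it with a pattern that can never match. Because `init-sshd.sh` appends `Match` blocks after this line, any global directive added to this file later must go above it; a comment on the last line should say so: `# keep last: init-sshd.sh appends user names here and Match blocks below`.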