Added a chrooted sshd server

2025-12-15 03:04:19 +01:00 · 2024-09-24 23:20:02 +02:00
parent 9322b554a4
commit dbeeefab86
3 changed files with 66 additions and 1 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        repository: [immich-souvenirs, dnsupdater, rsync-server, sshd, webhook, gandi, http-tunnel, restic-auto, restic-rest, shairport-sync, telegraf]
+        repository: [chrooted-sshd, immich-souvenirs, dnsupdater, rsync-server, sshd, webhook, gandi, http-tunnel, restic-auto, restic-rest, shairport-sync, telegraf]

    steps:
      - name: Checkout
--- a/chrooted-sshd/Dockerfile
+++ b/chrooted-sshd/Dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:latest
+
+RUN apk add --no-cache openssh
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
+CMD ["/usr/sbin/sshd", "-D", "-e"]
--- a/chrooted-sshd/entrypoint.sh
+++ b/chrooted-sshd/entrypoint.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Make sure a volume is properly mounted
+if [ ! -d "/config" ] ; then
+	echo "####################################################################"
+	echo "### Please start this container with a volume mounted to /config ###"
+	echo "####################################################################"
+	exit
+fi
+
+# First use : init the /config directory
+if [ ! -f "/config/ssh_host_ed25519_key" ] ; then
+	ssh-keygen -t ed25519 -f /config/ssh_host_ed25519_key -N "" < /dev/null
+fi
+if [ ! -f "/config/passwd" ] ; then
+	echo -n "Enter username:"
+	read
+	NEW_USER=$REPLY
+	adduser -u 666 $NEW_USER
+	echo $NEW_USER > /config/username
+	grep -E "root|sshd|$NEW_USER" /etc/passwd > /config/passwd
+	grep -E "root|sshd|$NEW_USER" /etc/shadow > /config/shadow
+	grep -E "root|sshd|$NEW_USER" /etc/group > /config/group
+fi
+if [ ! -f "/config/sshd_config" ] ; then
+	echo "ChrootDirectory /chroot" > /config/sshd_config
+fi
+
+# Use the config provided
+cp -f /config/ssh_host_ed25519_key* /etc/ssh/
+cp -f /config/sshd_config /etc/ssh/
+cp -f /config/passwd /etc/passwd
+cp -f /config/shadow /etc/shadow
+cp -f /config/group /etc/group
+
+# Prepare the chrooted env
+if [ ! -d "/chroot" ] ; then
+	mkdir /chroot
+	mkdir /chroot/dev
+	mknod -m 666 /chroot/dev/null c 1 3
+	mknod -m 666 /chroot/dev/zero c 1 5
+	mknod -m 666 /chroot/dev/tty c 5 0
+	mkdir /chroot/bin
+	cp /bin/sh /chroot/bin/
+	mkdir /chroot/lib
+	cp /lib/*.so.* /chroot/lib/
+	mkdir /chroot/usr
+	mkdir /chroot/usr/bin
+	cp /usr/bin/ssh /chroot/usr/bin/
+	mkdir /chroot/etc
+	cp /etc/passwd /chroot/etc/
+	mkdir /chroot/home
+	mkdir /chroot/home/$(cat /config/username)
+fi
+
+"$@"