Skip to content

Instantly share code, notes, and snippets.

@AlonsoMackenlly
Created November 29, 2022 06:59
Show Gist options
  • Save AlonsoMackenlly/8276572f26ea2d036a26a3420f6a27b4 to your computer and use it in GitHub Desktop.
Save AlonsoMackenlly/8276572f26ea2d036a26a3420f6a27b4 to your computer and use it in GitHub Desktop.
Dockerfile to build image with python and sshd
FROM python:3-alpine
RUN apk update && \
apk add curl bash git openssh rsync augeas shadow rssh sudo && \
#### SSHD
deluser $(getent passwd 33 | cut -d: -f1) && \
delgroup $(getent group 33 | cut -d: -f1) 2>/dev/null || true && \
mkdir -p ~root/.ssh /etc/authorized_keys && chmod 700 ~root/.ssh/ && \
augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"' && \
echo -e "Port 22\n" >> /etc/ssh/sshd_config && \
cp -a /etc/ssh /etc/ssh.cache && \
rm -rf /var/cache/apk/* && \
#### SU
# echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/wheel && \
echo '%wheel ALL=NOPASSWD: ALL' > /etc/sudoers && \
chmod 4755 /bin/su
EXPOSE 22
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/sbin/sshd", "-D", "-e", "-f", "/etc/ssh/sshd_config"]
#!/usr/bin/env bash
set -e
[ "$DEBUG" == 'true' ] && set -x
DAEMON=sshd
echo "> Starting SSHD"
# Copy default config from cache, if required
if [ ! "$(ls -A /etc/ssh)" ]; then
cp -a /etc/ssh.cache/* /etc/ssh/
fi
set_hostkeys() {
printf '%s\n' \
'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_dsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ecdsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[4] /etc/ssh/keys/ssh_host_ed25519_key' \
| augtool -s 1> /dev/null
}
print_fingerprints() {
local BASE_DIR=${1-'/etc/ssh'}
for item in dsa rsa ecdsa ed25519; do
echo ">>> Fingerprints for ${item} host key"
ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
done
}
check_authorized_key_ownership() {
local file="$1"
local _uid="$2"
local _gid="$3"
local uid_found="$(stat -c %u ${file})"
local gid_found="$(stat -c %g ${file})"
if ! ( [[ ( "$uid_found" == "$_uid" ) && ( "$gid_found" == "$_gid" ) ]] || [[ ( "$uid_found" == "0" ) && ( "$gid_found" == "0" ) ]] ); then
echo "WARNING: Incorrect ownership for ${file}. Expected uid/gid: ${_uid}/${_gid}, found uid/gid: ${uid_found}/${gid_found}. File uid/gid must match SSH_USERS or be root owned."
fi
}
# Generate Host keys, if required
if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found host keys in keys directory"
set_hostkeys
print_fingerprints /etc/ssh/keys
elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found Host keys in default location"
# Don't do anything
print_fingerprints
else
echo ">> Generating new host keys"
mkdir -p /etc/ssh/keys
ssh-keygen -A
mv /etc/ssh/ssh_host_* /etc/ssh/keys/
set_hostkeys
print_fingerprints /etc/ssh/keys
fi
# Fix permissions, if writable.
# NB ownership of /etc/authorized_keys are not changed
if [ -w ~/.ssh ]; then
chown root:root ~/.ssh && chmod 700 ~/.ssh/
fi
if [ -w ~/.ssh/authorized_keys ]; then
chown root:root ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
fi
if [ -w /etc/authorized_keys ]; then
chown root:root /etc/authorized_keys
chmod 755 /etc/authorized_keys
# test for writability before attempting chmod
for f in $(find /etc/authorized_keys/ -type f -maxdepth 1); do
[ -w "${f}" ] && chmod 644 "${f}"
done
fi
# Add users if SSH_USERS=user:uid:gid set
if [ -n "${SSH_USERS}" ]; then
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
IFS=':' read -ra UA <<< "$U"
_NAME=${UA[0]}
_UID=${UA[1]}
_GID=${UA[2]}
if [ ${#UA[*]} -ge 4 ]; then
_SHELL=${UA[3]}
else
_SHELL=''
fi
echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}, shell: ${_SHELL:-<default>}."
if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
else
check_authorized_key_ownership /etc/authorized_keys/${_NAME} ${_UID} ${_GID}
fi
getent group ${_NAME} >/dev/null 2>&1 || groupadd -g ${_GID} ${_NAME}
getent passwd ${_NAME} >/dev/null 2>&1 || useradd -r -m -p '' -u ${_UID} -g ${_GID} -s ${_SHELL:-""} -c 'SSHD User' ${_NAME}
adduser ${_NAME} wheel
done
else
# Warn if no authorized_keys
if [ ! -e ~/.ssh/authorized_keys ] && [ ! "$(ls -A /etc/authorized_keys)" ]; then
echo "WARNING: No SSH authorized_keys found!"
fi
fi
# Unlock root account, if enabled
if [[ "${SSH_ENABLE_ROOT}" == "true" ]]; then
echo ">> Unlocking root account"
usermod -p '' root
else
echo "INFO: root account is now locked by default. Set SSH_ENABLE_ROOT to unlock the account."
fi
# Update MOTD
if [ -v MOTD ]; then
echo -e "$MOTD" > /etc/motd
fi
# PasswordAuthentication (disabled by default)
if [[ "${SSH_ENABLE_PASSWORD_AUTH}" == "true" ]] || [[ "${SSH_ENABLE_ROOT_PASSWORD_AUTH}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/PasswordAuthentication yes' | augtool -s 1> /dev/null
echo "WARNING: password authentication enabled."
# Root Password Authentification
if [[ "${SSH_ENABLE_ROOT_PASSWORD_AUTH}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/PermitRootLogin yes' | augtool -s 1> /dev/null
echo "WARNING: password authentication for root user enabled."
else
echo "INFO: This password authentication is not enabled for the root user. Set SSH_ENABLE_ROOT_PASSWORD_AUTH=true to enable."
fi
else
echo 'set /files/etc/ssh/sshd_config/PasswordAuthentication no' | augtool -s 1> /dev/null
echo "INFO: password authentication is disabled by default. Set SSH_ENABLE_PASSWORD_AUTH=true to enable."
fi
configure_sftp_only_mode() {
echo "INFO: configuring sftp only mode"
: ${SFTP_CHROOT:='/data'}
chown 0:0 ${SFTP_CHROOT}
chmod 755 ${SFTP_CHROOT}
printf '%s\n' \
'set /files/etc/ssh/sshd_config/Subsystem/sftp "internal-sftp"' \
'set /files/etc/ssh/sshd_config/AllowTCPForwarding no' \
'set /files/etc/ssh/sshd_config/GatewayPorts no' \
'set /files/etc/ssh/sshd_config/X11Forwarding no' \
'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
"set /files/etc/ssh/sshd_config/ChrootDirectory ${SFTP_CHROOT}" \
| augtool -s 1> /dev/null
}
configure_scp_only_mode() {
echo "INFO: configuring scp only mode"
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
_NAME=$(echo "${U}" | cut -d: -f1)
usermod -s '/usr/bin/rssh' ${_NAME}
done
(grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowscp") > /etc/rssh.conf
}
configure_rsync_only_mode() {
echo "INFO: configuring rsync only mode"
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
_NAME=$(echo "${U}" | cut -d: -f1)
usermod -s '/usr/bin/rssh' ${_NAME}
done
(grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowrsync") > /etc/rssh.conf
}
configure_ssh_options() {
# Enable AllowTcpForwarding
if [[ "${TCP_FORWARDING}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes' | augtool -s 1> /dev/null
fi
# Enable GatewayPorts
if [[ "${GATEWAY_PORTS}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/GatewayPorts yes' | augtool -s 1> /dev/null
fi
# Disable SFTP
if [[ "${DISABLE_SFTP}" == "true" ]]; then
printf '%s\n' \
'rm /files/etc/ssh/sshd_config/Subsystem/sftp' \
'rm /files/etc/ssh/sshd_config/Subsystem' \
| augtool -s 1> /dev/null
fi
}
# Configure mutually exclusive modes
if [[ "${SFTP_MODE}" == "true" ]]; then
configure_sftp_only_mode
elif [[ "${SCP_MODE}" == "true" ]]; then
configure_scp_only_mode
elif [[ "${RSYNC_MODE}" == "true" ]]; then
configure_rsync_only_mode
else
configure_ssh_options
fi
# Run scripts in /etc/entrypoint.d
for f in /etc/entrypoint.d/*; do
if [[ -x ${f} ]]; then
echo ">> Running: ${f}"
${f}
fi
done
stop() {
echo "Received SIGINT or SIGTERM. Shutting down $DAEMON"
# Get PID
local pid=$(cat /var/run/$DAEMON/$DAEMON.pid)
# Set TERM
kill -SIGTERM "${pid}"
# Wait for exit
wait "${pid}"
# All done.
echo "Done."
}
echo "Running $@"
if [ "$(basename $1)" == "$DAEMON" ]; then
trap stop SIGINT SIGTERM
$@ &
pid="$!"
mkdir -p /var/run/$DAEMON && echo "${pid}" > /var/run/$DAEMON/$DAEMON.pid
wait "${pid}"
exit $?
else
exec "$@"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment