@ramcq
Last active January 26, 2022 18:59
sshd+tmux+weechat in docker
```dotenv
LOCALE=en_GB.UTF-8
SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA151ak/oQeooHn7TGqzELD+X84eoakFznQEFdz5YlqP8n2PC7KxK07oQ5N9ZDOE3nxqKSLvdG5UkzKSGVBDh7E6TnulHDK4Qu8+M2J/+IqHx1WQrMVrM47avHjpfTQuL8ON44pOPn2weQsvZPPK7DEM4FUlmjIWdvBwN3axNZhY0= robot101@theta"
TZ=Europe/London
```
```yaml
version: '3'
volumes:
  ssh:
  weechat:
services:
  weechat:
    build: .
    container_name: weechat
    hostname: weechat
    restart: on-failure
    environment:
      - LOCALE=${LOCALE}
      - SSH_KEY=${SSH_KEY}
      - TZ=${TZ}
    cap_add:
      - AUDIT_WRITE
    ports:
      - '2222:22'
      - '60000-60010:60000-60010/udp'
    volumes:
      - 'ssh:/etc/ssh'
      - 'weechat:/home/weechat/.weechat'
    networks:
      nginx-proxy:
networks:
  nginx-proxy:
    external: true
```
```dockerfile
FROM debian:bookworm

RUN set -ex; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update; \
    apt-get upgrade -y; \
    touch /etc/locale.gen; \
    apt-get install --no-install-recommends -y \
        locales \
        mosh \
        openssh-server \
        tmux \
        weechat-curses \
        weechat-matrix \
        weechat-plugins \
        weechat-python \
        weechat-scripts; \
    \
    apt-get clean; \
    rm -rf /var/lib/apt/lists

ADD run.sh /run.sh

# Drop the image's host keys and park the packaged /etc/ssh aside: /etc/ssh is a
# volume, and run.sh restores the config and generates host keys into it at start-up.
RUN set -ex; \
    \
    rm -f /etc/ssh/ssh_host*; \
    mv /etc/ssh /etc/ssh~; \
    \
    adduser \
        --disabled-password \
        --gecos "WeeChat User" \
        weechat; \
    \
    chmod +x /run.sh

VOLUME ["/etc/ssh", "/home/weechat/.weechat"]
EXPOSE 22 60000-60010/udp
CMD ["/run.sh"]
```
```bash
#!/bin/bash
# loosely inspired by https://github.com/krlmlr/debian-ssh/
set -e

if [ -z "${SSH_KEY}" ]; then
    echo "=> Please pass your public key in the SSH_KEY environment variable"
    exit 1
fi

# Generate the requested locale, e.g. en_GB.UTF-8 -> "en_GB.UTF-8 UTF-8" in /etc/locale.gen
if [ -n "${LOCALE}" ]; then
    CHARSET="${LOCALE#*.}"
    echo "${LOCALE} ${CHARSET}" >/etc/locale.gen
    locale-gen
fi

# Install the single authorised public key for the weechat user
WEEHOME=/home/weechat
mkdir -p "${WEEHOME}/.ssh"
chmod 700 "${WEEHOME}/.ssh"
echo "${SSH_KEY}" > "${WEEHOME}/.ssh/authorized_keys"
chmod 600 "${WEEHOME}/.ssh/authorized_keys"
# The .weechat volume is created root-owned by Docker, so hand it to the user
chown weechat:weechat "${WEEHOME}/.ssh" "${WEEHOME}/.ssh/authorized_keys" "${WEEHOME}/.weechat"

# Start weechat detached in a tmux session the user can attach to after logging in
su -c "tmux new -d -s weechat weechat" weechat

# /etc/ssh is a volume: restore the packaged config saved aside by the Dockerfile, then
# let dpkg-reconfigure create any host keys that are missing (existing ones are kept)
cp -a /etc/ssh~/* /etc/ssh
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure openssh-server
mkdir -p /run/sshd

# -D: stay in the foreground; -e: log to stderr. Not -d, which serves one connection and exits.
exec /usr/sbin/sshd -De
```
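run.sh writes whatever is in `SSH_KEY` straight into `authorized_keys`. As an added example (not part of the gist), this Python check parses one `<type> <base64 blob> [comment]` entry the way OpenSSH encodes it, confirms the type named outside the blob matches the one inside, rejects multi-line values, and reports the RSA modulus size so a minimum can be enforced; it handles `ssh-rsa` and `ssh-ed25519` only, and the sample input is the key from the gist's `.env`.

```python
import base64
import struct

# Sample input taken from the gist's SSH_KEY variable (the value run.sh writes verbatim).
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA151ak/oQeooHn7TGqzELD+X84eoakFznQEFdz5YlqP8n2PC7KxK07oQ5N9ZDOE3nxqKSLvdG5UkzKSGVBDh7E6TnulHDK4Qu8+M2J/+IqHx1WQrMVrM47avHjpfTQuL8ON44pOPn2weQsvZPPK7DEM4FUlmjIWdvBwN3axNZhY0= robot101@theta"

# Key types this deployment is willing to accept (a policy choice, not an OpenSSH limit).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def parse_authorized_key(line):
    """Validate one authorized_keys entry; return {'type', 'bits', 'comment'} or raise ValueError."""
    if "\n" in line or "\r" in line:
        raise ValueError("SSH_KEY must be exactly one line")  # a second line would add another key
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    ktype, blob_b64 = fields[0], fields[1]
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"key type {ktype!r} is not allowed")
    blob = base64.b64decode(blob_b64, validate=True)  # raises a ValueError subclass on bad base64
    embedded, off = _read_string(blob, 0)
    if embedded != ktype.encode("ascii"):
        raise ValueError("type field does not match the type inside the blob")
    info = {"type": ktype, "comment": " ".join(fields[2:])}
    if ktype == "ssh-rsa":  # blob = type, public exponent e, modulus n (both mpints)
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    else:  # ssh-ed25519: blob = type, 32-byte public key
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    if off != len(blob):
        raise ValueError("trailing bytes after the key material")
    return info
```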
ramcq commented Jan 26, 2022

So, this doesn't quite work properly and I'd love any suggestions as to why...! The sshd dies during shutdown of the process.

Up and running:

```
root@iota:/srv/weechat# docker-compose up --remove-orphans -d
Creating weechat ... done
root@iota:/srv/weechat# docker-compose logs
Attaching to weechat
weechat    | Generating locales (this might take a while)...
weechat    |   en_GB.UTF-8... done
weechat    | Generation complete.
weechat    | invoke-rc.d: could not determine current runlevel
weechat    | invoke-rc.d: policy-rc.d denied execution of restart.
weechat    | debug1: sshd version OpenSSH_8.7, OpenSSL 1.1.1m  14 Dec 2021
weechat    | debug1: private host key #0: ssh-rsa SHA256:s/ilbCQAY6+ZY7SIbd3ZRs7xdtC8P5AvTX0PElgc0dg
weechat    | debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2bFFsjtYKgKUMCIliz4ntEP91KtrSSOMULg8sJOOjWQ
weechat    | debug1: private host key #2: ssh-ed25519 SHA256:tRgp2TqBvpsYMaNp69PU0O2IOqfJHPmD93AgBlRdywE
weechat    | debug1: rexec_argv[0]='/usr/sbin/sshd'
weechat    | debug1: rexec_argv[1]='-Dd'
weechat    | debug1: Set /proc/self/oom_score_adj from 0 to -1000
weechat    | debug1: Bind to port 22 on 0.0.0.0.
weechat    | Server listening on 0.0.0.0 port 22.
weechat    | debug1: Bind to port 22 on ::.
weechat    | Server listening on :: port 22.
root@iota:/srv/weechat# docker-compose exec weechat ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0  13732  7492 ?        Ss   13:15   0:00 sshd: /usr/sb
weechat       27  0.0  0.0   9156  3492 ?        Ss   13:15   0:00 tmux new -d -
weechat       28  0.1  0.0  38168 23008 pts/0    Ss+  13:15   0:00 weechat
root         157  0.0  0.0   7008  3076 pts/1    Rs+  13:16   0:00 ps aux
```

Log in OK:

```
ramcq@xi:~$ ssh weechat
Linux weechat 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Environment:
  LANG=en_GB.UTF-8
  USER=weechat
  LOGNAME=weechat
  HOME=/home/weechat
  PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
  SHELL=/bin/bash
  TZ=Europe/London
  TERM=xterm-256color
  MOTD_SHOWN=pam
  SSH_CLIENT=90.243.229.240 54452 22
  SSH_CONNECTION=90.243.229.240 54452 172.18.0.10 22
  SSH_TTY=/dev/pts/1
weechat@weechat:~$ 
```

Looks good:

```
root@iota:/srv/weechat# docker-compose exec weechat ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  0.0  14188  8348 ?        Ss   13:15   0:00 sshd: weechat
weechat       27  0.0  0.0   9156  3492 ?        Ss   13:15   0:00 tmux new -d -
weechat       28  0.0  0.0  38168 23008 pts/0    Ss+  13:15   0:00 weechat
weechat      168  0.0  0.0  14376  6072 ?        S    13:16   0:00 sshd: weechat
weechat      169  0.0  0.0   7148  3848 pts/1    Ss+  13:16   0:00 -bash
root         172  0.0  0.0   7008  3064 pts/2    Rs+  13:16   0:00 ps aux
```

Log out, and blam:

```
weechat    | debug1: Server will not fork when running in debugging mode.
weechat    | debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
weechat    | debug1: sshd version OpenSSH_8.7, OpenSSL 1.1.1m  14 Dec 2021
weechat    | debug1: private host key #0: ssh-rsa SHA256:s/ilbCQAY6+ZY7SIbd3ZRs7xdtC8P5AvTX0PElgc0dg
weechat    | debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2bFFsjtYKgKUMCIliz4ntEP91KtrSSOMULg8sJOOjWQ
weechat    | debug1: private host key #2: ssh-ed25519 SHA256:tRgp2TqBvpsYMaNp69PU0O2IOqfJHPmD93AgBlRdywE
weechat    | debug1: inetd sockets after dupping: 3, 3
weechat    | Connection from 90.243.229.240 port 54452 on 172.18.0.10 port 22 rdomain ""
weechat    | debug1: Local version string SSH-2.0-OpenSSH_8.7p1 Debian-4
weechat    | debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Endless-5endless1bem1
weechat    | debug1: compat_banner: match: OpenSSH_8.4p1 Endless-5endless1bem1 pat OpenSSH* compat 0x04000000
weechat    | debug1: permanently_set_uid: 101/65534 [preauth]
weechat    | debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
weechat    | debug1: SSH2_MSG_KEXINIT sent [preauth]
weechat    | debug1: SSH2_MSG_KEXINIT received [preauth]
weechat    | debug1: kex: algorithm: curve25519-sha256 [preauth]
weechat    | debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
weechat    | debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com [preauth]
weechat    | debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com [preauth]
weechat    | debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
weechat    | debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
weechat    | debug1: rekey out after 134217728 blocks [preauth]
weechat    | debug1: SSH2_MSG_NEWKEYS sent [preauth]
weechat    | debug1: Sending SSH2_MSG_EXT_INFO [preauth]
weechat    | debug1: expecting SSH2_MSG_NEWKEYS [preauth]
weechat    | debug1: SSH2_MSG_NEWKEYS received [preauth]
weechat    | debug1: rekey in after 134217728 blocks [preauth]
weechat    | debug1: KEX done [preauth]
weechat    | debug1: userauth-request for user weechat service ssh-connection method none [preauth]
weechat    | debug1: attempt 0 failures 0 [preauth]
weechat    | debug1: PAM: initializing for "weechat"
weechat    | debug1: PAM: setting PAM_RHOST to "90.243.229.240"
weechat    | debug1: PAM: setting PAM_TTY to "ssh"
weechat    | debug1: userauth-request for user weechat service ssh-connection method publickey [preauth]
weechat    | debug1: attempt 1 failures 0 [preauth]
weechat    | debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg [preauth]
weechat    | debug1: temporarily_use_uid: 1000/1000 (e=0/0)
weechat    | debug1: trying public key file /home/weechat/.ssh/authorized_keys
weechat    | debug1: fd 4 clearing O_NONBLOCK
weechat    | debug1: /home/weechat/.ssh/authorized_keys:1: matching key found: RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg
weechat    | debug1: /home/weechat/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
weechat    | Accepted key RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg found at /home/weechat/.ssh/authorized_keys:1
weechat    | debug1: restore_uid: 0/0
weechat    | Postponed publickey for weechat from 90.243.229.240 port 54452 ssh2 [preauth]
weechat    | debug1: userauth-request for user weechat service ssh-connection method publickey [preauth]
weechat    | debug1: attempt 2 failures 0 [preauth]
weechat    | debug1: temporarily_use_uid: 1000/1000 (e=0/0)
weechat    | debug1: trying public key file /home/weechat/.ssh/authorized_keys
weechat    | debug1: fd 4 clearing O_NONBLOCK
weechat    | debug1: /home/weechat/.ssh/authorized_keys:1: matching key found: RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg
weechat    | debug1: /home/weechat/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
weechat    | Accepted key RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg found at /home/weechat/.ssh/authorized_keys:1
weechat    | debug1: restore_uid: 0/0
weechat    | debug1: auth_activate_options: setting new authentication options
weechat    | debug1: do_pam_account: called
weechat    | Accepted publickey for weechat from 90.243.229.240 port 54452 ssh2: RSA SHA256:4c0WU4WKMrFVH4xAMudjqJFYypgXIFVPtIGNe94lrFg
weechat    | debug1: monitor_child_preauth: user weechat authenticated by privileged process
weechat    | debug1: auth_activate_options: setting new authentication options [preauth]
weechat    | debug1: Enabling compression at level 6. [preauth]
weechat    | debug1: monitor_read_log: child log fd closed
weechat    | debug1: PAM: establishing credentials
weechat    | User child is on pid 168
weechat    | debug1: SELinux support disabled
weechat    | debug1: PAM: establishing credentials
weechat    | debug1: permanently_set_uid: 1000/1000
weechat    | debug1: rekey in after 134217728 blocks
weechat    | debug1: rekey out after 134217728 blocks
weechat    | debug1: ssh_packet_set_postauth: called
weechat    | debug1: Enabling compression at level 6.
weechat    | debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
weechat    | debug1: Entering interactive session for SSH2.
weechat    | debug1: server_init_dispatch
weechat    | debug1: server_input_channel_open: ctype session rchan 2 win 1048576 max 16384
weechat    | debug1: input_session_request
weechat    | debug1: channel 0: new [server-session]
weechat    | debug1: session_new: session 0
weechat    | debug1: session_open: channel 0
weechat    | debug1: session_open: session 0: link with channel 0
weechat    | debug1: server_input_channel_open: confirm session
weechat    | debug1: server_input_channel_req: channel 0 request pty-req reply 1
weechat    | debug1: session_by_channel: session 0 channel 0
weechat    | debug1: session_input_channel_req: session 0 req pty-req
weechat    | debug1: Allocating pty.
weechat    | debug1: session_new: session 0
weechat    | debug1: SELinux support disabled
weechat    | debug1: session_pty_req: session 0 alloc /dev/pts/1
weechat    | debug1: server_input_channel_req: channel 0 request env reply 0
weechat    | debug1: session_by_channel: session 0 channel 0
weechat    | debug1: session_input_channel_req: session 0 req env
weechat    | debug1: server_input_channel_req: channel 0 request shell reply 1
weechat    | debug1: session_by_channel: session 0 channel 0
weechat    | debug1: session_input_channel_req: session 0 req shell
weechat    | Starting session: shell on pts/1 for weechat from 90.243.229.240 port 54452 id 0
weechat    | debug1: Setting controlling tty using TIOCSCTTY.
weechat    | debug1: Received SIGCHLD.
weechat    | debug1: session_by_pid: pid 169
weechat    | debug1: session_exit_message: session 0 channel 0 pid 169
weechat    | debug1: session_exit_message: release channel 0
weechat    | debug1: session_by_tty: session 0 tty /dev/pts/1
weechat    | debug1: session_pty_cleanup2: session 0 release /dev/pts/1
weechat    | syslogin_perform_logout: logout() returned an error
weechat    | debug1: session_by_channel: session 0 channel 0
weechat    | debug1: session_close_by_channel: channel 0 child 0
weechat    | Close session: user weechat from 90.243.229.240 port 54452 id 0
weechat    | debug1: channel 0: free: server-session, nchannels 1
weechat    | Received disconnect from 90.243.229.240 port 54452:11: disconnected by user
weechat    | Disconnected from user weechat 90.243.229.240 port 54452
weechat    | debug1: do_cleanup
weechat    | debug1: temporarily_use_uid: 1000/1000 (e=1000/1000)
weechat    | debug1: restore_uid: (unprivileged)
weechat    | debug1: do_cleanup
weechat    | debug1: PAM: cleanup
weechat    | debug1: PAM: closing session
weechat    | debug1: PAM: deleting credentials
weechat    | debug1: temporarily_use_uid: 1000/1000 (e=0/0)
weechat    | debug1: restore_uid: 0/0
weechat    | debug1: audit_event: unhandled event 12
```

And then the container exits. Event 12 looks like https://github.com/openssh/openssh-portable/blob/master/audit.h#L45 `SSH_CONNECTION_ABANDON`, which is only called in one place, `cleanup_exit` https://github.com/openssh/openssh-portable/blob/21dd5a9a3fb35e8299a1fbcf8d506f1f6b752b85/sshd.c#L2450, and I can tell from strace that the child is exiting with status 255, suggesting this is what is happening. I just can't figure out why. `syslogin_perform_logout: logout() returned an error`?

@andrunko

> weechat | debug1: Server will not fork when running in debugging mode.

Looks rather suspicious, have you tried running sshd without -d?

ramcq commented Jan 26, 2022

@andrunko OMG thank you. 🤦 🤦 🤦

```
     -d      Debug mode.  The server sends verbose debug output to standard error, and does
             not put itself in the background. The server also will not fork and will only process
             one connection.  This option is only intended for debugging for the server.
             Multiple -d options increase the debugging level.  Maximum is 3.
```

I saw -d in https://bugzilla.redhat.com/show_bug.cgi?id=1923728 when figuring out the need for CAP_AUDIT, and thought "sure debugging why not"... haha.
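The whole thread comes down to one clustered flag: `-Dd` reads as `-D -d`, and `-d` serves exactly one connection before exiting. As an added example (not code from the gist), this Python preflight expands sshd's short flags the way getopt does, reports whether the invocation will exit after one connection, and scans docker-compose log lines for the line andrunko spotted. The option table is an assumption taken from the sshd(8) manual for OpenSSH 8.x; check it against the release actually deployed.

```python
import shlex

# sshd(8) short options that take a value (OpenSSH 8.x manual; assumption, see lead-in).
# Every other option letter is a bare flag and may be clustered, e.g. -Dd or -ddd.
_OPTS_WITH_VALUE = set("CcEfghopu")

# The docker-compose log line that proves sshd was started with -d.
DEBUG_MARKER = "Server will not fork when running in debugging mode."


def parse_sshd_flags(cmdline):
    """Expand an sshd command line into its short flags, honouring getopt-style
    clustering ('-Dd' is '-D -d') and values given attached ('-p2222') or separate ('-p 2222')."""
    argv = shlex.split(cmdline)
    flags = []
    i = 1  # argv[0] is the program itself
    while i < len(argv):
        arg = argv[i]
        i += 1
        if len(arg) < 2 or not arg.startswith("-"):
            continue
        for j, ch in enumerate(arg[1:], start=1):
            flags.append(ch)
            if ch in _OPTS_WITH_VALUE:
                if j == len(arg) - 1:  # nothing attached: the value is the next argv element
                    i += 1
                break  # the rest of this token (if any) is the value, not more flags
    return flags


def check_sshd_cmdline(cmdline):
    """Summarise how the given sshd invocation will behave as a container's main process."""
    flags = parse_sshd_flags(cmdline)
    debug_level = flags.count("d")
    return {
        "foreground": "D" in flags,
        "debug_level": debug_level,
        # -d (debug) and -i (inetd mode) both handle a single connection and then exit
        "exits_after_one_connection": debug_level > 0 or "i" in flags,
        "logs_to_stderr": "e" in flags or debug_level > 0,
    }


def debug_mode_in_logs(lines):
    """Return the first log line showing sshd is in -d mode, or None if there is none."""
    return next((line for line in lines if DEBUG_MARKER in line), None)


# Constructed sample made of two lines quoted from the gist's docker-compose log.
SAMPLE_LOG = [
    "weechat    | debug1: Bind to port 22 on 0.0.0.0.",
    "weechat    | debug1: Server will not fork when running in debugging mode.",
]
```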
