Get a Reverse Shell with Only egress tcp/443 (i.e. AWS Training Environments)

Prep

  • Download this gist as a zip (the download button above) and unzip it into a project directory.
  • On your home internet gateway, forward TCP port 443 to port 2222 on the internal IP of the machine running the container.

Instructions


  • Remote
    • run command ssh -p 443 -R 5551:127.0.0.1:22 stevo@76.76.76.76 replacing the last part with your public ip and configured username
    • If the remote user doesn't have a password, add your public key to that user's authorized_keys:
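# Create the SSH directory (no error if it already exists) and keep it owner-only.
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
# The key below is the page's truncated sample; substitute your own public key.
# '>>' appends, so keys already authorised for this account are kept
# (the original '>' replaced the whole file).
echo ssh-rsa AAAAB3NzaC1y...zJHbQLdOESaYw== stevo@myhost  >> ~/.ssh/authorized_keys
# Path corrected: the original read ~/.ssh~/.ssh/authorized_keys, which does not exist.
chmod 0600 ~/.ssh/authorized_keys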

  • Local
    • run command ssh -p 5551 ec2-user@localhost

Flow

diagram

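---
# Listener side: builds the image from the Dockerfile in this directory and
# publishes the sshd port (2222) and the reverse-forward port (5551).
# Nesting restored; the flattened listing is not a valid compose file.
version: "2.1"
services:
  openssh-server:
    build: .
    container_name: openssh-server-listener
    hostname: openssh-server #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
      # - PUBLIC_KEY=yourpublickey #optional
      # - PUBLIC_KEY_FILE=/path/to/file #optional
      # - PUBLIC_KEY_DIR=/path/to/directory/containing/_only_/pubkeys #optional
      # - PUBLIC_KEY_URL=https://github.com/username.keys #optional
      # - USER_PASSWORD_FILE=/path/to/file #optional
      # NOTE(review): the README forwards tcp/443 on the home gateway to 2222, so
      # this sshd is reachable from the internet with password login, sudo, and a
      # sample password that lives in this file. Replace the password before use.
      # Key-only login (one of the PUBLIC_KEY* options with PASSWORD_ACCESS=false)
      # is the tighter setup; USER_PASSWORD_FILE (with the file mounted into the
      # container) at least keeps the password out of this file.
      - SUDO_ACCESS=true #optional
      - PASSWORD_ACCESS=true #optional
      - USER_PASSWORD=FooBarBaz1 #optional
      - USER_NAME=stevo #optional
    ports:
      # sshd: must be reachable from the gateway's port forward.
      - "2222:2222"
      # Reverse-forwarded port: the README connects with
      # `ssh -p 5551 ec2-user@localhost`, so it is published on loopback only
      # instead of on every interface of this host.
      - "127.0.0.1:5551:5551"
    restart: unless-stopped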
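# Base image tag. The default keeps the floating "latest" tag used originally;
# pass a specific tag (--build-arg OPENSSH_SERVER_TAG=<tag>, or build args in the
# compose file) so rebuilds are reproducible and the base image cannot change
# underneath the override below.
ARG OPENSSH_SERVER_TAG=latest
FROM lscr.io/linuxserver/openssh-server:${OPENSSH_SERVER_TAG}
# Install the local init.sh as the container init script 50-config. Among other
# things it sets AllowTcpForwarding and GatewayPorts to "yes" in sshd_config.
# NOTE(review): presumably this replaces an upstream script of the same name;
# with a floating tag the upstream init layout can change, so confirm after each
# base-image update that this script still runs and is still the only one doing
# this configuration.
COPY init.sh /etc/cont-init.d/50-config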
#!/usr/bin/with-contenv bash
# Make sure the /config layout exists before anything below writes to it.
mkdir -p /config/.ssh /config/ssh_host_keys /config/logs/openssh

# Login account name; falls back to the default when USER_NAME is unset or empty.
: "${USER_NAME:=linuxserver.io}"
echo "User name is set to $USER_NAME"
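# Sudo access for ${USER_NAME}: drop any earlier sudoers entry for the user, then
# re-add one according to SUDO_ACCESS.
sed -i "/${USER_NAME} ALL.*/d" /etc/sudoers
if [ "$SUDO_ACCESS" == "true" ]; then
    # The braces matter. '||' and '&&' have equal precedence in a shell list and
    # associate left to right, so the ungrouped form evaluated as
    # (password || file-var) && file-exists. With USER_PASSWORD set and no
    # password file, that test failed and the user got NOPASSWD sudo.
    if [ -n "$USER_PASSWORD" ] || { [ -n "$USER_PASSWORD_FILE" ] && [ -f "$USER_PASSWORD_FILE" ]; }; then
        echo "${USER_NAME} ALL=(ALL) ALL" >> /etc/sudoers
        echo "Sudo is enabled with password."
    else
        # No password was supplied, so sudo is granted without one.
        echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
        echo "Sudo is enabled without password."
    fi
else
    echo "Sudo is disabled."
fi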
# A password file, when named and present, overrides USER_PASSWORD.
if [[ -n "$USER_PASSWORD_FILE" ]] && [[ -f "$USER_PASSWORD_FILE" ]]; then
    USER_PASSWORD=$(cat "$USER_PASSWORD_FILE") && \
        echo "User password is retrieved from file."
fi
# Still empty: generate a random password from /dev/urandom
# (length is the script's first argument, default 8 characters).
if [[ -z "$USER_PASSWORD" ]]; then
    USER_PASSWORD=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-8}";echo;)
fi
# Apply the password to the account.
echo "${USER_NAME}:${USER_PASSWORD}" | chpasswd
# symlink out ssh config directory
# Runs only while /etc/ssh is still a real path, i.e. not yet replaced by the symlink.
if [ ! -L /etc/ssh ];then
# No saved sshd_config under /config yet: point PidFile at /config and copy the
# image's sshd_config there so it is the one used from now on.
if [ ! -f /config/ssh_host_keys/sshd_config ]; then
sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
cp -a /etc/ssh/sshd_config /config/ssh_host_keys/
fi
# Replace /etc/ssh with a symlink into /config. Every later edit of
# /etc/ssh/sshd_config in this script therefore lands in /config/ssh_host_keys.
rm -Rf /etc/ssh
ln -s /config/ssh_host_keys /etc/ssh
# Generate host keys for any key type that does not have one yet.
ssh-keygen -A
fi
# Password login toggle; the group owner of /etc/shadow is switched with it.
# NOTE(review): the "off" branch only rewrites an uncommented
# PasswordAuthentication line; if the config only has the commented default,
# sshd's own default applies. Verify against the image's sshd_config.
case "$PASSWORD_ACCESS" in
    true)
        sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
        sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
        chown root:"${USER_NAME}" /etc/shadow
        echo "User/password ssh access is enabled."
        ;;
    *)
        sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
        chown root:root /etc/shadow
        echo "User/password ssh access is disabled."
        ;;
esac

# Switch TCP forwarding and GatewayPorts from "no" to "yes". Only lines that
# currently start with "<option> no" are rewritten.
# GatewayPorts yes lets remote (-R) forwards listen on all of the container's
# interfaces instead of loopback only, which is how the published port 5551
# reaches the tunnel. It applies to every account that can log in, so keep the
# set of accounts and keys on this listener minimal.
for ssh_opt in AllowTcpForwarding GatewayPorts; do
    sed -i "/^${ssh_opt} no/c\\${ssh_opt} yes" /etc/ssh/sshd_config
done
# sftp umask: 022 unless UMASK is provided; appended as "-u <umask>" to the
# sftp-server path wherever a line in sshd_config ends with that path.
: "${UMASK:=022}"
sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
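# Populate /config/.ssh/authorized_keys from the optional PUBLIC_KEY* settings.
if [ ! -f /config/.ssh/authorized_keys ];then
    touch /config/.ssh/authorized_keys
fi

# Append every non-empty line of $1 that is not already present as an exact,
# whole-line, fixed-string match. Returns 0 when at least one line was added.
# The original used the key text as a grep regex and treated multi-line input
# as a set of alternative patterns, so one known key made the whole batch look
# "already present" and the remaining keys were skipped.
add_authorized_keys() {
    local key_line added=1
    while IFS= read -r key_line || [[ -n "$key_line" ]]; do
        [[ -z "$key_line" ]] && continue
        if ! grep -qxF -- "$key_line" /config/.ssh/authorized_keys; then
            printf '%s\n' "$key_line" >> /config/.ssh/authorized_keys
            added=0
        fi
    done <<< "$1"
    return "$added"
}

# Key passed directly in the environment.
[[ -n "$PUBLIC_KEY" ]] && \
    add_authorized_keys "$PUBLIC_KEY" && \
    echo "Public key from env variable added"

# Keys fetched from a URL. -f makes curl fail on an HTTP error instead of
# returning the error page, which would otherwise be written into authorized_keys.
# NOTE(review): whoever controls this URL (or the path to it) decides who can
# log in; use an https URL you own.
if [[ -n "$PUBLIC_KEY_URL" ]]; then
    if PUBLIC_KEY_DOWNLOADED=$(curl -fsS "$PUBLIC_KEY_URL"); then
        add_authorized_keys "$PUBLIC_KEY_DOWNLOADED" && \
            echo "Public key downloaded from '$PUBLIC_KEY_URL' added"
    else
        echo "Public key download from '$PUBLIC_KEY_URL' failed, nothing added"
    fi
fi

# Keys read from a single file.
[[ -n "$PUBLIC_KEY_FILE" ]] && [[ -f "$PUBLIC_KEY_FILE" ]] && \
    PUBLIC_KEY2=$(cat "$PUBLIC_KEY_FILE") && \
    add_authorized_keys "$PUBLIC_KEY2" && \
    echo "Public key from file added"

# Keys read from every regular file in a directory.
if [ -d "$PUBLIC_KEY_DIR" ];then
    for F in "${PUBLIC_KEY_DIR}"/*;do
        # Skips sub-directories and the literal pattern left by an empty directory.
        [[ -f "$F" ]] || continue
        PUBLIC_KEYN=$(cat "$F") && \
            add_authorized_keys "$PUBLIC_KEYN" && \
            echo "Public key from file '$F' added"
    done
fi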
# If an openssh.log exists in the log directory, move the whole directory aside
# and start with a fresh one.
if [[ -f /config/logs/openssh/openssh.log ]]; then
    mv /config/logs/openssh /config/logs/openssh.old.logs && \
        mkdir -p /config/logs/openssh
fi

# Write the note describing the log file naming once.
if [[ ! -f /config/logs/loginfo.txt ]]; then
    echo "The current log file is named \"current\". The rotated log files are gzipped, named with a TAI64N timestamp and a \".s\" extension" > /config/logs/loginfo.txt
fi
# Hand /config to the login user, then tighten modes: no group/other write on
# /config, owner-only access to .ssh and to authorized_keys.
chown -R "${USER_NAME}":"${USER_NAME}" /config
chmod go-w /config
chmod 700 /config/.ssh
chmod 600 /config/.ssh/authorized_keys
<mxfile host="Electron" modified="2022-08-06T05:53:52.451Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/19.0.3 Chrome/102.0.5005.63 Electron/19.0.3 Safari/537.36" etag="0ObX__Ou8DHX-t_ophvO" version="19.0.3" type="device"><diagram name="Page-1" id="55a83fd1-7818-8e21-69c5-c3457e3827bb">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</diagram></mxfile>