add sshd docker images

Change-Id: Idb8c3930c25301db3915fcfc0bcaf51c284d5381

sshd/Dockerfile

+#
+# Copyright (C) 2019 XueTong Tech Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM ubuntu:16.04
+MAINTAINER xt
+
+COPY sources.list /etc/apt/sources.list
+RUN apt-get update \
+    && apt-get install -y bash git openssh-server rsync augeas-tools sudo iputils-ping net-tools curl vim \
+    && deluser $(getent passwd 33 | cut -d: -f1) \
+    && delgroup $(getent group 33 | cut -d: -f1) 2>/dev/null || true \
+    && mkdir -p ~root/.ssh /etc/authorized_keys && chmod 700 ~root/.ssh/ \
+    && augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"' \
+    && echo "Port 22\n" >> /etc/ssh/sshd_config \
+    && cp -a /etc/ssh /etc/ssh.cache \
+    && rm -rf /var/lib/apt/lists/*
+
+EXPOSE 22
+
+COPY sshd_config /etc/ssh/sshd_config
+COPY entry.sh /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+
+CMD ["/usr/sbin/sshd", "-D", "-f", "/etc/ssh/sshd_config"]

sshd/entry.sh

+#!/usr/bin/env bash
+
+set -e
+
+[ "$DEBUG" == 'true' ] && set -x
+
+DAEMON=sshd
+
+# Copy default config from cache
+if [ ! "$(ls -A /etc/ssh)" ]; then
+   cp -a /etc/ssh.cache/* /etc/ssh/
+fi
+
+set_hostkeys() {
+    printf '%s\n' \
+        'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
+        'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_dsa_key' \
+        'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ecdsa_key' \
+        'set /files/etc/ssh/sshd_config/HostKey[4] /etc/ssh/keys/ssh_host_ed25519_key' \
+    | augtool -s
+}
+
+print_fingerprints() {
+    local BASE_DIR=${1-'/etc/ssh'}
+    for item in dsa rsa ecdsa ed25519; do
+        echo ">>> Fingerprints for ${item} host key"
+        ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key 
+        ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
+        ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
+    done
+}
+
+# Generate Host keys, if required
+if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
+    echo ">> Host keys in keys directory"
+    set_hostkeys
+    print_fingerprints /etc/ssh/keys
+elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
+    echo ">> Host keys exist in default location"
+    # Don't do anything
+    print_fingerprints
+else
+    echo ">> Generating new host keys"
+    mkdir -p /etc/ssh/keys
+    ssh-keygen -A
+    mv /etc/ssh/ssh_host_* /etc/ssh/keys/
+    set_hostkeys
+    print_fingerprints /etc/ssh/keys
+fi
+
+# Fix permissions, if writable
+if [ -w ~/.ssh ]; then
+    chown root:root ~/.ssh && chmod 700 ~/.ssh/
+fi
+if [ -w ~/.ssh/authorized_keys ]; then
+    chown root:root ~/.ssh/authorized_keys
+    chmod 600 ~/.ssh/authorized_keys
+fi
+if [ -w /etc/authorized_keys ]; then
+    chown root:root /etc/authorized_keys
+    chmod 755 /etc/authorized_keys
+    find /etc/authorized_keys/ -type f -exec chmod 644 {} \;
+fi
+
+# Add users if SSH_USERS=user:uid:gid set
+if [ -n "${SSH_USERS}" ]; then
+    USERS=$(echo $SSH_USERS | tr "," "\n")
+    for U in $USERS; do
+        IFS=':' read -ra UA <<< "$U"
+        _NAME=${UA[0]}
+        _UID=${UA[1]}
+        _GID=${UA[2]}
+
+        echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}."
+        if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
+            echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
+        fi
+        getent group ${_NAME} >/dev/null 2>&1 || addgroup --gid ${_GID} ${_NAME}
+        getent passwd ${_NAME} >/dev/null 2>&1 || adduser --uid ${_UID} --gid ${_GID} ${_NAME}
+        passwd -u ${_NAME} || true
+    done
+else
+    # Warn if no authorized_keys
+    if [ ! -e ~/.ssh/authorized_keys ] && [ ! $(ls -A /etc/authorized_keys) ]; then
+      echo "WARNING: No SSH authorized_keys found!"
+    fi
+fi
+
+# Update MOTD
+if [ -v MOTD ]; then
+    echo -e "$MOTD" > /etc/motd
+fi
+
+if [[ "${SFTP_MODE}" == "true" ]]; then
+    : ${SFTP_CHROOT:='/data'}
+    chown 0:0 ${SFTP_CHROOT}
+    chmod 755 ${SFTP_CHROOT}
+
+    printf '%s\n' \
+        'set /files/etc/ssh/sshd_config/Subsystem/sftp "internal-sftp"' \
+        'set /files/etc/ssh/sshd_config/AllowTCPForwarding no' \
+        'set /files/etc/ssh/sshd_config/X11Forwarding no' \
+        'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
+        'set /files/etc/ssh/sshd_config/ChrootDirectory /data' \
+    | augtool -s
+fi
+
+stop() {
+    echo "Received SIGINT or SIGTERM. Shutting down $DAEMON"
+    # Get PID
+    pid=$(cat /var/run/$DAEMON/$DAEMON.pid)
+    # Set TERM
+    kill -SIGTERM "${pid}"
+    # Wait for exit
+    wait "${pid}"
+    # All done.
+    echo "Done."
+}
+
+echo "Running $@"
+if [ "$(basename $1)" == "$DAEMON" ]; then
+    trap stop SIGINT SIGTERM
+    $@ &
+    pid="$!"
+    mkdir -p /var/run/$DAEMON && echo "${pid}" > /var/run/$DAEMON/$DAEMON.pid
+    wait "${pid}" && exit $?
+else
+    exec "$@"
+fi

sshd/sources.list

+# deb cdrom:[Ubuntu 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420.1)]/ xenial main restricted
+deb-src http://archive.ubuntu.com/ubuntu xenial main restricted #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
+deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse #Added by software-properties
+deb http://archive.canonical.com/ubuntu xenial partner
+deb-src http://archive.canonical.com/ubuntu xenial partner
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
+

sshd/sshd_config

+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# If you just want the PAM account and session checks to run without
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+UseDNS no
+AddressFamily inet
+PermitRootLogin yes
+SyslogFacility AUTHPRIV
+PasswordAuthentication no