From 179a60f0341eab82eef4e7da96925bed26fb879f Mon Sep 17 00:00:00 2001
From: ruowen
Date: Fri, 25 Jan 2019 09:46:30 +0800
Subject: [PATCH] add sshd docker images

Change-Id: Idb8c3930c25301db3915fcfc0bcaf51c284d5381
---
 sshd/Dockerfile | 38 ++++++++++++++
 sshd/entry.sh | 129 ++++++++++++++++++++++++++++++++++++++++++++++
 sshd/sources.list | 19 +++++++
 sshd/sshd_config | 88 +++++++++++++++++++++++++++++++
 4 files changed, 274 insertions(+)
 create mode 100644 sshd/Dockerfile
 create mode 100755 sshd/entry.sh
 create mode 100644 sshd/sources.list
 create mode 100644 sshd/sshd_config

diff --git a/sshd/Dockerfile b/sshd/Dockerfile
new file mode 100644
index 0000000..9acf024
--- /dev/null
+++ b/sshd/Dockerfile
@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2019 XueTong Tech Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+FROM ubuntu:16.04
+MAINTAINER xt
+
+COPY sources.list /etc/apt/sources.list
+RUN apt-get update \
+ && apt-get install -y bash git openssh-server rsync augeas-tools sudo iputils-ping net-tools curl vim \
+ && deluser $(getent passwd 33 | cut -d: -f1) \
+ && delgroup $(getent group 33 | cut -d: -f1) 2>/dev/null || true \
+ && mkdir -p ~root/.ssh /etc/authorized_keys && chmod 700 ~root/.ssh/ \
+ && augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"' \
+ && echo "Port 22\n" >> /etc/ssh/sshd_config \
+ && cp -a /etc/ssh /etc/ssh.cache \
+ && rm -rf /var/lib/apt/lists/*
+
+EXPOSE 22
+
+COPY sshd_config /etc/ssh/sshd_config
+COPY entry.sh /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+
+CMD ["/usr/sbin/sshd", "-D", "-f", "/etc/ssh/sshd_config"]
diff --git a/sshd/entry.sh b/sshd/entry.sh
new file mode 100755
index 0000000..d19c068
--- /dev/null
+++ b/sshd/entry.sh
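Review bot: The `AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"` written by augtool in the RUN step is discarded a few lines later, because `COPY sshd_config /etc/ssh/sshd_config` replaces the file with the repository copy, in which `AuthorizedKeysFile` is commented out (see the sshd/sshd_config hunk). In the default image sshd therefore only reads `~/.ssh/authorized_keys`, and the per-user files under /etc/authorized_keys that entry.sh prepares and warns about are never consulted; the augtool setting only takes effect when /etc/ssh is an empty volume and the cached copy is restored. The simplest fix is to add `AuthorizedKeysFile .ssh/authorized_keys /etc/authorized_keys/%u` to the shipped sshd_config, after which the augtool line can go. Separately, `echo "Port 22\n"` relies on the RUN shell's echo interpreting `\n` (dash does, bash would write a literal backslash-n) and the shipped config already sets `Port 22`, so `printf 'Port 22\n'` or dropping the line avoids the ambiguity. `MAINTAINER` is deprecated in favour of `LABEL maintainer="xt"`.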
@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+
+set -e
+
+[ "$DEBUG" == 'true' ] && set -x
+
+DAEMON=sshd
+
+# Copy default config from cache
+if [ ! "$(ls -A /etc/ssh)" ]; then
+ cp -a /etc/ssh.cache/* /etc/ssh/
+fi
+
+set_hostkeys() {
+ printf '%s\n' \
+ 'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
+ 'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_dsa_key' \
+ 'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ecdsa_key' \
+ 'set /files/etc/ssh/sshd_config/HostKey[4] /etc/ssh/keys/ssh_host_ed25519_key' \
+ | augtool -s
+}
+
+print_fingerprints() {
+ local BASE_DIR=${1-'/etc/ssh'}
+ for item in dsa rsa ecdsa ed25519; do
+ echo ">>> Fingerprints for ${item} host key"
+ ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key
+ ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
+ ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
+ done
+}
+
+# Generate Host keys, if required
+if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
+ echo ">> Host keys in keys directory"
+ set_hostkeys
+ print_fingerprints /etc/ssh/keys
+elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
+ echo ">> Host keys exist in default location"
+ # Don't do anything
+ print_fingerprints
+else
+ echo ">> Generating new host keys"
+ mkdir -p /etc/ssh/keys
+ ssh-keygen -A
+ mv /etc/ssh/ssh_host_* /etc/ssh/keys/
+ set_hostkeys
+ print_fingerprints /etc/ssh/keys
+fi
+
+# Fix permissions, if writable
+if [ -w ~/.ssh ]; then
+ chown root:root ~/.ssh && chmod 700 ~/.ssh/
+fi
+if [ -w ~/.ssh/authorized_keys ]; then
+ chown root:root ~/.ssh/authorized_keys
+ chmod 600 ~/.ssh/authorized_keys
+fi
+if [ -w /etc/authorized_keys ]; then
+ chown root:root /etc/authorized_keys
+ chmod 755 /etc/authorized_keys
+ find /etc/authorized_keys/ -type f -exec chmod 644 {} \;
+fi
+
+# Add users if SSH_USERS=user:uid:gid set
+if [ -n "${SSH_USERS}" ]; then
+ USERS=$(echo $SSH_USERS | tr "," "\n")
+ for U in $USERS; do
+ IFS=':' read -ra UA <<< "$U"
+ _NAME=${UA[0]}
+ _UID=${UA[1]}
+ _GID=${UA[2]}
+
+ echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}."
+ if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
+ echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
+ fi
+ getent group ${_NAME} >/dev/null 2>&1 || addgroup --gid ${_GID} ${_NAME}
+ getent passwd ${_NAME} >/dev/null 2>&1 || adduser --uid ${_UID} --gid ${_GID} ${_NAME}
+ passwd -u ${_NAME} || true
+ done
+else
+ # Warn if no authorized_keys
+ if [ ! -e ~/.ssh/authorized_keys ] && [ ! $(ls -A /etc/authorized_keys) ]; then
+ echo "WARNING: No SSH authorized_keys found!"
+ fi
+fi
+
+# Update MOTD
+if [ -v MOTD ]; then
+ echo -e "$MOTD" > /etc/motd
+fi
+
+if [[ "${SFTP_MODE}" == "true" ]]; then
+ : ${SFTP_CHROOT:='/data'}
+ chown 0:0 ${SFTP_CHROOT}
+ chmod 755 ${SFTP_CHROOT}
+
+ printf '%s\n' \
+ 'set /files/etc/ssh/sshd_config/Subsystem/sftp "internal-sftp"' \
+ 'set /files/etc/ssh/sshd_config/AllowTCPForwarding no' \
+ 'set /files/etc/ssh/sshd_config/X11Forwarding no' \
+ 'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
+ 'set /files/etc/ssh/sshd_config/ChrootDirectory /data' \
+ | augtool -s
+fi
+
+stop() {
+ echo "Received SIGINT or SIGTERM. Shutting down $DAEMON"
+ # Get PID
+ pid=$(cat /var/run/$DAEMON/$DAEMON.pid)
+ # Set TERM
+ kill -SIGTERM "${pid}"
+ # Wait for exit
+ wait "${pid}"
+ # All done.
+ echo "Done."
+}
+
+echo "Running $@"
+if [ "$(basename $1)" == "$DAEMON" ]; then
+ trap stop SIGINT SIGTERM
+ $@ &
+ pid="$!"
+ mkdir -p /var/run/$DAEMON && echo "${pid}" > /var/run/$DAEMON/$DAEMON.pid
+ wait "${pid}" && exit $?
+else
+ exec "$@"
+fi
diff --git a/sshd/sources.list b/sshd/sources.list
new file mode 100644
index 0000000..16d9236
--- /dev/null
+++ b/sshd/sources.list
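Review bot: In the SFTP_MODE block, `ChrootDirectory /data` is hard-coded in the augtool command while the directory that is chown'd and chmod'd comes from `SFTP_CHROOT`, so setting SFTP_CHROOT to anything other than /data makes sshd chroot into /data while the ownership fix-up that the chroot check depends on is applied to a different directory. That single-quoted line should become `"set /files/etc/ssh/sshd_config/ChrootDirectory ${SFTP_CHROOT}"` so the two agree. In the SSH_USERS loop, `adduser --uid ${_UID} --gid ${_GID} ${_NAME}` is the interactive Debian adduser, which as far as I can tell will try to prompt for a password and GECOS fields even with no tty attached; `adduser --disabled-password --gecos '' --uid "${_UID}" --gid "${_GID}" "${_NAME}"` keeps it non-interactive, and the uid/gid/name expansions should be quoted throughout the loop. Near the end, `$@ &` and `$(basename $1)` are unquoted; `"$@" &` and `"$(basename "$1")"` keep arguments containing spaces intact.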
@@ -0,0 +1,19 @@
+# deb cdrom:[Ubuntu 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420.1)]/ xenial main restricted
+deb-src http://archive.ubuntu.com/ubuntu xenial main restricted #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
+deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
+deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse #Added by software-properties
+deb http://archive.canonical.com/ubuntu xenial partner
+deb-src http://archive.canonical.com/ubuntu xenial partner
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
+deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe #Added by software-properties
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
+deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
+
diff --git a/sshd/sshd_config b/sshd/sshd_config
new file mode 100644
index 0000000..66dbe5b
--- /dev/null
+++ b/sshd/sshd_config
@@ -0,0 +1,88 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# If you just want the PAM account and session checks to run without
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+UseDNS no
+AddressFamily inet
+PermitRootLogin yes
+SyslogFacility AUTHPRIV
+PasswordAuthentication no
-- 
GitLab
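Review bot: The `Ciphers` line near the end of the hunk re-enables algorithms that the OpenSSH 7.2 shipped in ubuntu:16.04 deliberately leaves out of its defaults: `arcfour` (RC4) is cryptographically broken and `blowfish-cbc`, `cast128-cbc`, `3des-cbc` and the `aes*-cbc` modes are exposed to the known CBC plaintext-recovery weakness, and listing them lets any client that prefers them negotiate them. Trimming the line to `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr` keeps every modern client working, or the line can be dropped to inherit the defaults. `PermitRootLogin yes` is paired with `PasswordAuthentication no`, so password logins as root are already impossible; `PermitRootLogin prohibit-password` states that intent explicitly and survives a later change to PasswordAuthentication. `Protocol 2`, `RSAAuthentication`, `RhostsRSAAuthentication`, `KeyRegenerationInterval` and `ServerKeyBits` are SSH-1-era options that this OpenSSH version only warns about as deprecated, and removing them keeps the startup log clean.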