From 7176e41edc9c6eb3a2516450ce1816f38dc6f30f Mon Sep 17 00:00:00 2001
From: Ville Rantanen
Date: Wed, 24 Aug 2022 17:42:06 +0300
Subject: [PATCH] streamline building, proper makefile help

---
 Makefile | 29 +++++---
 README.md | 6 +-
 build/Dockerfile | 4 +-
 build/get_pub_keys.sh | 2 +-
 build/{run.sh => run_ssh_box.sh} | 29 ++++----
 build/update_users.sh | 112 ++++++++++++++++++++++---------
 6 files changed, 123 insertions(+), 59 deletions(-)
 rename build/{run.sh => run_ssh_box.sh} (67%)

diff --git a/Makefile b/Makefile
index 56c4ec8..5ebe0d0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,21 +1,34 @@
+.PHONY: help
+
+help: ## *:・゚✧*:・゚✧ This help *:・゚✧*:・゚✧
+ @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[33m[ \033[36m%-15s \033[33m]\033[0m %s\n", $$1, $$2}'
-service-up:
+
+service-up: ## Build and start SSH BOX service
docker-compose up --build -d -t 1
-service-logs:
+service-logs: ## View logs
docker-compose logs -f -t
-service-force-restart:
+service-dev: ## Build and start service, foreground
docker-compose build
- docker-compose up -d --force-recreate -t 1
- docker-compose logs -f -t
+ docker-compose up --force-recreate -t 0
+ #docker-compose logs -f -t
-service-down:
+service-down: ## Shutdown
docker-compose down -t 1
-service-bash:
+service-bash: ## Enter shell
docker-compose exec ssh-ftp-server bash
-update-users:
+service-update: ## Pull never image
+ docker pull alpine:latest
+
+user-update: ## Run user creation scripts
docker-compose exec ssh-ftp-server update_users.sh
+
+user-add:
+ bash user-add
+
+
diff --git a/README.md b/README.md
index c717d09..c352378 100644
--- a/README.md
+++ b/README.md
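Review bot: The new `user-add` target has no `.PHONY` entry, and the README changed in this same commit says a `user-add` script lives in the repo root, so `make user-add` will report "'user-add' is up to date" and never execute `bash user-add`; the other targets carry the same exposure should a file of that name ever appear. Extend the phony list to `.PHONY: help service-up service-logs service-dev service-down service-bash service-update user-update user-add`. The help string for `service-update` reads `## Pull never image`; it should be `## Pull newer image`, and since the target only pulls `alpine:latest`, it is worth adding that the next `service-up` (which builds) is what actually picks the new base up.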
@@ -8,8 +8,10 @@ First start:
- modify your user ID number as USR
- EXPOSE to port exposed outside
-- start with docker-compose
-- data/ and home/ folders appear
+- start with docker-compose, or by using `make`
+- data/ folder appears. It contains users definitions, and home folders
- create user by adding authorized_keys contents to data/users/[UID]-[username] file
- example: `vim users/2000-user1` <- copy id_rsa.pub contents there
+- use UID >=2000
+- you can also use the `user-add` script
diff --git a/build/Dockerfile b/build/Dockerfile
index 5b4c847..5ebf6d2 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -6,8 +6,6 @@ RUN apk add --no-cache \
rsync \
shadow
-ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh
-ADD update_users.sh /usr/local/sbin/update_users.sh
-ADD run.sh /usr/local/sbin/run_ssh_box.sh
+COPY get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/
CMD bash /usr/local/sbin/run_ssh_box.sh
diff --git a/build/get_pub_keys.sh b/build/get_pub_keys.sh
index 13458e8..6c9cddf 100755
--- a/build/get_pub_keys.sh
+++ b/build/get_pub_keys.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
set -e
idnr=$( id -u "$1" )
diff --git a/build/run.sh b/build/run_ssh_box.sh
similarity index 67%
rename from build/run.sh
rename to build/run_ssh_box.sh
index 1712e1e..5f3fe0b 100755
--- a/build/run.sh
+++ b/build/run_ssh_box.sh
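Review bot: `COPY` keeps whatever mode bits the build context has, and `/usr/local/sbin/get_pub_keys.sh` is the `AuthorizedKeysCommand` sshd runs on every login: sshd refuses a command that is not root-owned or is group/world-writable, and it must be executable, while `update_users.sh` is invoked bare from the run script and from the Makefile, so both depend on the checkout's permissions rather than on the image. Pin them in the build: `COPY --chmod=0755 get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/` (BuildKit), or a following `RUN chmod 0755 /usr/local/sbin/*.sh`. The `index … 100755` lines show the scripts are executable in git today, so this is hardening against an odd build context, not a current breakage.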
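Review bot: Changing the shebang to `#!/bin/sh` means busybox ash on this Alpine image, and the rest of the script is outside the hunk, so any bashism further down (`[[ ]]`, `${var//…}`, arrays, `local -r`) now fails at runtime — and because sshd calls this as `AuthorizedKeysCommand`, the visible symptom would be every key lookup returning nothing. Worth a `shellcheck -s sh build/get_pub_keys.sh` before merging. The script only makes sense with a username argument, so `set -eu` would also turn a missing `$1` into a clear error instead of whatever `id -u ""` reports.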
@@ -3,12 +3,12 @@ set -exu
shopt -s nullglob
basedir=/var/ssh-box/
test -f "$basedir"/ssh-cache/ssh_host_rsa_key || {
- ssh-keygen -A
- grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
- -e Subsystem \
- /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
- mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
- cat <> /etc/ssh/sshd_config
+ ssh-keygen -A
+ grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
+ -e Subsystem \
+ /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
+ mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
+ cat <> /etc/ssh/sshd_config
AuthorizedKeysFile /tmp/empty_keys
AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh
AuthorizedKeysCommandUser root
@@ -16,7 +16,7 @@ PermitEmptyPasswords no
PasswordAuthentication no
Subsystem sftp /usr/lib/ssh/sftp-server -u 002
EOF
- rsync -va /etc/ssh/ "$basedir"/ssh-cache/
+ rsync -va /etc/ssh/ "$basedir"/ssh-cache/
}
mkdir -p "$basedir"/users "$basedir"/ssh-cache "$basedir"/home
rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/
@@ -33,10 +33,16 @@ if getent group box; then
else
groupadd -g $GRP box
fi
+if getent group trusted; then
+ echo Trusted already added
+else
+ groupadd trusted
+fi
-
-rmdir /home
-chown root:root "$basedir"/home
-chmod 0711 "$basedir"/home
+
+rmdir /home || true
+chown root:trusted "$basedir"/home
+chmod 0751 "$basedir"/home
ln -sfT "$basedir"/home /home
touch /tmp/empty_keys
@@ -49,8 +55,7 @@ cat < /etc/profile
alias ll='ls -al'
EOF
-echo "-~''~- SSH-Box ~-..-~" > /etc/motd
-echo "$NAME" >> /etc/motd
+echo "$NAME" > /etc/motd
update_users.sh
diff --git a/build/update_users.sh b/build/update_users.sh
index 33dc57e..f9c8675 100755
--- a/build/update_users.sh
+++ b/build/update_users.sh
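Review bot: `rmdir /home || true` swallows every failure, including the one it is presumably there for (on a restart `/home` is already the symlink and `rmdir` refuses it), and when `/home` is a populated real directory the script dies one line later inside `ln -sfT` with a far less obvious message; `[ -L /home ] || rmdir /home` states the intent and keeps the genuine error. The `chmod 0751` on `"$basedir"/home` is a deliberate widening from 0711 — members of `trusted` can now enumerate every home-directory name — and that deserves a comment beside it, e.g. `# 0751: trusted group may list /home, everyone else may only traverse it`. Unlike `box`, `trusted` is created without `-g`, so its GID is whatever is free at container start; if anything on the persisted volume is ever group-owned by it, pin the GID the way `box` is.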
@@ -1,45 +1,91 @@ #!/bin/bash -set -e +set -eu shopt -s nullglob echo updating users >&2 -function getpass() { - # Technically possible to set password from key file - #set +e - #grep -q ^'#passwd=' "$1" && { - # local newpw=$( grep ^'#passwd=' "$1" | head -n1 ) - # newpw=${newpw:8} - # printf "$newpw" - # sed -i 's/^#passwd=.*/#passwd-is-set/' "$1" - # return - #} - set -e - local LENGTH=64 - LC_ALL=C tr -dc A-Za-z0-9 =2000 + # uid must be unique + # must be format [number]-[alphanumeric] + for file in *; do + if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then + if [[ "${BASH_REMATCH[1]}" -lt 2000 ]]; then + echo "$file" has UID under 2000 >&2 + exit 1 + fi + else + echo files must be formatted " [number]-[alphanumeric]" + echo "$file" is not valid user definition >&2 + exit 1 + fi + done + duplicate_uid=$( + for file in *; do + if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then + echo "${BASH_REMATCH[1]}" + fi + done | sort | uniq -d + ) + if [[ -n "$duplicate_uid" ]]; then + echo user definitions contain duplicate UID >&2 + echo "$duplicate_uid" >&2 + exit 1 + fi } cd /var/ssh-box/users +validate_users + for file in *; do - echo $file - line=$file - if [[ "$line" = *".sh" ]]; then - continue + if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then + uid=${BASH_REMATCH[1]} + user=${BASH_REMATCH[2]} + echo UID: "${BASH_REMATCH[1]}" username: "${BASH_REMATCH[2]}" >&2 + id $user > /dev/null 2>&1 || { + adduser -D -u $uid $user + pw=$( get_pass "$file" ) + echo -e "$pw\n$pw" | passwd $user 2> /dev/null + mkdir -p "/home/$user/data" + chmod 0711 "/home/$user" + usermod -a -G box $user + if grep -q '^# .*trusted.*' "$file"; then + usermod -a -G trusted $user + fi + } + rm -f "/home/$user/.ssh/authorized_keys" + get_readme > "/home/$user/README.md" + chown -R "$user":box "/home/$user/data" + chmod -R u+rwX,g+rwX,o+X "/home/$user/data" + chmod 0600 "$file" + chown $USR "$file" fi - user=${line##*-} - uid=${line%%-*} - id $user > /dev/null 2>&1 || { - adduser -D 
-u $uid $user - pw=$( getpass "$file" ) - echo -e "$pw\n$pw" | passwd $user - mkdir -p "/home/$user/data" - chmod 0711 "/home/$user" - usermod -a -G box $user - } - rm -f "/home/$user/.ssh/authorized_keys" - chown -R "$user":box "/home/$user/data" - chmod -R u+rwX,g+rwX,o+X "/home/$user/data" - chmod 0600 "$file" - chown $USR "$file" done chmod 0700 /var/ssh-box/users
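Review bot: `grep -q '^# .*trusted.*' "$file"` grants membership in the `trusted` group to any user whose key file has a comment containing that word anywhere — `# untrusted laptop key` qualifies — on what is otherwise an authorized_keys file; anchor the marker, e.g. `grep -qE '^#[[:space:]]*trusted[[:space:]]*$' "$file"`, and document it in the README, which does not mention it. Note also that the check sits inside the `id … || { … }` create branch, so adding or removing the marker on a running container changes nothing until the user is recreated. `validate_users` only dedups UIDs: `2000-alice` and `2001-alice` both pass, and the second file then silently re-chowns the existing `alice` home; feeding `"${BASH_REMATCH[2]}"` through the same `sort | uniq -d` pass would catch that. The `get_pass` body is not fully legible in this view, so the password generation is not reviewed here.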