streamline building, proper makefile help

2022-08-24 17:42:06 +03:00
parent 97d62d8032
commit 7176e41edc
6 changed files with 123 additions and 59 deletions


@@ -1,21 +1,34 @@
.PHONY: help
help: ## *:・゚✧*:・゚✧ This help *:・゚✧*:・゚✧
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[33m[ \033[36m%-15s \033[33m]\033[0m %s\n", $$1, $$2}'
service-up:
service-up: ## Build and start SSH BOX service
docker-compose up --build -d -t 1 docker-compose up --build -d -t 1
service-logs: service-logs: ## View logs
docker-compose logs -f -t docker-compose logs -f -t
service-force-restart: service-dev: ## Build and start service, foreground
docker-compose build docker-compose build
docker-compose up -d --force-recreate -t 1 docker-compose up --force-recreate -t 0
docker-compose logs -f -t #docker-compose logs -f -t
service-down: service-down: ## Shutdown
docker-compose down -t 1 docker-compose down -t 1
service-bash: service-bash: ## Enter shell
docker-compose exec ssh-ftp-server bash docker-compose exec ssh-ftp-server bash
update-users: service-update: ## Pull never image
docker pull alpine:latest
user-update: ## Run user creation scripts
docker-compose exec ssh-ftp-server update_users.sh docker-compose exec ssh-ftp-server update_users.sh
user-add:
bash user-add
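Review bot: The `user-add` target in the last two lines of the hunk is a command, not a file, yet only `help` is declared `.PHONY`; its recipe runs `bash user-add`, so a file of that name (presumably the script the README mentions) sits in the working directory, and Make will treat it as an up-to-date target and never run the recipe. The other command targets have the same latent problem should a file of their name ever appear. Declare them all next to the existing line: `.PHONY: help service-up service-logs service-dev service-down service-bash service-update user-update user-add`. The help text `## Pull never image` on `service-update` reads as a typo for `## Pull newer image`.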


@@ -8,8 +8,10 @@ First start:
- modify your user ID number as USR - modify your user ID number as USR
- EXPOSE to port exposed outside - EXPOSE to port exposed outside
- start with docker-compose - start with docker-compose, or by using `make`
- data/ and home/ folders appear - data/ folder appears. It contains users definitions, and home folders
- create user by adding authorized_keys contents to data/users/[UID]-[username] file - create user by adding authorized_keys contents to data/users/[UID]-[username] file
- example: `vim users/2000-user1` <- copy id_rsa.pub contents there - example: `vim users/2000-user1` <- copy id_rsa.pub contents there
- use UID >=2000
- you can also use the `user-add` script


@@ -6,8 +6,6 @@ RUN apk add --no-cache \
rsync \ rsync \
shadow shadow
ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh COPY get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/
ADD update_users.sh /usr/local/sbin/update_users.sh
ADD run.sh /usr/local/sbin/run_ssh_box.sh
CMD bash /usr/local/sbin/run_ssh_box.sh CMD bash /usr/local/sbin/run_ssh_box.sh
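Review bot: `COPY get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/` keeps whatever mode the files carry in the build context, but `get_pub_keys.sh` is what sshd runs as `AuthorizedKeysCommand` (see the run script later in this commit), and sshd only executes that helper if it is root-owned, executable and not writable by group or others; `update_users.sh` is likewise invoked as a bare command, so a checkout that dropped the execute bit or a permissive umask would break key lookup or user creation for everyone. Pin the mode in the image instead of trusting the context, e.g. `COPY --chmod=0755 get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/` (BuildKit) or a following `RUN chmod 0755 /usr/local/sbin/*.sh`. The removed `ADD run.sh ... run_ssh_box.sh` suggests the script was renamed in this commit; the `RUN apk add` instruction that opens the hunk begins outside it.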


@@ -1,4 +1,4 @@
#!/bin/bash #!/bin/sh
set -e set -e
idnr=$( id -u "$1" ) idnr=$( id -u "$1" )
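Review bot: Switching the interpreter from `#!/bin/bash` to `#!/bin/sh` changes the dialect to the image's `sh` (busybox ash, if the Alpine base implied by `apk add` in the Dockerfile is right), but only the first three lines are in the hunk; any `[[ ]]`, arrays or `shopt` further down, outside this hunk, would now fail at runtime instead of at review. Given `id -u "$1"` this looks like the per-user key lookup helper, where a runtime failure would show up as a denied login rather than an error message. Worth a pass with `sh -n` or `shellcheck -s sh` over the whole file before merging.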


@@ -3,12 +3,12 @@ set -exu
shopt -s nullglob shopt -s nullglob
basedir=/var/ssh-box/ basedir=/var/ssh-box/
test -f "$basedir"/ssh-cache/ssh_host_rsa_key || { test -f "$basedir"/ssh-cache/ssh_host_rsa_key || {
ssh-keygen -A ssh-keygen -A
grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \ grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
-e Subsystem \ -e Subsystem \
/etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
cat <<EOF >> /etc/ssh/sshd_config cat <<EOF >> /etc/ssh/sshd_config
AuthorizedKeysFile /tmp/empty_keys AuthorizedKeysFile /tmp/empty_keys
AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh
AuthorizedKeysCommandUser root AuthorizedKeysCommandUser root
@@ -16,7 +16,7 @@ PermitEmptyPasswords no
PasswordAuthentication no PasswordAuthentication no
Subsystem sftp /usr/lib/ssh/sftp-server -u 002 Subsystem sftp /usr/lib/ssh/sftp-server -u 002
EOF EOF
rsync -va /etc/ssh/ "$basedir"/ssh-cache/ rsync -va /etc/ssh/ "$basedir"/ssh-cache/
} }
mkdir -p "$basedir"/users "$basedir"/ssh-cache "$basedir"/home mkdir -p "$basedir"/users "$basedir"/ssh-cache "$basedir"/home
rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/ rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/
@@ -33,10 +33,16 @@ if getent group box; then
else else
groupadd -g $GRP box groupadd -g $GRP box
fi fi
if getent group trusted; then
echo Trusted already added
else
groupadd trusted
fi
rmdir /home
chown root:root "$basedir"/home rmdir /home || true
chmod 0711 "$basedir"/home chown root:trusted "$basedir"/home
chmod 0751 "$basedir"/home
ln -sfT "$basedir"/home /home ln -sfT "$basedir"/home /home
touch /tmp/empty_keys touch /tmp/empty_keys
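Review bot: `rmdir /home || true` and the `chmod 0751 "$basedir"/home` two lines below it both look deliberate but are undocumented: the `|| true` presumably covers restarts where `/home` is already the symlink created by the following `ln -sfT`, and 0751 with owner `root:trusted` lets members of `trusted` list every user's home directory name while everyone else can only traverse. A comment on each would stop the next reader from "fixing" them, e.g. `# /home is already a symlink on restart; rmdir then fails harmlessly` and `# trusted may list /home; others may only traverse into their own dir`. Note also that `groupadd trusted` gets no fixed `-g`, unlike `groupadd -g $GRP box` above it, so its GID may differ between runs; harmless while the only thing chowned to it is `"$basedir"/home` here, which is redone on every start, but worth stating if anything persisted ever relies on the numeric GID.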
@@ -49,8 +55,7 @@ cat <<EOF > /etc/profile
alias ll='ls -al' alias ll='ls -al'
EOF EOF
echo "-~''~- SSH-Box ~-..-~" > /etc/motd echo "$NAME" > /etc/motd
echo "$NAME" >> /etc/motd
update_users.sh update_users.sh


@@ -1,45 +1,91 @@
#!/bin/bash #!/bin/bash
set -e set -eu
shopt -s nullglob shopt -s nullglob
echo updating users >&2 echo updating users >&2
function getpass() { function get_pass() {
# Technically possible to set password from key file # Technically possible to set password from key file
#set +e #set +e
#grep -q ^'#passwd=' "$1" && { #grep -q ^'#passwd=' "$1" && {
# local newpw=$( grep ^'#passwd=' "$1" | head -n1 ) # local newpw=$( grep ^'#passwd=' "$1" | head -n1 )
# newpw=${newpw:8} # newpw=${newpw:8}
# printf "$newpw" # printf "$newpw"
# sed -i 's/^#passwd=.*/#passwd-is-set/' "$1" # sed -i 's/^#passwd=.*/#passwd-is-set/' "$1"
# return # return
#} #}
set -e # set -e
local LENGTH=64 local LENGTH=64
LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH
}
function get_readme() {
cat <<EOF
# SSH Box home
- data/ folder is shared to all users, group access is forced.
- create any other folder to keep files to yourself.
- don't mess things up.
EOF
}
function validate_users() {
# users uid must be >=2000
# uid must be unique
# must be format [number]-[alphanumeric]
for file in *; do
if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
if [[ "${BASH_REMATCH[1]}" -lt 2000 ]]; then
echo "$file" has UID under 2000 >&2
exit 1
fi
else
echo files must be formatted " [number]-[alphanumeric]"
echo "$file" is not valid user definition >&2
exit 1
fi
done
duplicate_uid=$(
for file in *; do
if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
echo "${BASH_REMATCH[1]}"
fi
done | sort | uniq -d
)
if [[ -n "$duplicate_uid" ]]; then
echo user definitions contain duplicate UID >&2
echo "$duplicate_uid" >&2
exit 1
fi
} }
cd /var/ssh-box/users cd /var/ssh-box/users
validate_users
for file in *; do for file in *; do
echo $file if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
line=$file uid=${BASH_REMATCH[1]}
if [[ "$line" = *".sh" ]]; then user=${BASH_REMATCH[2]}
continue echo UID: "${BASH_REMATCH[1]}" username: "${BASH_REMATCH[2]}" >&2
id $user > /dev/null 2>&1 || {
adduser -D -u $uid $user
pw=$( get_pass "$file" )
echo -e "$pw\n$pw" | passwd $user 2> /dev/null
mkdir -p "/home/$user/data"
chmod 0711 "/home/$user"
usermod -a -G box $user
if grep -q '^# .*trusted.*' "$file"; then
usermod -a -G trusted $user
fi
}
rm -f "/home/$user/.ssh/authorized_keys"
get_readme > "/home/$user/README.md"
chown -R "$user":box "/home/$user/data"
chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
chmod 0600 "$file"
chown $USR "$file"
fi fi
user=${line##*-}
uid=${line%%-*}
id $user > /dev/null 2>&1 || {
adduser -D -u $uid $user
pw=$( getpass "$file" )
echo -e "$pw\n$pw" | passwd $user
mkdir -p "/home/$user/data"
chmod 0711 "/home/$user"
usermod -a -G box $user
}
rm -f "/home/$user/.ssh/authorized_keys"
chown -R "$user":box "/home/$user/data"
chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
chmod 0600 "$file"
chown $USR "$file"
done done
chmod 0700 /var/ssh-box/users chmod 0700 /var/ssh-box/users
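Review bot: The promotion into the `trusted` group inside the creation block, `if grep -q '^# .*trusted.*' "$file"; then`, matches on a substring, so any comment line that merely mentions the word (`# not trusted`, `# key from trusted-laptop`) grants the extra group; since these definition files are the users' authorized_keys contents, tighten it to an exact marker line, e.g. `if grep -qE '^#[[:space:]]*trusted[[:space:]]*$' "$file"; then`. Because that check sits inside the `id $user ... || { ... }` block it only runs when the account is first created, so adding or removing the marker on an existing definition takes effect only once the account is recreated; either re-evaluate membership on every run or state this in a comment. In `validate_users`, the line `echo files must be formatted " [number]-[alphanumeric]"` goes to stdout while the line after it goes to stderr, so add `>&2`, and the comment `# must be format [number]-[alphanumeric]` understates the regex, which also requires the name to start with a lowercase letter.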