From 78b8bf290f7f8fb067a8548d3aa77bec07828c84 Mon Sep 17 00:00:00 2001 From: Ville Rantanen Date: Thu, 16 Dec 2021 23:06:58 +0200 Subject: [PATCH] initial work --- .gitignore | 3 +++ README.md | 13 ++++++++++++ build/Dockerfile | 13 ++++++++++++ build/get_pub_keys.sh | 8 ++++++++ build/run.sh | 47 +++++++++++++++++++++++++++++++++++++++++++ build/update_users.sh | 43 +++++++++++++++++++++++++++++++++++++++ docker-compose.yaml | 19 +++++++++++++++++ example-env | 3 +++ run.sh | 2 ++ test-run.sh | 5 +++++ update-users.sh | 3 +++ 11 files changed, 159 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 build/Dockerfile create mode 100755 build/get_pub_keys.sh create mode 100755 build/run.sh create mode 100755 build/update_users.sh create mode 100644 docker-compose.yaml create mode 100644 example-env create mode 100755 run.sh create mode 100755 test-run.sh create mode 100755 update-users.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9a759d2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +home/ +users/ +sshd_config/ diff --git a/README.md b/README.md new file mode 100644 index 0000000..a6a9383 --- /dev/null +++ b/README.md @@ -0,0 +1,13 @@ + + + +first start: + +copy example-env to .env +modify your user ID as USR +EXPOSE to port exposed outside + +- data/ and home/ folders appear +- create user by adding authorized_keys contents to users/[UID]-[username] file + - example: `vim users/2000-user1` <- copy id_rsa.pub contents there + diff --git a/build/Dockerfile b/build/Dockerfile new file mode 100644 index 0000000..5b4c847 --- /dev/null +++ b/build/Dockerfile @@ -0,0 +1,13 @@ +FROM alpine +RUN apk add --no-cache \ + openssh \ + openssh-server-pam \ + bash \ + rsync \ + shadow + +ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh +ADD update_users.sh /usr/local/sbin/update_users.sh +ADD run.sh /usr/local/sbin/run_ssh_box.sh +CMD bash /usr/local/sbin/run_ssh_box.sh + 
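Review bot: `FROM alpine` at the top of build/Dockerfile is unpinned, so every build resolves `latest` and the openssh/shadow versions shipped in the image drift silently between builds; pin a tag or digest (`FROM alpine:<pinned-version>`) and bump it deliberately so security updates are a reviewed change rather than an accident. The three `ADD` lines only copy local files and should be `COPY`, which has no URL-fetch or archive-extraction behaviour. `CMD bash /usr/local/sbin/run_ssh_box.sh` is shell form, so `/bin/sh -c` becomes PID 1 and `docker stop` signals never reach sshd; the script ships with mode 100755 and a `#!/bin/bash` shebang, so `CMD ["/usr/local/sbin/run_ssh_box.sh"]` together with an `exec` of sshd at the end of that script lets sshd receive the stop signal directly.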
diff --git a/build/get_pub_keys.sh b/build/get_pub_keys.sh new file mode 100755 index 0000000..13458e8 --- /dev/null +++ b/build/get_pub_keys.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +idnr=$( id -u "$1" ) + +if [[ -e "/var/ssh-box/users/${idnr}-${1}" ]]; then + cat "/var/ssh-box/users/${idnr}-${1}" +fi + diff --git a/build/run.sh b/build/run.sh new file mode 100755 index 0000000..037778f --- /dev/null +++ b/build/run.sh @@ -0,0 +1,47 @@ +#!/bin/bash +set -e +set -x +set -u +basedir=/var/ssh-box/ +test -f "$basedir"/ssh-cache/ssh_host_rsa_key || { + ssh-keygen -A + grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \ + /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp + mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config + cat <> /etc/ssh/sshd_config +AuthorizedKeysFile /tmp/empty_keys +AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh +AuthorizedKeysCommandUser root +PermitEmptyPasswords no +PasswordAuthentication no +EOF + rsync -va /etc/ssh/ "$basedir"/ssh-cache/ +} +mkdir -p "$basedir"/users +rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/ +chown -R $USR "$basedir" +chown -R root:root /etc/ssh/ +chmod 0644 /etc/ssh/* +chmod 0600 /etc/ssh/*key + +groupadd -g 997 box + +chown root:root /home +chmod 0755 /home + +touch /tmp/empty_keys +chmod 0200 /tmp/empty_keys + +chown root:root /usr/local/sbin/*.sh +chmod 0700 /usr/local/sbin/*.sh + +cat < /etc/profile +alias ll='ls -al' +EOF + +echo "-~''~- SSH-Box ~-..-~" > /etc/motd +echo "$NAME" >> /etc/motd + +update_users.sh + +"/usr/sbin/sshd" "-D" "-e" "-f" "/etc/ssh/sshd_config" diff --git a/build/update_users.sh b/build/update_users.sh new file mode 100755 index 0000000..a22efa2 --- /dev/null +++ b/build/update_users.sh 
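Review bot: The `[[ -e … ]]` test in build/get_pub_keys.sh also matches a directory or special file at `/var/ssh-box/users/${idnr}-${1}`, and `cat` on a directory then fails under `set -e`; `[[ -f "/var/ssh-box/users/${idnr}-${1}" ]]` expresses the intent of "a regular key file". Nothing in the file says that this is the sshd `AuthorizedKeysCommand` configured in build/run.sh, which passes the target user name as the sole argument when no arguments are given, so a reader will not know that a non-zero exit from `id -u` for an unknown user is the expected "no keys" outcome rather than a bug; add a header such as `# sshd AuthorizedKeysCommand: $1 is the login name; prints the keys stored in /var/ssh-box/users/<uid>-<name>, exits non-zero for unknown users`. `set -u` next to `set -e` would also turn a missing `$1` into an explicit error instead of `id -u ""`.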
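Review bot: `groupadd -g 997 box` in build/run.sh is not idempotent: the script runs on every container start, so when the same container is restarted (docker-compose.yaml sets `restart: unless-stopped`) the group already exists, `groupadd` fails, `set -e` aborts the entrypoint and the container restart-loops; guard it with `grep -q '^box:' /etc/group || groupadd -g 997 box` (the `echo "$NAME" >> /etc/motd` line likewise appends one more line per restart). The last line should be `exec /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config` so sshd replaces the shell and receives the signal from `docker stop`. `AuthorizedKeysCommandUser root` runs get_pub_keys.sh as root on every authentication attempt although it only reads files that this script hands to `$USR` via `chown -R $USR "$basedir"`; a dedicated unprivileged user (or `$USR`) with read access to `/var/ssh-box/users` bounds the impact of any bug in that script. The `AuthorizedKeysFile /tmp/empty_keys` plus `chmod 0200 /tmp/empty_keys` pair can be replaced by `AuthorizedKeysFile none`, the documented way to disable file-based keys. The heredoc lines (`cat <> /etc/ssh/sshd_config`, `cat < /etc/profile`) appear garbled in this rendering, so I have not reviewed their contents.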
@@ -0,0 +1,43 @@ +#!/bin/bash +set -e +shopt -s nullglob + +echo updating users >&2 + +function getpass() { + # Technically possible to set password from key file + #set +e + #grep -q ^'#passwd=' "$1" && { + # local newpw=$( grep ^'#passwd=' "$1" | head -n1 ) + # newpw=${newpw:8} + # printf "$newpw" + # sed -i 's/^#passwd=.*/#passwd-is-set/' "$1" + # return + #} + set -e + local LENGTH=64 + LC_ALL=C tr -dc A-Za-z0-9 /dev/null 2>&1 || { + adduser -D -u $uid $user + pw=$( getpass "$file" ) + echo -e "$pw\n$pw" | passwd $user + mkdir -p "/home/$user/data" + chmod 0711 "/home/$user" + usermod -a -G box $user + } + rm -f "/home/$user/.ssh/authorized_keys" + chown -R "$user":box "/home/$user/data" + chmod -R u+rwX,g+rwX,o+X "/home/$user/data" +done + diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 0000000..605c3ca --- /dev/null +++ b/docker-compose.yaml @@ -0,0 +1,19 @@ +version: '2' + + +services: + ssh-ftp-server: + build: + context: build/ + ports: + - "0.0.0.0:${EXPOSE}:22" + volumes: + - ./home/:/home/ + - ./data/:/var/ssh-box/ + environment: + - USR=${USR} + - NAME=${NAME} + restart: unless-stopped + + + diff --git a/example-env b/example-env new file mode 100644 index 0000000..7edab0c --- /dev/null +++ b/example-env @@ -0,0 +1,3 @@ +USR=1000 +EXPOSE=3478 +NAME=BOX NAME diff --git a/run.sh b/run.sh new file mode 100755 index 0000000..22f46ff --- /dev/null +++ b/run.sh @@ -0,0 +1,2 @@ +#!/bin/bash +docker-compose up --build -d -t 1 diff --git a/test-run.sh b/test-run.sh new file mode 100755 index 0000000..66311d5 --- /dev/null +++ b/test-run.sh @@ -0,0 +1,5 @@ +#!/bin/bash +set -e +docker-compose build +docker-compose up -d --force-recreate -t 1 +docker-compose logs -f -t diff --git a/update-users.sh b/update-users.sh new file mode 100755 index 0000000..a6c0e31 --- /dev/null +++ b/update-users.sh @@ -0,0 +1,3 @@ +#!/bin/bash +set -e +docker-compose exec ssh-ftp-server update_users.sh
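Review bot: In build/update_users.sh every account is added to group `box` (`usermod -a -G box $user`) and its data directory is made group-writable (`chown -R "$user":box "/home/$user/data"` followed by `chmod -R u+rwX,g+rwX,o+X`), while `/home/$user` is 0711, so any user can reach and modify another user's `/home/<name>/data` by its predictable path; if users are meant to be isolated, drop the `g+rw` bits or give each user a private group and reserve `box` for shared locations, and if sharing is intended say so in a comment. I assume the `passwd` call with a random 64-character value exists only to unlock the account that `adduser -D` creates locked; if so, a comment such as `# adduser -D leaves the account locked; set a random unusable password so sshd accepts key logins` will stop a maintainer from "fixing" it, and `adduser -D $uid $user` / `passwd $user` / `usermod … $user` should quote their expansions. The `getpass` body and the loop header around `tr -dc A-Za-z0-9 /dev/null 2>&1 || {` are truncated in this rendering, so those lines are unreviewed.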
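Review bot: docker-compose.yaml mounts `./data/:/var/ssh-box/`, and build/run.sh persists the container's host private keys under `$basedir/ssh-cache`, yet the new `.gitignore` lists only `home/`, `users/` and `sshd_config/`; `data/` (which README says will appear on first run) is therefore trackable and the host private keys could be committed by mistake — add `data/` to `.gitignore`. `0.0.0.0:${EXPOSE}:22` publishes sshd on every host interface; if the box is meant to sit behind a proxy or VPN, bind to that address instead (`127.0.0.1:${EXPOSE}:22`), otherwise state in README that the port is reachable from outside.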
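Review bot: `docker-compose exec ssh-ftp-server update_users.sh` in update-users.sh allocates a TTY by default, so when the script is run without one (cron, CI, a pipe) it fails before the user sync happens; `docker-compose exec -T ssh-ftp-server update_users.sh` works in both settings. A one-line header comment noting that this re-runs the in-container user sync after editing `users/` would also tie it to the README instructions.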