initial work

2021-12-16 23:06:58 +02:00
commit 78b8bf290f
11 changed files with 159 additions and 0 deletions
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine
+RUN apk add --no-cache \
+  openssh \
+  openssh-server-pam \
+  bash \
+  rsync \
+  shadow
+
+ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh
+ADD update_users.sh /usr/local/sbin/update_users.sh
+ADD run.sh /usr/local/sbin/run_ssh_box.sh
+CMD bash /usr/local/sbin/run_ssh_box.sh
+
--- a/build/get_pub_keys.sh
+++ b/build/get_pub_keys.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+idnr=$( id -u "$1" )
+
+if [[ -e "/var/ssh-box/users/${idnr}-${1}" ]]; then
+  cat "/var/ssh-box/users/${idnr}-${1}"
+fi
+
--- a/build/run.sh
+++ b/build/run.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e
+set -x
+set -u
+basedir=/var/ssh-box/
+test -f "$basedir"/ssh-cache/ssh_host_rsa_key || {
+    ssh-keygen -A
+    grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
+        /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
+    mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
+    cat <<EOF >> /etc/ssh/sshd_config
+AuthorizedKeysFile    /tmp/empty_keys
+AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh
+AuthorizedKeysCommandUser root
+PermitEmptyPasswords no
+PasswordAuthentication no
+EOF
+    rsync -va /etc/ssh/ "$basedir"/ssh-cache/
+}
+mkdir -p "$basedir"/users
+rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/
+chown -R $USR "$basedir"
+chown -R root:root /etc/ssh/
+chmod 0644 /etc/ssh/*
+chmod 0600 /etc/ssh/*key
+
+groupadd -g 997 box
+
+chown root:root /home
+chmod 0755 /home
+
+touch /tmp/empty_keys
+chmod 0200 /tmp/empty_keys
+
+chown root:root /usr/local/sbin/*.sh
+chmod 0700 /usr/local/sbin/*.sh
+
+cat <<EOF > /etc/profile
+alias ll='ls -al'
+EOF
+
+echo "-~''~- SSH-Box ~-..-~" > /etc/motd
+echo "$NAME" >> /etc/motd
+
+update_users.sh
+
+"/usr/sbin/sshd" "-D" "-e" "-f" "/etc/ssh/sshd_config"
--- a/build/update_users.sh
+++ b/build/update_users.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+shopt -s nullglob
+
+echo updating users >&2
+
+function getpass() {
+    # Technically possible to set password from key file
+    #set +e
+    #grep -q ^'#passwd=' "$1" && {
+    #    local newpw=$( grep ^'#passwd=' "$1" | head -n1 )
+    #    newpw=${newpw:8}
+    #    printf "$newpw"
+    #    sed -i 's/^#passwd=.*/#passwd-is-set/' "$1"
+    #    return
+    #}
+    set -e
+    local LENGTH=64
+    LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH
+}
+
+cd /var/ssh-box/users
+for file in *; do
+  echo $file
+  line=$file
+  if [[ "$line" = *".sh" ]]; then
+    continue
+  fi
+  user=${line##*-}
+  uid=${line%%-*}
+  id $user > /dev/null 2>&1 || {
+        adduser -D -u $uid $user
+        pw=$( getpass "$file" )
+        echo -e "$pw\n$pw" | passwd $user
+        mkdir -p "/home/$user/data"
+        chmod 0711 "/home/$user"
+        usermod -a -G box $user
+  }
+  rm -f "/home/$user/.ssh/authorized_keys"
+  chown -R "$user":box "/home/$user/data"
+  chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
+done
+