initial work

.gitignore

@@ -0,0 +1,3 @@
+home/
+users/
+sshd_config/

README.md

@@ -0,0 +1,13 @@
+
+
+
+first start:
+
+copy example-env to .env
+modify your user ID as USR
+EXPOSE to port exposed outside
+
+- data/ and home/ folders appear
+- create user by adding authorized_keys contents to users/[UID]-[username] file
+  - example:  `vim users/2000-user1`  <- copy id_rsa.pub contents there
+

build/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine
+RUN apk add --no-cache \
+  openssh \
+  openssh-server-pam \
+  bash \
+  rsync \
+  shadow
+
+ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh
+ADD update_users.sh /usr/local/sbin/update_users.sh
+ADD run.sh /usr/local/sbin/run_ssh_box.sh
+CMD bash /usr/local/sbin/run_ssh_box.sh
+

build/get_pub_keys.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+idnr=$( id -u "$1" )
+
+if [[ -e "/var/ssh-box/users/${idnr}-${1}" ]]; then
+  cat "/var/ssh-box/users/${idnr}-${1}"
+fi
+

build/run.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e
+set -x
+set -u
+basedir=/var/ssh-box/
+test -f "$basedir"/ssh-cache/ssh_host_rsa_key || {
+    ssh-keygen -A
+    grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
+        /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
+    mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
+    cat <<EOF >> /etc/ssh/sshd_config
+AuthorizedKeysFile    /tmp/empty_keys
+AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh
+AuthorizedKeysCommandUser root
+PermitEmptyPasswords no
+PasswordAuthentication no
+EOF
+    rsync -va /etc/ssh/ "$basedir"/ssh-cache/
+}
+mkdir -p "$basedir"/users
+rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/
+chown -R $USR "$basedir"
+chown -R root:root /etc/ssh/
+chmod 0644 /etc/ssh/*
+chmod 0600 /etc/ssh/*key
+
+groupadd -g 997 box
+
+chown root:root /home
+chmod 0755 /home
+
+touch /tmp/empty_keys
+chmod 0200 /tmp/empty_keys
+
+chown root:root /usr/local/sbin/*.sh
+chmod 0700 /usr/local/sbin/*.sh
+
+cat <<EOF > /etc/profile
+alias ll='ls -al'
+EOF
+
+echo "-~''~- SSH-Box ~-..-~" > /etc/motd
+echo "$NAME" >> /etc/motd
+
+update_users.sh
+
+"/usr/sbin/sshd" "-D" "-e" "-f" "/etc/ssh/sshd_config"

build/update_users.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+shopt -s nullglob
+
+echo updating users >&2
+
+function getpass() {
+    # Technically possible to set password from key file
+    #set +e
+    #grep -q ^'#passwd=' "$1" && {
+    #    local newpw=$( grep ^'#passwd=' "$1" | head -n1 )
+    #    newpw=${newpw:8}
+    #    printf "$newpw"
+    #    sed -i 's/^#passwd=.*/#passwd-is-set/' "$1"
+    #    return
+    #}
+    set -e
+    local LENGTH=64
+    LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH
+}
+
+cd /var/ssh-box/users
+for file in *; do
+  echo $file
+  line=$file
+  if [[ "$line" = *".sh" ]]; then
+    continue
+  fi
+  user=${line##*-}
+  uid=${line%%-*}
+  id $user > /dev/null 2>&1 || {
+        adduser -D -u $uid $user
+        pw=$( getpass "$file" )
+        echo -e "$pw\n$pw" | passwd $user
+        mkdir -p "/home/$user/data"
+        chmod 0711 "/home/$user"
+        usermod -a -G box $user
+  }
+  rm -f "/home/$user/.ssh/authorized_keys"
+  chown -R "$user":box "/home/$user/data"
+  chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
+done
+

docker-compose.yaml

@@ -0,0 +1,19 @@
+version: '2'
+
+
+services:
+  ssh-ftp-server:
+    build:
+      context: build/
+    ports:
+      - "0.0.0.0:${EXPOSE}:22"
+    volumes:
+      - ./home/:/home/
+      - ./data/:/var/ssh-box/
+    environment:
+      - USR=${USR}
+      - NAME=${NAME}
+    restart: unless-stopped
+
+
+

example-env

@@ -0,0 +1,3 @@
+USR=1000
+EXPOSE=3478
+NAME=BOX NAME

run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker-compose up --build -d -t 1

test-run.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+docker-compose build
+docker-compose up -d --force-recreate -t 1
+docker-compose logs -f -t

update-users.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+docker-compose exec ssh-ftp-server update_users.sh