forked from panubo/docker-sshd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
entry.sh
executable file
·237 lines (211 loc) · 7.52 KB
/
entry.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
#!/usr/bin/env bash
set -e
[ "$DEBUG" == 'true' ] && set -x
DAEMON=sshd
echo "> Starting SSHD"
# Copy default config from cache, if required
if [ ! "$(ls -A /etc/ssh)" ]; then
cp -a /etc/ssh.cache/* /etc/ssh/
fi
set_hostkeys() {
printf '%s\n' \
'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_ecdsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ed25519_key' \
| augtool -s 1> /dev/null
}
print_fingerprints() {
local BASE_DIR=${1-'/etc/ssh'}
for item in rsa ecdsa ed25519; do
echo ">>> Fingerprints for ${item} host key"
ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
done
}
check_authorized_key_ownership() {
local file="$1"
local _uid="$2"
local _gid="$3"
local uid_found="$(stat -c %u ${file})"
local gid_found="$(stat -c %g ${file})"
if ! ( [[ ( "$uid_found" == "$_uid" ) && ( "$gid_found" == "$_gid" ) ]] || [[ ( "$uid_found" == "0" ) && ( "$gid_found" == "0" ) ]] ); then
echo "WARNING: Incorrect ownership for ${file}. Expected uid/gid: ${_uid}/${_gid}, found uid/gid: ${uid_found}/${gid_found}. File uid/gid must match SSH_USERS or be root owned."
fi
}
# Generate Host keys, if required
if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found host keys in keys directory"
set_hostkeys
print_fingerprints /etc/ssh/keys
elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found Host keys in default location"
# Don't do anything
print_fingerprints
else
echo ">> Generating new host keys"
mkdir -p /etc/ssh/keys
ssh-keygen -A
mv /etc/ssh/ssh_host_* /etc/ssh/keys/
set_hostkeys
print_fingerprints /etc/ssh/keys
fi
# Fix permissions, if writable.
# NB ownership of /etc/authorized_keys are not changed
if [ -w ~/.ssh ]; then
chown root:root ~/.ssh && chmod 700 ~/.ssh/
fi
if [ -w ~/.ssh/authorized_keys ]; then
chown root:root ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
fi
if [ -w /etc/authorized_keys ]; then
chown root:root /etc/authorized_keys
chmod 755 /etc/authorized_keys
# test for writability before attempting chmod
for f in $(find /etc/authorized_keys/ -type f -maxdepth 1); do
[ -w "${f}" ] && chmod 644 "${f}"
done
fi
# Add users if SSH_USERS=user:uid:gid set
if [ -n "${SSH_USERS}" ]; then
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
IFS=':' read -ra UA <<< "$U"
_NAME=${UA[0]}
_UID=${UA[1]}
_GID=${UA[2]}
if [ ${#UA[*]} -ge 4 ]; then
_SHELL=${UA[3]}
else
_SHELL=''
fi
echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}, shell: ${_SHELL:-<default>}."
if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
else
check_authorized_key_ownership /etc/authorized_keys/${_NAME} ${_UID} ${_GID}
fi
getent group ${_NAME} >/dev/null 2>&1 || groupadd -g ${_GID} ${_NAME}
getent passwd ${_NAME} >/dev/null 2>&1 || useradd -r -m -p '' -u ${_UID} -g ${_GID} -s ${_SHELL:-""} -c 'SSHD User' ${_NAME}
done
else
# Warn if no authorized_keys
if [ ! -e ~/.ssh/authorized_keys ] && [ ! "$(ls -A /etc/authorized_keys)" ]; then
echo "WARNING: No SSH authorized_keys found!"
fi
fi
# Unlock root account, if enabled
if [[ "${SSH_ENABLE_ROOT}" == "true" ]]; then
echo ">> Unlocking root account"
usermod -p '' root
else
echo "INFO: root account is now locked by default. Set SSH_ENABLE_ROOT to unlock the account."
fi
# Update MOTD
if [ -v MOTD ]; then
echo -e "$MOTD" > /etc/motd
fi
# PasswordAuthentication (disabled by default)
if [[ "${SSH_ENABLE_PASSWORD_AUTH}" == "true" ]] || [[ "${SSH_ENABLE_ROOT_PASSWORD_AUTH}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/PasswordAuthentication yes' | augtool -s 1> /dev/null
echo "WARNING: password authentication enabled."
# Root Password Authentification
if [[ "${SSH_ENABLE_ROOT_PASSWORD_AUTH}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/PermitRootLogin yes' | augtool -s 1> /dev/null
echo "WARNING: password authentication for root user enabled."
else
echo "INFO: password authentication is not enabled for the root user. Set SSH_ENABLE_ROOT_PASSWORD_AUTH=true to enable."
fi
else
echo 'set /files/etc/ssh/sshd_config/PasswordAuthentication no' | augtool -s 1> /dev/null
echo "INFO: password authentication is disabled by default. Set SSH_ENABLE_PASSWORD_AUTH=true to enable."
fi
configure_sftp_only_mode() {
echo "INFO: configuring sftp only mode"
: ${SFTP_CHROOT:='/data'}
chown 0:0 ${SFTP_CHROOT}
chmod 755 ${SFTP_CHROOT}
printf '%s\n' \
'set /files/etc/ssh/sshd_config/Subsystem/sftp "internal-sftp"' \
'set /files/etc/ssh/sshd_config/AllowTCPForwarding no' \
'set /files/etc/ssh/sshd_config/GatewayPorts no' \
'set /files/etc/ssh/sshd_config/X11Forwarding no' \
'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
"set /files/etc/ssh/sshd_config/ChrootDirectory ${SFTP_CHROOT}" \
| augtool -s 1> /dev/null
}
configure_scp_only_mode() {
echo "INFO: configuring scp only mode"
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
_NAME=$(echo "${U}" | cut -d: -f1)
usermod -s '/usr/bin/rssh' ${_NAME}
done
(grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowscp") > /etc/rssh.conf
}
configure_rsync_only_mode() {
echo "INFO: configuring rsync only mode"
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
_NAME=$(echo "${U}" | cut -d: -f1)
usermod -s '/usr/bin/rssh' ${_NAME}
done
(grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowrsync") > /etc/rssh.conf
}
configure_ssh_options() {
# Enable AllowTcpForwarding
if [[ "${TCP_FORWARDING}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes' | augtool -s 1> /dev/null
fi
# Enable GatewayPorts
if [[ "${GATEWAY_PORTS}" == "true" ]]; then
echo 'set /files/etc/ssh/sshd_config/GatewayPorts yes' | augtool -s 1> /dev/null
fi
# Disable SFTP
if [[ "${DISABLE_SFTP}" == "true" ]]; then
printf '%s\n' \
'rm /files/etc/ssh/sshd_config/Subsystem/sftp' \
'rm /files/etc/ssh/sshd_config/Subsystem' \
| augtool -s 1> /dev/null
fi
}
# Configure mutually exclusive modes
if [[ "${SFTP_MODE}" == "true" ]]; then
configure_sftp_only_mode
elif [[ "${SCP_MODE}" == "true" ]]; then
configure_scp_only_mode
elif [[ "${RSYNC_MODE}" == "true" ]]; then
configure_rsync_only_mode
else
configure_ssh_options
fi
# Run scripts in /etc/entrypoint.d
for f in /etc/entrypoint.d/*; do
if [[ -x ${f} ]]; then
echo ">> Running: ${f}"
${f}
fi
done
stop() {
echo "Received SIGINT or SIGTERM. Shutting down $DAEMON"
# Get PID
local pid=$(cat /var/run/$DAEMON/$DAEMON.pid)
# Set TERM
kill -SIGTERM "${pid}"
# Wait for exit
wait "${pid}"
# All done.
echo "Done."
}
echo "Running $@"
if [ "$(basename $1)" == "$DAEMON" ]; then
trap stop SIGINT SIGTERM
$@ &
pid="$!"
mkdir -p /var/run/$DAEMON && echo "${pid}" > /var/run/$DAEMON/$DAEMON.pid
wait "${pid}"
exit $?
else
exec "$@"
fi