Test static openssh

gitpod-io · Oct 22, 2021 · cb6b6a4 · cb6b6a4
1 parent 911754b
commit cb6b6a4
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 36 deletions.
diff --git a/components/supervisor/BUILD.yaml b/components/supervisor/BUILD.yaml
@@ -19,9 +19,9 @@ packages:
     type: docker
     srcs:
       - "supervisor-config.json"
+      - sshd_config
     deps:
       - :app
-      - :dropbear
       - components/supervisor/frontend:app
       - components/workspacekit:app
       - components/workspacekit:fuse-overlayfs
@@ -35,13 +35,3 @@ packages:
       image:
         - ${imageRepoBase}/supervisor:${version}
         - ${imageRepoBase}/supervisor:commit-${__git_commit}
-  - name: dropbear
-    type: generic
-    config:
-      commands:
-        - ["curl", "-OL", "https://matt.ucc.asn.au/dropbear/dropbear-2020.81.tar.bz2"]
-        - ["tar", "xjf", "dropbear-2020.81.tar.bz2"]
-        - ["sh", "-c", "cd dropbear-2020.81; ./configure --enable-static && sed -i '/clearenv();/d' svr-chansession.c && sed -i '/addnewvar(\"PATH\", DEFAULT_PATH);/d' svr-chansession.c && sed -i 's/filestat.st_mode & (S_IWGRP | S_IWOTH)/0/g' svr-authpubkey.c && make"]
-        - ["mv", "dropbear-2020.81/dropbear", "dropbear"]
-        - ["mv", "dropbear-2020.81/dropbearkey", "dropbearkey"]
-        - ["rm", "-rf", "dropbear-2020.81*"]
diff --git a/components/supervisor/leeway.Dockerfile b/components/supervisor/leeway.Dockerfile
@@ -2,6 +2,8 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
+FROM ep76/openssh-static:latest AS openssh
+
 FROM scratch
 
 # BEWARE: This must be the first layer in the image, s.t. that blobserve
@@ -16,9 +18,9 @@ COPY components-supervisor--app/supervisor \
      components-workspacekit--fuse-overlayfs/fuse-overlayfs \
      components-gitpod-cli--app/gitpod-cli \
      ./
-WORKDIR "/.supervisor/dropbear"
-COPY components-supervisor--dropbear/dropbear \
-     components-supervisor--dropbear/dropbearkey \
-     ./
 
-ENTRYPOINT ["/.supervisor/supervisor"]
+WORKDIR "/.supervisor/ssh"
+COPY --from=openssh /usr/sbin/sshd .
+COPY --from=openssh /usr/bin/ssh-keygen .
+
+ENTRYPOINT ["/.supervisor/supervisor"]
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
@@ -925,14 +925,14 @@ func startSSHServer(ctx context.Context, cfg *Config, wg *sync.WaitGroup) {
 				return xerrors.Errorf("cannot find executable path: %w", err)
 			}
 
-			dropbear := filepath.Join(filepath.Dir(bin), "dropbear", "dropbear")
-			if _, err := os.Stat(dropbear); err != nil {
-				return xerrors.Errorf("cannot locate dropbear binary in path %v", dropbear)
+			openssh := filepath.Join(filepath.Dir(bin), "ssh", "sshd")
+			if _, err := os.Stat(openssh); err != nil {
+				return xerrors.Errorf("cannot locate sshd binary in path %v", openssh)
 			}
 
-			dropbearkey := filepath.Join(filepath.Dir(bin), "dropbear", "dropbearkey")
-			if _, err := os.Stat(dropbearkey); err != nil {
-				return xerrors.Errorf("cannot locate dropebarkey (path %v)", dropbearkey)
+			sshkeygen := filepath.Join(filepath.Dir(bin), "ssh", "ssh-keygen")
+			if _, err := os.Stat(sshkeygen); err != nil {
+				return xerrors.Errorf("cannot locate ssh-keygen (path %v)", sshkeygen)
 			}
 
 			hostkeyFN, err := ioutil.TempFile("", "hostkey")
@@ -943,7 +943,7 @@ func startSSHServer(ctx context.Context, cfg *Config, wg *sync.WaitGroup) {
 			hostkeyFN.Close()
 			os.Remove(hostkeyFN.Name())
 
-			keycmd := exec.Command(dropbearkey, "-t", "rsa", "-f", hostkeyFN.Name())
+			keycmd := exec.Command(sshkeygen, "-t", "rsa", "-q", "-N", "", "-f", hostkeyFN.Name())
 			// We need to force HOME because the Gitpod user might not have existed at the start of the container
 			// which makes the container runtime set an invalid HOME value.
 			keycmd.Env = func() []string {
@@ -964,24 +964,27 @@ func startSSHServer(ctx context.Context, cfg *Config, wg *sync.WaitGroup) {
 			}
 			_ = os.Chown(hostkeyFN.Name(), gitpodUID, gitpodGID)
 
-			cmd := exec.CommandContext(ctx, dropbear, "-E", "-i", "-w", "-s", "-r", hostkeyFN.Name())
+			cmd := exec.CommandContext(ctx, openssh, "-ieD", "-f/dev/null",
+				"-oProtocol 2",
+				"-oAllowUsers "+cfg.GitUsername+" dyno",
+				"-oPasswordAuthentication no",
+				"-oChallengeResponseAuthentication no",
+				"-oUsePAM no",
+				"-oPermitRootLogin no",
+				"-oLoginGraceTime 20",
+				"-oLogLevel ERROR",
+				"-oPrintLastLog no",
+				"-oUsePrivilegeSeparation no",
+				"-oPermitUserEnvironment yes",
+				"-oHostKey "+hostkeyFN.Name(),
+				"-oPidFile /dev/null",
+			)
 			cmd = runAsGitpodUser(cmd)
 			cmd.Env = buildChildProcEnv(cfg, nil)
 			cmd.ExtraFiles = []*os.File{socketFD}
 			cmd.Stderr = os.Stderr
 			cmd.Stdout = socketFD
-
-			stdin, err := cmd.StdinPipe()
-			if err != nil {
-				return xerrors.Errorf("cannot create StdinPipe: %w", err)
-			}
-
-			go func() {
-				_, err = io.Copy(stdin, socketFD)
-				if err != nil {
-					log.WithError(err).Error("cannot copy to stdin")
-				}
-			}()
+			cmd.Stdin = socketFD
 
 			err = cmd.Start()
 			if err != nil {