ssh-bastion: remove photos sync

author: Mike Crute <mike@crute.us> 2020-12-29 02:04:26 +0000
committer: Mike Crute <mike@crute.us> 2020-12-29 02:04:26 +0000
commit: 5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3 (patch)
tree: 08790e4b1a96c666beb47eda6514fe6d45399827
parent: 588947985f05c7b5e7b5cd5d33268cf04620ea22 (diff)
download: dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.bz2
dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.xz
dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.zip
2 files changed, 1 insertions, 117 deletions
diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh
index a1dbea2..f48a3c3 100755
--- a/ssh-bastion/entrypoint.sh
+++ b/ssh-bastion/entrypoint.sh
@@ -16,17 +16,6 @@ if [ ! -d /srv/ssh/users ]; then
    mkdir -p /srv/ssh/users
 fi
-if [ "$UPLOAD_MODE" == "true" ]; then
-    if [ ! -d /srv/data ]; then
-        mkdir /srv/data
-        # SSH is extremely paranoid about chroot permissions
-        chown root:root /srv/data
-        chmod 755 /srv/data
-        chmod 755 /srv
-    fi
-fi
 for path in /srv/ssh/users/*; do
    user=$(basename $path)
    if [ "$user" = "*" ]; then
@@ -46,17 +35,6 @@ for path in /srv/ssh/users/*; do
    echo "Creating user ${user}(${uid})"
    adduser -DH -s /sbin/nologin -u $uid $user
-    if [ "$UPLOAD_MODE" == "true" ]; then
-        mkdir -p /srv/data/${user}/photos
-        chown root:root /srv/data/${user}
-        chmod 755 /srv/data/${user}
-        chown ${user}:${user} /srv/data/${user}/photos
-    fi
 done
-if [ "$UPLOAD_MODE" == "true" ]; then
+exec "$@"
-    exec "$@" -f /etc/ssh/sshd_upload_config
-else
-    exec "$@"
-fi
diff --git a/ssh-bastion/etc/ssh/sshd_upload_config b/ssh-bastion/etc/ssh/sshd_upload_config
deleted file mode 100644
index 7aa2ccc..0000000
--- a/ssh-bastion/etc/ssh/sshd_upload_config
+++ /dev/null
@@ -1,94 +0,0 @@
-# vim:set ft=sshdconfig
-HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ed25519_key
-# By default SSH attempts to chdir to the logged-in user's home directory. The
-# vast majority of users won't have a home directory on the machine, so
-# suppress the warning with a chroot.
-ChrootDirectory /srv/data/%u
-Subsystem sftp internal-sftp
-# No users will have home directories and all configs are under control of the
-# admin who mounts them from outside of this docker container so there is no
-# need to check modes and in-fact enabling this will cause failures.
-StrictModes no
-Protocol 2
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 4321
-SyslogFacility AUTH
-LogLevel INFO
-PidFile /var/run/sshd.pid
-PubkeyAuthentication yes
-HostbasedAuthentication no
-IgnoreRhosts yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
-UsePAM yes
-PermitRootLogin no
-ChallengeResponseAuthentication yes
-AuthenticationMethods publickey
-# Limit the number of authentication attemps per connection. SSH will log
-# failues once attempts reach half this number so this should also log all
-# authentication failures as well.
-PermitTTY no
-MaxAuthTries 2
-ForceCommand internal-sftp
-# This turns off reverse lookups of the originating host which hang sshd on DNS
-# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
-# files which must be converted to dotted quad ip addrs.
-UseDNS no
-# By default SSH doesn't accept any environment variables from the client.  But
-# we use this specific variable to pass robot user authentication tokens into
-# the system.
-AcceptEnv LANG LC_*
-# Disconnect after this period of time if the user hasn't provided a correct
-# password.
-LoginGraceTime 120
-# Disconnect dead sessions after 30 minutes of inactivity. The server will send
-# a keepalive every minutes and tolerate up to 30 failures before terminating
-# the session.
-ClientAliveInterval 60
-ClientAliveCountMax 30
-# Don't use TCP keepalives to prevent connections from dying when a temporary
-# routing issue occurs.
-TCPKeepAlive no
-# Allow up to 100 simultaneous unauthenticated connections.  Any connections
-# beyond that limit will be dropped.
-MaxStartups 100
-# The maxiumum number of sessions which can be served on one multi-plexing
-# connection. ssh does not fail gracefully when this number is exceeded, so we
-# keep it high.
-MaxSessions 100
-X11Forwarding no
-PrintMotd no
-# Used hardened crypto algorithms
-#
-# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# And also: https://access.redhat.com/discussions/3121481
-# And also: https://infosec.mozilla.org/guidelines/openssh
-# Validated by: https://sshcheck.com/
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-# PhotoSync requires ssh-rsa mode
-HostKeyAlgorithms ssh-rsa,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
-# These may be needed for older ssh clients but use SHA1 so are discouraged
-#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com
author	Mike Crute <mike@crute.us>	2020-12-29 02:04:26 +0000
committer	Mike Crute <mike@crute.us>	2020-12-29 02:04:26 +0000
commit	5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3 (patch)
tree	08790e4b1a96c666beb47eda6514fe6d45399827
parent	588947985f05c7b5e7b5cd5d33268cf04620ea22 (diff)
download	dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.bz2 dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.xz dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.zip

diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh index a1dbea2..f48a3c3 100755 --- a/ssh-bastion/entrypoint.sh +++ b/ssh-bastion/entrypoint.sh
@@ -16,17 +16,6 @@ if [ ! -d /srv/ssh/users ]; then
16	mkdir -p /srv/ssh/users	16	mkdir -p /srv/ssh/users
17	fi	17	fi
18		18
19	if [ "$UPLOAD_MODE" == "true" ]; then
20	if [ ! -d /srv/data ]; then
21	mkdir /srv/data
22
23	# SSH is extremely paranoid about chroot permissions
24	chown root:root /srv/data
25	chmod 755 /srv/data
26	chmod 755 /srv
27	fi
28	fi
29
30	for path in /srv/ssh/users/*; do	19	for path in /srv/ssh/users/*; do
31	user=$(basename $path)	20	user=$(basename $path)
32	if [ "$user" = "*" ]; then	21	if [ "$user" = "*" ]; then
@@ -46,17 +35,6 @@ for path in /srv/ssh/users/*; do
46		35
47	echo "Creating user ${user}(${uid})"	36	echo "Creating user ${user}(${uid})"
48	adduser -DH -s /sbin/nologin -u $uid $user	37	adduser -DH -s /sbin/nologin -u $uid $user
49
50	if [ "$UPLOAD_MODE" == "true" ]; then
51	mkdir -p /srv/data/${user}/photos
52	chown root:root /srv/data/${user}
53	chmod 755 /srv/data/${user}
54	chown ${user}:${user} /srv/data/${user}/photos
55	fi
56	done	38	done
57		39
58	if [ "$UPLOAD_MODE" == "true" ]; then	40	exec "$@"
59	exec "$@" -f /etc/ssh/sshd_upload_config
60	else
61	exec "$@"
62	fi


diff --git a/ssh-bastion/etc/ssh/sshd_upload_config b/ssh-bastion/etc/ssh/sshd_upload_config deleted file mode 100644 index 7aa2ccc..0000000 --- a/ssh-bastion/etc/ssh/sshd_upload_config +++ /dev/null
@@ -1,94 +0,0 @@
1	# vim:set ft=sshdconfig
2
3	HostKey /srv/ssh/hostkeys/rsa_key
4	HostKey /srv/ssh/hostkeys/ed25519_key
5
6	# By default SSH attempts to chdir to the logged-in user's home directory. The
7	# vast majority of users won't have a home directory on the machine, so
8	# suppress the warning with a chroot.
9	ChrootDirectory /srv/data/%u
10
11	Subsystem sftp internal-sftp
12
13	# No users will have home directories and all configs are under control of the
14	# admin who mounts them from outside of this docker container so there is no
15	# need to check modes and in-fact enabling this will cause failures.
16	StrictModes no
17
18	Protocol 2
19
20	# Bind a port above 1024 so we can run ssh as an unpriviledged user
21	Port 4321
22
23	SyslogFacility AUTH
24	LogLevel INFO
25	PidFile /var/run/sshd.pid
26
27	PubkeyAuthentication yes
28	HostbasedAuthentication no
29	IgnoreRhosts yes
30	PasswordAuthentication no
31	PermitEmptyPasswords no
32	AuthorizedKeysFile /srv/ssh/users/%u/ssh
33
34	UsePAM yes
35	PermitRootLogin no
36	ChallengeResponseAuthentication yes
37	AuthenticationMethods publickey
38
39	# Limit the number of authentication attemps per connection. SSH will log
40	# failues once attempts reach half this number so this should also log all
41	# authentication failures as well.
42	PermitTTY no
43	MaxAuthTries 2
44	ForceCommand internal-sftp
45
46	# This turns off reverse lookups of the originating host which hang sshd on DNS
47	# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
48	# files which must be converted to dotted quad ip addrs.
49	UseDNS no
50
51	# By default SSH doesn't accept any environment variables from the client. But
52	# we use this specific variable to pass robot user authentication tokens into
53	# the system.
54	AcceptEnv LANG LC_*
55
56	# Disconnect after this period of time if the user hasn't provided a correct
57	# password.
58	LoginGraceTime 120
59
60	# Disconnect dead sessions after 30 minutes of inactivity. The server will send
61	# a keepalive every minutes and tolerate up to 30 failures before terminating
62	# the session.
63	ClientAliveInterval 60
64	ClientAliveCountMax 30
65
66	# Don't use TCP keepalives to prevent connections from dying when a temporary
67	# routing issue occurs.
68	TCPKeepAlive no
69
70	# Allow up to 100 simultaneous unauthenticated connections. Any connections
71	# beyond that limit will be dropped.
72	MaxStartups 100
73
74	# The maxiumum number of sessions which can be served on one multi-plexing
75	# connection. ssh does not fail gracefully when this number is exceeded, so we
76	# keep it high.
77	MaxSessions 100
78
79	X11Forwarding no
80	PrintMotd no
81
82	# Used hardened crypto algorithms
83	#
84	# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
85	# And also: https://access.redhat.com/discussions/3121481
86	# And also: https://infosec.mozilla.org/guidelines/openssh
87	# Validated by: https://sshcheck.com/
88	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
89	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
90	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
91	# PhotoSync requires ssh-rsa mode
92	HostKeyAlgorithms ssh-rsa,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
93	# These may be needed for older ssh clients but use SHA1 so are discouraged
94	#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com