author | Mike Crute <mike@crute.us> | 2020-12-29 02:04:26 +0000 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2020-12-29 02:04:26 +0000 |
commit | 5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3 (patch) | |
tree | 08790e4b1a96c666beb47eda6514fe6d45399827 | |
parent | 588947985f05c7b5e7b5cd5d33268cf04620ea22 (diff) | |
download | dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.bz2 dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.tar.xz dockerfiles-5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3.zip |
ssh-bastion: remove photos sync
-rwxr-xr-x | ssh-bastion/entrypoint.sh | 24 | ||||
-rw-r--r-- | ssh-bastion/etc/ssh/sshd_upload_config | 94 |
2 files changed, 1 insertions, 117 deletions
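--- a/ssh-bastion/entrypoint.sh
+++ b/ssh-bastion/entrypoint.sh
@@ -16,17 +16,6 @@ if [ ! -d /srv/ssh/users ]; then
 mkdir -p /srv/ssh/users
 fi
 
-if [ "$UPLOAD_MODE" == "true" ]; then
-if [ ! -d /srv/data ]; then
-mkdir /srv/data
-
-# SSH is extremely paranoid about chroot permissions
-chown root:root /srv/data
-chmod 755 /srv/data
-chmod 755 /srv
-fi
-fi
-
 for path in /srv/ssh/users/*; do
 user=$(basename $path)
 if [ "$user" = "*" ]; then
@@ -46,17 +35,6 @@ for path in /srv/ssh/users/*; do
 
 echo "Creating user ${user}(${uid})"
 adduser -DH -s /sbin/nologin -u $uid $user
-
-if [ "$UPLOAD_MODE" == "true" ]; then
-mkdir -p /srv/data/${user}/photos
-chown root:root /srv/data/${user}
-chmod 755 /srv/data/${user}
-chown ${user}:${user} /srv/data/${user}/photos
-fi
 done
 
-if [ "$UPLOAD_MODE" == "true" ]; then
-exec "$@" -f /etc/ssh/sshd_upload_config
-else
-exec "$@"
-fi
+exec "$@"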
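Review bot: With the `-f /etc/ssh/sshd_upload_config` branch gone, the new `exec "$@"` at new line 40 unconditionally launches whatever CMD the image supplies, and `UPLOAD_MODE` is no longer read anywhere in this file, so a deployment that still exports `UPLOAD_MODE=true` expecting the chroot'd `ForceCommand internal-sftp` profile from the deleted config would now silently get the general bastion config instead. Failing fast is safer than a silent downgrade; one line before the final exec would do: `[ "${UPLOAD_MODE:-}" = "true" ] && { echo "UPLOAD_MODE is no longer supported" >&2; exit 1; }`. The default sshd config the image now always uses is not part of this diff, so I cannot confirm it carries the same KexAlgorithms/Ciphers/MACs restrictions the deleted file had; worth checking before merging. The `for path` loop's body continues outside the first hunk, and its `basename $path` and `-u $uid $user` expansions are unquoted, though that is pre-existing context rather than something this commit changes.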
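--- a/ssh-bastion/etc/ssh/sshd_upload_config
+++ /dev/null
@@ -1,94 +0,0 @@
-# vim:set ft=sshdconfig
-
-HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ed25519_key
-
-# By default SSH attempts to chdir to the logged-in user's home directory. The
-# vast majority of users won't have a home directory on the machine, so
-# suppress the warning with a chroot.
-ChrootDirectory /srv/data/%u
-
-Subsystem sftp internal-sftp
-
-# No users will have home directories and all configs are under control of the
-# admin who mounts them from outside of this docker container so there is no
-# need to check modes and in-fact enabling this will cause failures.
-StrictModes no
-
-Protocol 2
-
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 4321
-
-SyslogFacility AUTH
-LogLevel INFO
-PidFile /var/run/sshd.pid
-
-PubkeyAuthentication yes
-HostbasedAuthentication no
-IgnoreRhosts yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
-
-UsePAM yes
-PermitRootLogin no
-ChallengeResponseAuthentication yes
-AuthenticationMethods publickey
-
-# Limit the number of authentication attemps per connection. SSH will log
-# failues once attempts reach half this number so this should also log all
-# authentication failures as well.
-PermitTTY no
-MaxAuthTries 2
-ForceCommand internal-sftp
-
-# This turns off reverse lookups of the originating host which hang sshd on DNS
-# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
-# files which must be converted to dotted quad ip addrs.
-UseDNS no
-
-# By default SSH doesn't accept any environment variables from the client. But
-# we use this specific variable to pass robot user authentication tokens into
-# the system.
-AcceptEnv LANG LC_*
-
-# Disconnect after this period of time if the user hasn't provided a correct
-# password.
-LoginGraceTime 120
-
-# Disconnect dead sessions after 30 minutes of inactivity. The server will send
-# a keepalive every minutes and tolerate up to 30 failures before terminating
-# the session.
-ClientAliveInterval 60
-ClientAliveCountMax 30
-
-# Don't use TCP keepalives to prevent connections from dying when a temporary
-# routing issue occurs.
-TCPKeepAlive no
-
-# Allow up to 100 simultaneous unauthenticated connections. Any connections
-# beyond that limit will be dropped.
-MaxStartups 100
-
-# The maxiumum number of sessions which can be served on one multi-plexing
-# connection. ssh does not fail gracefully when this number is exceeded, so we
-# keep it high.
-MaxSessions 100
-
-X11Forwarding no
-PrintMotd no
-
-# Used hardened crypto algorithms
-#
-# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# And also: https://access.redhat.com/discussions/3121481
-# And also: https://infosec.mozilla.org/guidelines/openssh
-# Validated by: https://sshcheck.com/
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-# PhotoSync requires ssh-rsa mode
-HostKeyAlgorithms ssh-rsa,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
-# These may be needed for older ssh clients but use SHA1 so are discouraged
-#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com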