author | Mike Crute <mcrute@gmail.com> | 2017-01-21 20:34:22 -0800 |
---|---|---|
committer | Mike Crute <mcrute@gmail.com> | 2017-01-21 20:34:22 -0800 |
commit | 81fcfe8954a81deaa8702cd02831b256d9ade47c (patch) | |
tree | e2f38371891743549a546ccff5f019b9b87814e9 /ssh-bastion | |
parent | 76ce4d1311a052ecd25910f4c44e472cac9016a6 (diff) | |
Add multiple programs
Diffstat (limited to 'ssh-bastion')
-rw-r--r-- | ssh-bastion/Dockerfile | 22 | ||||
-rw-r--r-- | ssh-bastion/Makefile | 8 | ||||
-rwxr-xr-x | ssh-bastion/entrypoint.sh | 20 | ||||
-rw-r--r-- | ssh-bastion/etc/sshd-pam | 60 | ||||
-rw-r--r-- | ssh-bastion/etc/sshd_config | 78 |
5 files changed, 188 insertions, 0 deletions
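--- /dev/null
+++ b/ssh-bastion/Dockerfile
@@ -0,0 +1,22 @@
+FROM ubuntu:14.04
+MAINTAINER Michael Crute <mike@crute.us>
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+apt-get update && \
+apt-get install -y openssh-server libpam-google-authenticator && \
+mkdir /var/run/sshd && \
+chmod 700 /var/run/sshd
+
+ADD etc/sshd_config /etc/ssh/sshd_config
+ADD etc/sshd-pam /etc/pam.d/sshd
+ADD entrypoint.sh /entrypoint.sh
+
+RUN \
+apt-get clean && \
+rm -rf /var/lib/apt/lists/* && \
+rm -rf /tmp/*
+
+EXPOSE 4321
+VOLUME "/srv/ssh"
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/usr/sbin/sshd", "-D", "-e" ]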
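Review bot: The cleanup in the second RUN (`apt-get clean && rm -rf /var/lib/apt/lists/*`) runs in its own layer, so the package lists and cache written by the first RUN are already committed to the image and stay there; moving the cleanup into the first RUN's `&&` chain is what actually removes them. The three `ADD` lines copy plain local files, where `COPY` is the conventional directive because ADD's archive-extraction and URL handling are not wanted here. No `USER` directive is set, so the entrypoint and sshd run as root; the entrypoint's `useradd` appears to need that, so a comment on the CMD line such as `# runs as root: entrypoint.sh creates accounts, sshd drops privileges per session via privilege separation` would make the intent explicit.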
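--- /dev/null
+++ b/ssh-bastion/Makefile
@@ -0,0 +1,8 @@
+all:
+	docker build -t ssh-bastion .
+
+run:
+	docker run -d \
+	-p 4321:4321 \
+	-v /srv/ssh-bastion:/srv/ssh \
+	ssh-bastion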
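Review bot: `all` and `run` are command targets, not files, but are not declared phony, so a file named `all` or `run` in the directory would make them silent no-ops; add `.PHONY: all run` at the top. The image name `ssh-bastion` is repeated in both recipes; hoisting it into `IMAGE := ssh-bastion` and referencing `$(IMAGE)` keeps build and run in sync. `run` also starts the container without `--name`, so each invocation leaves a new anonymous container behind rather than replacing the previous one.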
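--- /dev/null
+++ b/ssh-bastion/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+cd /srv/ssh/users
+
+for user in *; do
+if getent passwd $user 2>&1>/dev/null; then
+echo "User $user already exists"
+continue
+fi
+
+uid=$(cat /srv/ssh/users/$user/uid)
+if [[ -z "$uid" ]]; then
+echo "No UID for $user"
+exit 1
+fi
+
+useradd -MN -s /usr/sbin/nologin -u $uid $user
+done
+
+exec "$@"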
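Review bot: The loop takes its inputs from the mounted volume and passes them on unquoted and unvalidated: each directory name becomes the `useradd` user name and the raw contents of the `uid` file become the `-u` argument, so a uid file that is non-numeric, holds `0`, or contains extra whitespace either aborts the container start or creates an account with an unintended uid, and an empty `users` directory leaves `*` unexpanded so the script tries to create a user literally named `*`. The `cd` has no failure check and the script has no `set -e`, so a missing volume path runs the loop in the wrong directory. The redirection `2>&1>/dev/null` on the `getent` line sends stderr to the original stdout and only then silences stdout, which is the reverse of the intended `>/dev/null 2>&1`. A rewrite that fails fast, uses `nullglob`, quotes every expansion and requires a positive integer uid is below.
```shell
#!/bin/bash
set -euo pipefail
shopt -s nullglob

cd /srv/ssh/users

for dir in /srv/ssh/users/*/; do
    user=$(basename "$dir")
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "User $user already exists"
        continue
    fi

    # $(...) strips trailing newlines; anything but a positive integer is rejected
    uid=$(cat "$dir/uid" 2>/dev/null || true)
    if [[ ! "$uid" =~ ^[1-9][0-9]*$ ]]; then
        echo "Invalid or missing UID for $user" >&2
        exit 1
    fi

    useradd -MN -s /usr/sbin/nologin -u "$uid" "$user"
done

exec "$@"
```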
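--- /dev/null
+++ b/ssh-bastion/etc/sshd-pam
@@ -0,0 +1,60 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+# Exclude common auth and prefer google authenticator only
+#@include common-auth
+auth [success=1 default=ignore] pam_google_authenticator.so secret=/srv/ssh/users/${USER}/totp user=root
+auth requisite pam_deny.so
+auth required pam_permit.so
+auth optional pam_cap.so
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic noupdate
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password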
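Review bot: The three-line auth stanza (`[success=1 default=ignore]` followed by `requisite pam_deny.so` and `required pam_permit.so`) is fail-closed only once you trace the jump, and the comment above it does not explain it: a success from pam_google_authenticator skips the one following rule and lands on `pam_permit`, while any other result, including a module load error or an unreadable secret file, falls through to `pam_deny`. A comment above the module line such as `# success -> skip pam_deny and permit; failure or module error -> pam_deny (fail closed)` would record that. The `user=root` option presumably makes the module read the secret as root, which determines what ownership and mode it will accept on `/srv/ssh/users/*/totp`; that expectation belongs in the same comment so volume provisioning matches it. `@include common-password` is still pulled in although sshd_config in this commit disables password authentication; if that is intentional a one-line note would stop the next reader from removing it.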
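--- /dev/null
+++ b/ssh-bastion/etc/sshd_config
@@ -0,0 +1,78 @@
+# vim:set ft=sshdconfig
+
+HostKey /srv/ssh/hostkeys/rsa_key
+HostKey /srv/ssh/hostkeys/ecdsa_key
+HostKey /srv/ssh/hostkeys/ed25519_key
+
+# By default SSH attempts to chdir to the logged-in user's home directory. The
+# vast majority of users won't have a home directory on the machine, so
+# suppress the warning with a chroot.
+ChrootDirectory /
+
+Protocol 2
+
+# Bind a port above 1024 so we can run ssh as an unpriviledged user
+Port 4321
+
+PermitTTY no
+#ForceCommand /bin/false
+
+SyslogFacility AUTH
+LogLevel INFO
+PrintLastLog yes
+
+PidFile /var/run/sshd.pid
+
+StrictModes yes
+
+AuthorizedKeysFile /srv/ssh/users/%u/ssh
+
+PubkeyAuthentication yes
+HostbasedAuthentication no
+IgnoreRhosts yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+RhostsRSAAuthentication no
+
+UsePAM yes
+UseLogin no
+PermitRootLogin no
+ChallengeResponseAuthentication yes
+AuthenticationMethods publickey,keyboard-interactive:pam
+
+# Use an unprivileged child process to accept connections and
+# authenticate the user before spinning up another process as
+# the user.
+UsePrivilegeSeparation yes
+
+# This turns off reverse lookups of the originating host which hang sshd
+# on DNS timeouts when DNS is down. This also breaks "from=" lines in
+# authorizd_keys files which must be converted to dotted quad ip addrs.
+UseDNS no
+
+# By default SSH doesn't accept any environment variables from the client. But
+# we use this specific variable to pass robot user authentication tokens into
+# the system.
+AcceptEnv LANG LC_*
+
+# Disconnect after this period of time if the user hasn't provided
+# a correct password.
+LoginGraceTime 120
+
+# After 66 seconds of inactivity, request a keep-alive from the
+# client. If they don't respond after ten requests, kill the
+# connection.
+ClientAliveInterval 66
+ClientAliveCountMax 10
+
+# Allow up to 100 simultaneous unauthenticated connections. Any
+# connections beyond that limit will be dropped.
+MaxStartups 100
+
+# The maxiumum number of sessions which can be served on one
+# multi-plexing connection. ssh does not fail gracefully when this
+# number is exceeded, so we keep it high.
+MaxSessions 100
+
+X11Forwarding no
+PrintMotd no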
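Review bot: The comment above `AcceptEnv LANG LC_*` says the accepted variable carries robot user authentication tokens, but the directive only whitelists locale variables, so either the comment is stale or the directive is missing the variable it describes; if locale is all that is intended, replace the three comment lines with `# Only accept locale variables from the client; everything else is dropped.`. The comment on `Port 4321` says the high port lets sshd run as an unprivileged user, yet the Dockerfile in this commit sets no USER, so sshd appears to start as root; reword it to say an unprivileged run is possible, or drop it. `UsePrivilegeSeparation yes` selects the non-sandboxed mode; if the packaged sshd supports the `sandbox` value, that is the stricter setting for a host that only ever serves unprivileged sessions. The `LoginGraceTime` comment refers to a "correct password" although password authentication is disabled two sections above; "completed authentication" would match the configured methods.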