Add multiple programs

author: Mike Crute <mcrute@gmail.com> 2017-01-21 20:34:22 -0800
committer: Mike Crute <mcrute@gmail.com> 2017-01-21 20:34:22 -0800
commit: 81fcfe8954a81deaa8702cd02831b256d9ade47c (patch)
tree: e2f38371891743549a546ccff5f019b9b87814e9 /ssh-bastion
parent: 76ce4d1311a052ecd25910f4c44e472cac9016a6 (diff)
download: dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.tar.bz2
dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.tar.xz
dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.zip
5 files changed, 188 insertions, 0 deletions
diff --git a/ssh-bastion/Dockerfile b/ssh-bastion/Dockerfile
new file mode 100644
index 0000000..05dade3
--- /dev/null
+++ b/ssh-bastion/Dockerfile
@@ -0,0 +1,22 @@
+FROM ubuntu:14.04
+MAINTAINER Michael Crute <mike@crute.us>
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y openssh-server libpam-google-authenticator && \
+    mkdir /var/run/sshd && \
+    chmod 700 /var/run/sshd
+ADD etc/sshd_config /etc/ssh/sshd_config
+ADD etc/sshd-pam /etc/pam.d/sshd
+ADD entrypoint.sh /entrypoint.sh
+RUN \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -rf /tmp/*
+EXPOSE 4321
+VOLUME "/srv/ssh"
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/usr/sbin/sshd", "-D", "-e" ]
diff --git a/ssh-bastion/Makefile b/ssh-bastion/Makefile
new file mode 100644
index 0000000..9090c53
--- /dev/null
+++ b/ssh-bastion/Makefile
@@ -0,0 +1,8 @@
+all:
+        docker build -t ssh-bastion .
+run:
+        docker run -d \
+                -p 4321:4321 \
+                -v /srv/ssh-bastion:/srv/ssh \
+                ssh-bastion
diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh
new file mode 100755
index 0000000..aa8a8e6
--- /dev/null
+++ b/ssh-bastion/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cd /srv/ssh/users
+for user in *; do
+    if getent passwd $user 2>&1>/dev/null; then
+        echo "User $user already exists"
+        continue
+    fi
+    uid=$(cat /srv/ssh/users/$user/uid)
+    if [[ -z "$uid" ]]; then
+        echo "No UID for $user"
+        exit 1
+    fi
+    useradd -MN -s /usr/sbin/nologin -u $uid $user
+done
+exec "$@"
diff --git a/ssh-bastion/etc/sshd-pam b/ssh-bastion/etc/sshd-pam
new file mode 100644
index 0000000..a62ba2b
--- /dev/null
+++ b/ssh-bastion/etc/sshd-pam
@@ -0,0 +1,60 @@
+# PAM configuration for the Secure Shell service
+# Standard Un*x authentication.
+# Exclude common auth and prefer google authenticator only
+#@include common-auth
+auth    [success=1 default=ignore] pam_google_authenticator.so secret=/srv/ssh/users/${USER}/totp user=root
+auth    requisite                       pam_deny.so
+auth    required                        pam_permit.so
+auth    optional                        pam_cap.so 
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+# Standard Un*x authorization.
+@include common-account
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+# Standard Un*x session setup and teardown.
+@include common-session
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
+session    optional     pam_motd.so # [1]
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+# Standard Un*x password updating.
+@include common-password
diff --git a/ssh-bastion/etc/sshd_config b/ssh-bastion/etc/sshd_config
new file mode 100644
index 0000000..dd65731
--- /dev/null
+++ b/ssh-bastion/etc/sshd_config
@@ -0,0 +1,78 @@
+# vim:set ft=sshdconfig
+HostKey /srv/ssh/hostkeys/rsa_key
+HostKey /srv/ssh/hostkeys/ecdsa_key
+HostKey /srv/ssh/hostkeys/ed25519_key
+# By default SSH attempts to chdir to the logged-in user's home directory.  The
+# vast majority of users won't have a home directory on the machine, so
+# suppress the warning with a chroot.
+ChrootDirectory /
+Protocol 2
+# Bind a port above 1024 so we can run ssh as an unpriviledged user
+Port 4321
+PermitTTY no
+#ForceCommand /bin/false
+SyslogFacility AUTH
+LogLevel INFO
+PrintLastLog yes
+PidFile /var/run/sshd.pid
+StrictModes yes
+AuthorizedKeysFile /srv/ssh/users/%u/ssh
+PubkeyAuthentication yes
+HostbasedAuthentication no
+IgnoreRhosts yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+RhostsRSAAuthentication no
+UsePAM yes
+UseLogin no
+PermitRootLogin no
+ChallengeResponseAuthentication yes
+AuthenticationMethods publickey,keyboard-interactive:pam
+# Use an unprivileged child process to accept connections and
+# authenticate the user before spinning up another process as
+# the user.
+UsePrivilegeSeparation yes
+# This turns off reverse lookups of the originating host which hang sshd
+# on DNS timeouts when DNS is down.  This also breaks "from=" lines in
+# authorizd_keys files which must be converted to dotted quad ip addrs.
+UseDNS no
+# By default SSH doesn't accept any environment variables from the client.  But
+# we use this specific variable to pass robot user authentication tokens into
+# the system.
+AcceptEnv LANG LC_*
+# Disconnect after this period of time if the user hasn't provided
+# a correct password.
+LoginGraceTime 120
+# After 66 seconds of inactivity, request a keep-alive from the
+# client.  If they don't respond after ten requests, kill the
+# connection.
+ClientAliveInterval 66
+ClientAliveCountMax 10
+# Allow up to 100 simultaneous unauthenticated connections.  Any
+# connections beyond that limit will be dropped.
+MaxStartups 100
+# The maxiumum number of sessions which can be served on one
+# multi-plexing connection. ssh does not fail gracefully when this
+# number is exceeded, so we keep it high.
+MaxSessions 100
+X11Forwarding no
+PrintMotd no
author	Mike Crute <mcrute@gmail.com>	2017-01-21 20:34:22 -0800
committer	Mike Crute <mcrute@gmail.com>	2017-01-21 20:34:22 -0800
commit	81fcfe8954a81deaa8702cd02831b256d9ade47c (patch)
tree	e2f38371891743549a546ccff5f019b9b87814e9 /ssh-bastion
parent	76ce4d1311a052ecd25910f4c44e472cac9016a6 (diff)
download	dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.tar.bz2 dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.tar.xz dockerfiles-81fcfe8954a81deaa8702cd02831b256d9ade47c.zip

diff --git a/ssh-bastion/Dockerfile b/ssh-bastion/Dockerfile new file mode 100644 index 0000000..05dade3 --- /dev/null +++ b/ssh-bastion/Dockerfile
@@ -0,0 +1,22 @@
	1	FROM ubuntu:14.04
	2	MAINTAINER Michael Crute <mike@crute.us>
	3
	4	RUN export DEBIAN_FRONTEND=noninteractive && \
	5	apt-get update && \
	6	apt-get install -y openssh-server libpam-google-authenticator && \
	7	mkdir /var/run/sshd && \
	8	chmod 700 /var/run/sshd
	9
	10	ADD etc/sshd_config /etc/ssh/sshd_config
	11	ADD etc/sshd-pam /etc/pam.d/sshd
	12	ADD entrypoint.sh /entrypoint.sh
	13
	14	RUN \
	15	apt-get clean && \
	16	rm -rf /var/lib/apt/lists/* && \
	17	rm -rf /tmp/*
	18
	19	EXPOSE 4321
	20	VOLUME "/srv/ssh"
	21	ENTRYPOINT [ "/entrypoint.sh" ]
	22	CMD [ "/usr/sbin/sshd", "-D", "-e" ]


diff --git a/ssh-bastion/Makefile b/ssh-bastion/Makefile new file mode 100644 index 0000000..9090c53 --- /dev/null +++ b/ssh-bastion/Makefile
@@ -0,0 +1,8 @@
	1	all:
	2	docker build -t ssh-bastion .
	3
	4	run:
	5	docker run -d \
	6	-p 4321:4321 \
	7	-v /srv/ssh-bastion:/srv/ssh \
	8	ssh-bastion


diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh new file mode 100755 index 0000000..aa8a8e6 --- /dev/null +++ b/ssh-bastion/entrypoint.sh
@@ -0,0 +1,20 @@
	1	#!/bin/bash
	2
	3	cd /srv/ssh/users
	4
	5	for user in *; do
	6	if getent passwd $user 2>&1>/dev/null; then
	7	echo "User $user already exists"
	8	continue
	9	fi
	10
	11	uid=$(cat /srv/ssh/users/$user/uid)
	12	if [[ -z "$uid" ]]; then
	13	echo "No UID for $user"
	14	exit 1
	15	fi
	16
	17	useradd -MN -s /usr/sbin/nologin -u $uid $user
	18	done
	19
	20	exec "$@"


diff --git a/ssh-bastion/etc/sshd-pam b/ssh-bastion/etc/sshd-pam new file mode 100644 index 0000000..a62ba2b --- /dev/null +++ b/ssh-bastion/etc/sshd-pam
@@ -0,0 +1,60 @@
	1	# PAM configuration for the Secure Shell service
	2
	3	# Standard Un*x authentication.
	4	# Exclude common auth and prefer google authenticator only
	5	#@include common-auth
	6	auth [success=1 default=ignore] pam_google_authenticator.so secret=/srv/ssh/users/${USER}/totp user=root
	7	auth requisite pam_deny.so
	8	auth required pam_permit.so
	9	auth optional pam_cap.so
	10
	11	# Disallow non-root logins when /etc/nologin exists.
	12	account required pam_nologin.so
	13
	14	# Uncomment and edit /etc/security/access.conf if you need to set complex
	15	# access limits that are hard to express in sshd_config.
	16	# account required pam_access.so
	17
	18	# Standard Un*x authorization.
	19	@include common-account
	20
	21	# SELinux needs to be the first session rule. This ensures that any
	22	# lingering context has been cleared. Without this it is possible that a
	23	# module could execute code in the wrong domain.
	24	session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
	25
	26	# Set the loginuid process attribute.
	27	session required pam_loginuid.so
	28
	29	# Create a new session keyring.
	30	session optional pam_keyinit.so force revoke
	31
	32	# Standard Un*x session setup and teardown.
	33	@include common-session
	34
	35	# Print the message of the day upon successful login.
	36	# This includes a dynamically generated part from /run/motd.dynamic
	37	# and a static (admin-editable) part from /etc/motd.
	38	session optional pam_motd.so motd=/run/motd.dynamic noupdate
	39	session optional pam_motd.so # [1]
	40
	41	# Print the status of the user's mailbox upon successful login.
	42	session optional pam_mail.so standard noenv # [1]
	43
	44	# Set up user limits from /etc/security/limits.conf.
	45	session required pam_limits.so
	46
	47	# Read environment variables from /etc/environment and
	48	# /etc/security/pam_env.conf.
	49	session required pam_env.so # [1]
	50	# In Debian 4.0 (etch), locale-related environment variables were moved to
	51	# /etc/default/locale, so read that as well.
	52	session required pam_env.so user_readenv=1 envfile=/etc/default/locale
	53
	54	# SELinux needs to intervene at login time to ensure that the process starts
	55	# in the proper default security context. Only sessions which are intended
	56	# to run in the user's context should be run after this.
	57	session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
	58
	59	# Standard Un*x password updating.
	60	@include common-password


diff --git a/ssh-bastion/etc/sshd_config b/ssh-bastion/etc/sshd_config new file mode 100644 index 0000000..dd65731 --- /dev/null +++ b/ssh-bastion/etc/sshd_config
@@ -0,0 +1,78 @@
	1	# vim:set ft=sshdconfig
	2
	3	HostKey /srv/ssh/hostkeys/rsa_key
	4	HostKey /srv/ssh/hostkeys/ecdsa_key
	5	HostKey /srv/ssh/hostkeys/ed25519_key
	6
	7	# By default SSH attempts to chdir to the logged-in user's home directory. The
	8	# vast majority of users won't have a home directory on the machine, so
	9	# suppress the warning with a chroot.
	10	ChrootDirectory /
	11
	12	Protocol 2
	13
	14	# Bind a port above 1024 so we can run ssh as an unpriviledged user
	15	Port 4321
	16
	17	PermitTTY no
	18	#ForceCommand /bin/false
	19
	20	SyslogFacility AUTH
	21	LogLevel INFO
	22	PrintLastLog yes
	23
	24	PidFile /var/run/sshd.pid
	25
	26	StrictModes yes
	27
	28	AuthorizedKeysFile /srv/ssh/users/%u/ssh
	29
	30	PubkeyAuthentication yes
	31	HostbasedAuthentication no
	32	IgnoreRhosts yes
	33	PasswordAuthentication no
	34	PermitEmptyPasswords no
	35	RhostsRSAAuthentication no
	36
	37	UsePAM yes
	38	UseLogin no
	39	PermitRootLogin no
	40	ChallengeResponseAuthentication yes
	41	AuthenticationMethods publickey,keyboard-interactive:pam
	42
	43	# Use an unprivileged child process to accept connections and
	44	# authenticate the user before spinning up another process as
	45	# the user.
	46	UsePrivilegeSeparation yes
	47
	48	# This turns off reverse lookups of the originating host which hang sshd
	49	# on DNS timeouts when DNS is down. This also breaks "from=" lines in
	50	# authorizd_keys files which must be converted to dotted quad ip addrs.
	51	UseDNS no
	52
	53	# By default SSH doesn't accept any environment variables from the client. But
	54	# we use this specific variable to pass robot user authentication tokens into
	55	# the system.
	56	AcceptEnv LANG LC_*
	57
	58	# Disconnect after this period of time if the user hasn't provided
	59	# a correct password.
	60	LoginGraceTime 120
	61
	62	# After 66 seconds of inactivity, request a keep-alive from the
	63	# client. If they don't respond after ten requests, kill the
	64	# connection.
	65	ClientAliveInterval 66
	66	ClientAliveCountMax 10
	67
	68	# Allow up to 100 simultaneous unauthenticated connections. Any
	69	# connections beyond that limit will be dropped.
	70	MaxStartups 100
	71
	72	# The maxiumum number of sessions which can be served on one
	73	# multi-plexing connection. ssh does not fail gracefully when this
	74	# number is exceeded, so we keep it high.
	75	MaxSessions 100
	76
	77	X11Forwarding no
	78	PrintMotd no