Convert ssh bastion to alpine

6 files changed, 63 insertions, 96 deletions

diff --git a/ssh-bastion/Dockerfile b/ssh-bastion/Dockerfile
index 05dade3..c9ded23 100644
--- a/ssh-bastion/Dockerfile
+++ b/ssh-bastion/Dockerfile
@@ -1,22 +1,17 @@
-FROM ubuntu:14.04
-MAINTAINER Michael Crute <mike@crute.us>
-
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    apt-get update && \
-    apt-get install -y openssh-server libpam-google-authenticator && \
-    mkdir /var/run/sshd && \
-    chmod 700 /var/run/sshd
-
-ADD etc/sshd_config /etc/ssh/sshd_config
-ADD etc/sshd-pam /etc/pam.d/sshd
-ADD entrypoint.sh /entrypoint.sh
+FROM alpine:edge
+LABEL maintainer="Mike Crute <mike@crute.us>"
 
+# https://wiki.alpinelinux.org/wiki/Two_Factors_Authentication_With_OpenSSH
 RUN \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /tmp/*
+    apk add --no-cache \
+        openssh-server-pam \
+        google-authenticator \
+    && cp /etc/ssh/sshd_config /etc/ssh/sshd_config.alpine \
+    && mkdir /var/run/sshd \
+    && chmod 700 /var/run/sshd
+
+ADD etc/ /etc/
+ADD entrypoint.sh /
 
-EXPOSE 4321
-VOLUME "/srv/ssh"
 ENTRYPOINT [ "/entrypoint.sh" ]
 CMD [ "/usr/sbin/sshd", "-D", "-e" ]
diff --git a/ssh-bastion/Makefile b/ssh-bastion/Makefile
index 9090c53..ffb1275 100644
--- a/ssh-bastion/Makefile
+++ b/ssh-bastion/Makefile
@@ -1,8 +1,19 @@
+REPO=575365190010.dkr.ecr.us-west-2.amazonaws.com
+IMAGE=ssh-bastion:latest-alpine
+
 all:
-        docker build -t ssh-bastion .
+        docker build -t $(IMAGE) .
+
+all-no-cache:
+        docker build --no-cache -t $(IMAGE) .
 
 run:
-        docker run -d \
+        docker run \
                 -p 4321:4321 \
-                -v /srv/ssh-bastion:/srv/ssh \
-                ssh-bastion
+                -v /home/mcrute/tmp/ssh:/srv/ssh \
+                $(IMAGE)
+
+publish:
+        eval $$(aws ecr get-login --region us-west-2)
+        docker tag $(IMAGE) $(REPO)/$(IMAGE)
+        docker push $(REPO)/$(IMAGE)
diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh
index aa8a8e6..f48a3c3 100755
--- a/ssh-bastion/entrypoint.sh
+++ b/ssh-bastion/entrypoint.sh
@@ -1,9 +1,28 @@
-#!/bin/bash
+#!/bin/sh
 
-cd /srv/ssh/users
+if [ ! -d /srv/ssh/hostkeys ]; then
+    echo "No host keys found... generating"
+    mkdir -p /srv/ssh/hostkeys
 
-for user in *; do
-    if getent passwd $user 2>&1>/dev/null; then
+    ssh-keygen -f /srv/ssh/hostkeys/rsa_key -N '' -t rsa
+    ssh-keygen -f /srv/ssh/hostkeys/ed25519_key -N '' -t ed25519
+    ssh-keygen -f /srv/ssh/hostkeys/ecdsa_key -N '' -t ecdsa
+
+    rm *.pub
+fi
+
+if [ ! -d /srv/ssh/users ]; then
+    echo "No users directory found... creating"
+    mkdir -p /srv/ssh/users
+fi
+
+for path in /srv/ssh/users/*; do
+    user=$(basename $path)
+    if [ "$user" = "*" ]; then
+        break
+    fi
+
+    if getent passwd $user 2>&1 >/dev/null; then
         echo "User $user already exists"
         continue
     fi
@@ -14,7 +33,8 @@ for user in *; do
         exit 1
     fi
 
-    useradd -MN -s /usr/sbin/nologin -u $uid $user
+    echo "Creating user ${user}(${uid})"
+    adduser -DH -s /sbin/nologin -u $uid $user
 done
 
 exec "$@"
diff --git a/ssh-bastion/etc/pam.d/sshd b/ssh-bastion/etc/pam.d/sshd
new file mode 100644
index 0000000..b0f90a4
--- /dev/null
+++ b/ssh-bastion/etc/pam.d/sshd
@@ -0,0 +1,5 @@
+account     include             base-account
+
+auth        required            pam_google_authenticator.so secret=/srv/ssh/users/${USER}/totp user=root no_strict_owner
+
+session     required            pam_unix.so 
diff --git a/ssh-bastion/etc/sshd_config b/ssh-bastion/etc/ssh/sshd_config
index 3177765..e46b5c6 100644
--- a/ssh-bastion/etc/sshd_config
+++ b/ssh-bastion/etc/ssh/sshd_config
@@ -3,11 +3,16 @@
 HostKey /srv/ssh/hostkeys/rsa_key
 HostKey /srv/ssh/hostkeys/ed25519_key
 
-# By default SSH attempts to chdir to the logged-in user's home directory.  The
+# By default SSH attempts to chdir to the logged-in user's home directory. The
 # vast majority of users won't have a home directory on the machine, so
 # suppress the warning with a chroot.
 ChrootDirectory /
 
+# No users will have home directories and all configs are under control of the
+# admin who mounts them from outside of this docker container so there is no
+# need to check modes and in-fact enabling this will cause failures.
+StrictModes no
+
 Protocol 2
 
 # Bind a port above 1024 so we can run ssh as an unpriviledged user
@@ -15,8 +20,6 @@ Port 4321
 
 SyslogFacility AUTH
 LogLevel INFO
-PrintLastLog yes
-StrictModes yes
 PidFile /var/run/sshd.pid
 
 PubkeyAuthentication yes
@@ -24,11 +27,9 @@ HostbasedAuthentication no
 IgnoreRhosts yes
 PasswordAuthentication no
 PermitEmptyPasswords no
-RhostsRSAAuthentication no
 AuthorizedKeysFile /srv/ssh/users/%u/ssh
 
 UsePAM yes
-UseLogin no
 PermitRootLogin no
 ChallengeResponseAuthentication yes
 AuthenticationMethods publickey,keyboard-interactive:pam
@@ -44,11 +45,6 @@ ForceCommand /usr/bin/nologin
 # the host but not be allowed to login or run any commands.
 MaxSessions 0
 
-# Use an unprivileged child process to accept connections and
-# authenticate the user before spinning up another process as
-# the user.
-UsePrivilegeSeparation yes
-
 # This turns off reverse lookups of the originating host which hang sshd
 # on DNS timeouts when DNS is down. This also breaks "from=" lines in
 # authorizd_keys files which must be converted to dotted quad ip addrs.
diff --git a/ssh-bastion/etc/sshd-pam b/ssh-bastion/etc/sshd-pam
deleted file mode 100644
index a62ba2b..0000000
--- a/ssh-bastion/etc/sshd-pam
+++ /dev/null
@@ -1,60 +0,0 @@
-# PAM configuration for the Secure Shell service
-
-# Standard Un*x authentication.
-# Exclude common auth and prefer google authenticator only
-#@include common-auth
-auth    [success=1 default=ignore] pam_google_authenticator.so secret=/srv/ssh/users/${USER}/totp user=root
-auth    requisite                       pam_deny.so
-auth    required                        pam_permit.so
-auth    optional                        pam_cap.so 
-
-# Disallow non-root logins when /etc/nologin exists.
-account    required     pam_nologin.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set complex
-# access limits that are hard to express in sshd_config.
-# account  required     pam_access.so
-
-# Standard Un*x authorization.
-@include common-account
-
-# SELinux needs to be the first session rule.  This ensures that any
-# lingering context has been cleared.  Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
-
-# Set the loginuid process attribute.
-session    required     pam_loginuid.so
-
-# Create a new session keyring.
-session    optional     pam_keyinit.so force revoke
-
-# Standard Un*x session setup and teardown.
-@include common-session
-
-# Print the message of the day upon successful login.
-# This includes a dynamically generated part from /run/motd.dynamic
-# and a static (admin-editable) part from /etc/motd.
-session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
-session    optional     pam_motd.so # [1]
-
-# Print the status of the user's mailbox upon successful login.
-session    optional     pam_mail.so standard noenv # [1]
-
-# Set up user limits from /etc/security/limits.conf.
-session    required     pam_limits.so
-
-# Read environment variables from /etc/environment and
-# /etc/security/pam_env.conf.
-session    required     pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
-# /etc/default/locale, so read that as well.
-session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
-
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context.  Only sessions which are intended
-# to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
-
-# Standard Un*x password updating.
-@include common-password