From 5ff75eafdd04a7b3ecdb22a18ac344f0e8b429b3 Mon Sep 17 00:00:00 2001 From: Mike Crute Date: Tue, 29 Dec 2020 02:04:26 +0000 Subject: ssh-bastion: remove photos sync --- ssh-bastion/entrypoint.sh | 24 +-------- ssh-bastion/etc/ssh/sshd_upload_config | 94 ---------------------------------- 2 files changed, 1 insertion(+), 117 deletions(-) delete mode 100644 ssh-bastion/etc/ssh/sshd_upload_config diff --git a/ssh-bastion/entrypoint.sh b/ssh-bastion/entrypoint.sh index a1dbea2..f48a3c3 100755 --- a/ssh-bastion/entrypoint.sh +++ b/ssh-bastion/entrypoint.sh @@ -16,17 +16,6 @@ if [ ! -d /srv/ssh/users ]; then mkdir -p /srv/ssh/users fi -if [ "$UPLOAD_MODE" == "true" ]; then - if [ ! -d /srv/data ]; then - mkdir /srv/data - - # SSH is extremely paranoid about chroot permissions - chown root:root /srv/data - chmod 755 /srv/data - chmod 755 /srv - fi -fi - for path in /srv/ssh/users/*; do user=$(basename $path) if [ "$user" = "*" ]; then @@ -46,17 +35,6 @@ for path in /srv/ssh/users/*; do echo "Creating user ${user}(${uid})" adduser -DH -s /sbin/nologin -u $uid $user - - if [ "$UPLOAD_MODE" == "true" ]; then - mkdir -p /srv/data/${user}/photos - chown root:root /srv/data/${user} - chmod 755 /srv/data/${user} - chown ${user}:${user} /srv/data/${user}/photos - fi done -if [ "$UPLOAD_MODE" == "true" ]; then - exec "$@" -f /etc/ssh/sshd_upload_config -else - exec "$@" -fi +exec "$@" diff --git a/ssh-bastion/etc/ssh/sshd_upload_config b/ssh-bastion/etc/ssh/sshd_upload_config deleted file mode 100644 index 7aa2ccc..0000000 --- a/ssh-bastion/etc/ssh/sshd_upload_config +++ /dev/null 
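Review bot: `user=$(basename $path)` in the first hunk and `adduser -DH -s /sbin/nologin -u $uid $user` in the second keep their expansions unquoted, so a directory name under /srv/ssh/users containing whitespace or glob characters is word-split before it reaches basename and adduser, and the commit leaves these context lines as they were. Because `$user` is taken verbatim from a directory name and becomes an account name, quoting alone is not enough; I would change the lines to `user=$(basename -- "$path")` and `adduser -DH -s /sbin/nologin -u "$uid" "$user"`, and skip anything that is not a plain account name before calling adduser, e.g. `case "$user" in *[!a-zA-Z0-9_.-]*) echo "skipping invalid user dir ${path}" >&2; continue;; esac`. The derivation of `$uid` sits between the two hunks and is not visible here, so it may need the same treatment; the loop body also starts before the second hunk. With the `-f /etc/ssh/sshd_upload_config` branch gone, the final `exec "$@"` presumably runs sshd with its default config path, so it is worth confirming that the key-exchange, cipher and MAC restrictions from the deleted file are present there too, otherwise that hardening disappears with this commit.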
@@ -1,94 +0,0 @@ -# vim:set ft=sshdconfig - -HostKey /srv/ssh/hostkeys/rsa_key -HostKey /srv/ssh/hostkeys/ed25519_key - -# By default SSH attempts to chdir to the logged-in user's home directory. The -# vast majority of users won't have a home directory on the machine, so -# suppress the warning with a chroot. -ChrootDirectory /srv/data/%u - -Subsystem sftp internal-sftp - -# No users will have home directories and all configs are under control of the -# admin who mounts them from outside of this docker container so there is no -# need to check modes and in-fact enabling this will cause failures. -StrictModes no - -Protocol 2 - -# Bind a port above 1024 so we can run ssh as an unpriviledged user -Port 4321 - -SyslogFacility AUTH -LogLevel INFO -PidFile /var/run/sshd.pid - -PubkeyAuthentication yes -HostbasedAuthentication no -IgnoreRhosts yes -PasswordAuthentication no -PermitEmptyPasswords no -AuthorizedKeysFile /srv/ssh/users/%u/ssh - -UsePAM yes -PermitRootLogin no -ChallengeResponseAuthentication yes -AuthenticationMethods publickey - -# Limit the number of authentication attemps per connection. SSH will log -# failues once attempts reach half this number so this should also log all -# authentication failures as well. -PermitTTY no -MaxAuthTries 2 -ForceCommand internal-sftp - -# This turns off reverse lookups of the originating host which hang sshd on DNS -# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys -# files which must be converted to dotted quad ip addrs. -UseDNS no - -# By default SSH doesn't accept any environment variables from the client. But -# we use this specific variable to pass robot user authentication tokens into -# the system. -AcceptEnv LANG LC_* - -# Disconnect after this period of time if the user hasn't provided a correct -# password. -LoginGraceTime 120 - -# Disconnect dead sessions after 30 minutes of inactivity. 
The server will send -# a keepalive every minutes and tolerate up to 30 failures before terminating -# the session. -ClientAliveInterval 60 -ClientAliveCountMax 30 - -# Don't use TCP keepalives to prevent connections from dying when a temporary -# routing issue occurs. -TCPKeepAlive no - -# Allow up to 100 simultaneous unauthenticated connections. Any connections -# beyond that limit will be dropped. -MaxStartups 100 - -# The maxiumum number of sessions which can be served on one multi-plexing -# connection. ssh does not fail gracefully when this number is exceeded, so we -# keep it high. -MaxSessions 100 - -X11Forwarding no -PrintMotd no - -# Used hardened crypto algorithms -# -# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html -# And also: https://access.redhat.com/discussions/3121481 -# And also: https://infosec.mozilla.org/guidelines/openssh -# Validated by: https://sshcheck.com/ -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -# PhotoSync requires ssh-rsa mode -HostKeyAlgorithms ssh-rsa,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com -# These may be needed for older ssh clients but use SHA1 so are discouraged -#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com -- cgit v1.2.3