From cb049abe19856dd3aea4552b2d46c8f0446ac8fa Mon Sep 17 00:00:00 2001
From: Moncef AOUDIA
Date: Thu, 19 Sep 2024 23:10:16 +0200
Subject: [PATCH] feat: :sparkles: add Additional SSHD configuration fix some bugs
Signed-off-by: Moncef AOUDIA
---
.dockerignore | 2 +-
.github/workflows/cd.yml | 3 ++-
.github/workflows/ci.yml | 2 +-
.gitignore | 22 +++++++++++++++++++++-
Dockerfile | 27 ++++++++++++---------------
README.md | 27 +++++++++++++++++----------
configure-ssh-user.sh | 22 +++++++++++++++++++---
7 files changed, 73 insertions(+), 32 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index ce6b2f9..2a43537 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,3 @@
 .github/
 LICENCE
-readme.md
\ No newline at end of file
+README.md
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 45dcf51..86725da 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -46,9 +46,10 @@ jobs:
 - name: Build and push to Docker Hub and GitHub Container Registry
 id: build
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: .
+ sbom: true
 push: true
 tags: |
 aoudiamoncef/ubuntu-sshd:latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a5b098..a2951cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
 ghcr.io/${{ github.repository }}/ubuntu-sshd
 - name: Build Docker image
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: .
 push: false
diff --git a/.gitignore b/.gitignore
index 9bea433..db55ff1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,22 @@
-
+.vagrant*
+bin
+docker/docker
+.*.swp
+a.out
+*.orig
+build_src
+.flymake*
+.idea
 .DS_Store
+docs/_build
+docs/_static
+docs/_templates
+.gopath/
+.dotcloud
+*.test
+bundles/
+.hg/
+.git/
+vendor/pkg/
+pyenv
+Vagrantfile
diff --git a/Dockerfile b/Dockerfile
index 7998560..21d7cb5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,24 +3,21 @@ FROM ubuntu:24.04
 # Set environment variables to avoid interactive prompts during installation
 ENV DEBIAN_FRONTEND=noninteractive
-ENV SSH_USERNAME=ubuntu
-ENV PASSWORD=changeme
+ENV SSH_USERNAME="ubuntu"
+ENV SSHD_CONFIG_ADDITIONAL=""
-# Install OpenSSH server and clean up
+# Install OpenSSH server, clean up, create directories, set permissions, and configure SSH
 RUN apt-get update \
- && apt-get install -y openssh-server iputils-ping telnet iproute2 \
+ && apt-get install -y iproute2 iputils-ping openssh-server telnet \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-# Create the privilege separation directory and fix permissions
-RUN mkdir -p /run/sshd \
- && chmod 755 /run/sshd
-
-# Check if the user exists before trying to create it
-RUN if ! id -u $SSH_USERNAME > /dev/null 2>&1; then useradd -ms /bin/bash $SSH_USERNAME; fi
-
-# Set up SSH configuration
-RUN mkdir -p /home/$SSH_USERNAME/.ssh && chown $SSH_USERNAME:$SSH_USERNAME /home/$SSH_USERNAME/.ssh \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+ && mkdir -p /run/sshd \
+ && chmod 755 /run/sshd \
+ && if ! id -u "$SSH_USERNAME" > /dev/null 2>&1; then useradd -ms /bin/bash "$SSH_USERNAME"; fi \
+ && chown -R "$SSH_USERNAME":"$SSH_USERNAME" /home/"$SSH_USERNAME" \
+ && chmod 755 /home/"$SSH_USERNAME" \
+ && mkdir -p /home/"$SSH_USERNAME"/.ssh \
+ && chown "$SSH_USERNAME":"$SSH_USERNAME" /home/"$SSH_USERNAME"/.ssh \
 && echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config \
 && echo "PermitRootLogin no" >> /etc/ssh/sshd_config
diff --git a/README.md b/README.md
index 6cb7661..f1fa7f0 100644
--- a/README.md
+++ b/README.md
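Review bot: The new `chmod 755 /home/"$SSH_USERNAME"` makes the login user's home directory world-readable; useradd's default on current Ubuntu is more restrictive (0750, as far as I recall — worth checking), and nothing in this RUN needs the wider mode because `.ssh` gets its own permissions in the runtime script, so `chmod 750 /home/"$SSH_USERNAME"` is the safer choice. The two `echo ... >> /etc/ssh/sshd_config` lines leave `PasswordAuthentication yes` and `PermitRootLogin no` at the very end of the file, and sshd keeps the first value it reads for a keyword, so any earlier setting — including a drop-in pulled in by an `Include` near the top of the stock file, if the base image ships one — silently takes precedence over them. Ending the RUN with `&& /usr/sbin/sshd -t` would at least fail the build on a malformed configuration. Note that configure-ssh-user.sh's `sed` rewrites the literal `PasswordAuthentication yes` in this file, so relocating these lines into a drop-in has to be coordinated with that script.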
@@ -1,17 +1,11 @@
-# SSH-Enabled Ubuntu Docker Image
-
-[![Docker Image CI](https://github.com/aoudiamoncef/ubuntu-sshd/actions/workflows/ci.yml/badge.svg)](https://github.com/aoudiamoncef/ubuntu-sshd/actions/workflows/ci.yml)
-[![Docker Image Deployment](https://github.com/aoudiamoncef/ubuntu-sshd/actions/workflows/cd.yml/badge.svg)](https://github.com/aoudiamoncef/ubuntu-sshd/actions/workflows/cd.yml)
-[![Docker Pulls](https://img.shields.io/docker/pulls/aoudiamoncef/ubuntu-sshd.svg)](https://hub.docker.com/r/aoudiamoncef/ubuntu-sshd)
-[![Maintenance](https://img.shields.io/badge/Maintained-Yes-green.svg)](https://github.com/aoudiamoncef/ubuntu-sshd)
-
 This Docker image provides an Ubuntu 24.04 base with SSH server enabled. It allows you to easily create SSH-accessible containers via SSH keys or with a default username and password.
 ## Usage
 ### Cloning the Repository
-To get started, clone the GitHub [repository](https://github.com/aoudiamoncef/ubuntu-sshd) containing the Dockerfile and scripts:
+To get started, clone the GitHub [repository](https://github.com/aoudiamoncef/ubuntu-sshd) containing the Dockerfile and
+scripts:
 ```bash
 git clone https://github.com/aoudiamoncef/ubuntu-sshd
@@ -31,14 +25,26 @@ docker build -t my-ubuntu-sshd:latest .
 To run a container based on the image, use the following command:
 ```bash
-docker run -d -p host-port:22 -e SSH_USERNAME=myuser -e PASSWORD=mysecretpassword -e AUTHORIZED_KEYS="$(cat path/to/authorized_keys_file)" my-ubuntu-sshd:latest
+docker run -d \
+ -p host-port:22 \
+ -e SSH_USERNAME=myuser \
+ -e SSH_PASSWORD=mysecretpassword \
+ -e AUTHORIZED_KEYS="$(cat path/to/authorized_keys_file)" \
+ -e SSHD_CONFIG_ADDITIONAL="your_additional_config" \
+ -e SSHD_CONFIG_FILE="/path/to/your/sshd_config_file" \
+ my-ubuntu-sshd:latest
 ```
 - `-d` runs the container in detached mode.
 - `-p host-port:22` maps a host port to port 22 in the container. Replace `host-port` with your desired port.
 - `-e SSH_USERNAME=myuser` sets the SSH username in the container. Replace `myuser` with your desired username.
-- `-e PASSWORD=mysecretpassword` sets the SSH user's password in the container. Replace `mysecretpassword` with your desired password.
+- `-e SSH_PASSWORD=mysecretpassword` sets the SSH user's password in the container. **This environment variable is
+ required**. Replace `mysecretpassword` with your desired password.
 - `-e AUTHORIZED_KEYS="$(cat path/to/authorized_keys_file)"` sets authorized SSH keys in the container. Replace `path/to/authorized_keys_file` with the path to your authorized_keys file.
+- `-e SSHD_CONFIG_ADDITIONAL="your_additional_config"` allows you to pass additional SSHD configuration. Replace
+ `your_additional_config` with your desired configuration.
+- `-e SSHD_CONFIG_FILE="/path/to/your/sshd_config_file"` allows you to specify a file containing additional SSHD
+ configuration. Replace `/path/to/your/sshd_config_file` with the path to your configuration file.
 - `my-ubuntu-sshd:latest` should be replaced with your Docker image's name and tag.
 ### SSH Access
@@ -55,6 +61,7 @@ ssh -p host-port myuser@localhost
 ### Note
 - If the `AUTHORIZED_KEYS` environment variable is empty when starting the container, it will still launch the SSH server, but no authorized keys will be configured. You have to mount your own authorized keys file or manually configure the keys in the container.
+- If `AUTHORIZED_KEYS` is provided, password authentication will be disabled for enhanced security.
 ## License
diff --git a/configure-ssh-user.sh b/configure-ssh-user.sh
index 9da7368..d3fa284 100644
--- a/configure-ssh-user.sh
+++ b/configure-ssh-user.sh
@@ -1,15 +1,16 @@
 #!/bin/bash
-# Set default values for SSH_USERNAME and PASSWORD if not provided
+# Set default values for SSH_USERNAME and SSH_PASSWORD if not provided
 : ${SSH_USERNAME:=ubuntu}
-: ${PASSWORD:=changeme}
+: ${SSH_PASSWORD:?"Error: SSH_PASSWORD environment variable is not set."}
+: ${SSHD_CONFIG_ADDITIONAL:=""}
 # Create the user with the provided username and set the password
 if id "$SSH_USERNAME" &>/dev/null; then
 echo "User $SSH_USERNAME already exists"
 else
 useradd -ms /bin/bash "$SSH_USERNAME"
- echo "$SSH_USERNAME:$PASSWORD" | chpasswd
+ echo "$SSH_USERNAME:$SSH_PASSWORD" | chpasswd
 echo "User $SSH_USERNAME created with the provided password"
 fi
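Review bot: `SSH_PASSWORD` becomes mandatory at the top of configure-ssh-user.sh, but it is only applied inside the `else` branch of `if id "$SSH_USERNAME"`; the Dockerfile's RUN step already runs `useradd` for `$SSH_USERNAME` at build time, so for the default user `id` succeeds at container start, the `else` branch is skipped, and the required password is never set even though the README now says it sets the user's password. Set the password whether or not the account already existed by moving the `chpasswd` line after the `fi`, e.g. `printf '%s:%s\n' "$SSH_USERNAME" "$SSH_PASSWORD" | chpasswd` (printf also stops `echo` from mangling a password that begins with `-`). Separately, insisting on `SSH_PASSWORD` even when `AUTHORIZED_KEYS` is supplied forces key-only deployments to put an unused password into the container environment, where `docker inspect` exposes it; consider requiring it only when `AUTHORIZED_KEYS` is empty. The new `: ${SSH_PASSWORD:?...}` and `: ${SSHD_CONFIG_ADDITIONAL:=""}` lines are unquoted expansions; `: "${SSH_PASSWORD:?...}"` is the shellcheck-clean form.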
@@ -21,7 +22,22 @@ if [ -n "$AUTHORIZED_KEYS" ]; then
 chmod 700 /home/$SSH_USERNAME/.ssh
 chmod 600 /home/$SSH_USERNAME/.ssh/authorized_keys
 echo "Authorized keys set for user $SSH_USERNAME"
+ # Disable password authentication if authorized keys are provided
+ sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+fi
+
+# Apply additional SSHD configuration if provided
+if [ -n "$SSHD_CONFIG_ADDITIONAL" ]; then
+ echo "$SSHD_CONFIG_ADDITIONAL" >> /etc/ssh/sshd_config
+ echo "Additional SSHD configuration applied"
+fi
+
+# Apply additional SSHD configuration from a file if provided
+if [ -n "$SSHD_CONFIG_FILE" ] && [ -f "$SSHD_CONFIG_FILE" ]; then
+ cat "$SSHD_CONFIG_FILE" >> /etc/ssh/sshd_config
+ echo "Additional SSHD configuration from file applied"
 fi
 # Start the SSH server
+echo "Starting SSH server..."
 exec /usr/sbin/sshd -D
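Review bot: Both `SSHD_CONFIG_ADDITIONAL` and `SSHD_CONFIG_FILE` are appended after the `PasswordAuthentication`/`PermitRootLogin` lines the Dockerfile already placed at the end of `/etc/ssh/sshd_config`, and sshd keeps the first value it reads for each keyword, so user-supplied directives that repeat those keywords (outside a `Match` block) are silently ignored — the README should say so, or the additional configuration should be written ahead of them. The `>>` appends also run on every container start, so a restarted container accumulates duplicate copies of the extra configuration; writing the runtime additions to a single file with `>` instead of appending would make the step idempotent. `echo "$SSHD_CONFIG_ADDITIONAL"` should be `printf '%s\n'` so content beginning with `-n`/`-e` is written verbatim, and a set-but-missing `SSHD_CONFIG_FILE` is currently skipped without any message. Finally, validating with `/usr/sbin/sshd -t` before the `exec` turns a typo in the injected configuration into a clear startup error rather than a terse sshd exit.
```shell
# Apply additional SSHD configuration if provided
if [ -n "$SSHD_CONFIG_ADDITIONAL" ]; then
  printf '%s\n' "$SSHD_CONFIG_ADDITIONAL" >> /etc/ssh/sshd_config
  echo "Additional SSHD configuration applied"
fi

# Apply additional SSHD configuration from a file if provided
if [ -n "$SSHD_CONFIG_FILE" ]; then
  if [ -f "$SSHD_CONFIG_FILE" ]; then
    cat "$SSHD_CONFIG_FILE" >> /etc/ssh/sshd_config
    echo "Additional SSHD configuration from file applied"
  else
    echo "Warning: SSHD_CONFIG_FILE=$SSHD_CONFIG_FILE is not a regular file, ignoring" >&2
  fi
fi

# Refuse to start on an invalid configuration instead of letting sshd die with a terse error
/usr/sbin/sshd -t || { echo "Invalid sshd configuration, not starting" >&2; exit 1; }

# … unchanged: "Starting SSH server..." message and exec …
```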