commit 40486809cafcc0d87fac544a26a90e2875cd23bf Author: Knut Ahlers Date: Sun Nov 16 16:42:55 2014 +0100 Initial version diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..0a43a8b --- /dev/null +++ b/Dockerfile @@ -0,0 +1,16 @@ +FROM ubuntu:14.04 +MAINTAINER Knut Ahlers + +ENV USER share +ENV PASS changeme + +RUN apt-get update && \ + apt-get install -y openssh-server mcrypt + +ADD start.sh /usr/local/bin/start.sh +ADD sshd_config /etc/ssh/sshd_config + +VOLUME ["/data"] +EXPOSE 22 + +ENTRYPOINT ["/bin/bash", "/usr/local/bin/start.sh"] diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..5a821d8 --- /dev/null +++ b/sshd_config @@ -0,0 +1,75 @@ +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin no +StrictModes yes + +RSAAuthentication no +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication yes + +X11Forwarding no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog no +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes diff --git a/start.sh b/start.sh new file mode 100644 index 0000000..3e2522b --- /dev/null +++ b/start.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +ENC_PASS=$(perl -e 'print crypt($ARGV[0], "password")' ${PASS}) + +if ( id ${USER} ); then + echo "FATAL: User ${USER} already exists" + exit 1 +fi + +useradd -d /data -m -p ${ENC_PASS} -s /bin/false ${USER} + +exec /usr/sbin/sshd