feat: sshd: allow shell optional

.github/workflows/pkgs-build.yaml

@@ -15,6 +15,6 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Build Packages
         run: |
-           build/linuxkit pkg build -network -org jclab pkg/securekit-sftpd
+           build/linuxkit pkg build -network -org jclab pkg/securekit-sshd
            build/linuxkit pkg build -network -org jclab pkg/securekit-disk
 

.github/workflows/pkgs-publish.yaml

@@ -23,6 +23,6 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build Packages
         run: |
-           build/linuxkit pkg push -disable-content-trust -network -org jclab pkg/securekit-sftpd
+           build/linuxkit pkg push -disable-content-trust -network -org jclab pkg/securekit-sshd
            build/linuxkit pkg push -disable-content-trust -network -org jclab pkg/securekit-disk
 

docs/quick-start.md

@@ -22,7 +22,7 @@ $ cp scripts/efi-sign.sh.in scripts/efi-sign.sh
 ### 4. Build linuxkit image
 
 ```bash
-$ linuxkit pkg build -network -org jclab pkg/securekit-sftpd
+$ linuxkit pkg build -network -org jclab pkg/securekit-sshd
 $ linuxkit pkg build -network -org jclab pkg/securekit-disk
 
 $ cd example

example/example.yml

@@ -30,12 +30,10 @@ onboot:
     binds:
       - /dev:/dev
       - /var:/var
-      - /root/.ssh/authorized_keys:/manager_authorized_keys:ro
       - /fs_protector_key.public.asc:/fs_protector_key.public.asc:ro
-      - /tpm-issuers.pem:/tpm-issuers.pem:ro
   # NEEDED FOR KEY BACKUP
-  - name: init-sftpd
-    image: jclab/securekit-sftpd:latest
+  - name: init-sshd
+    image: jclab/securekit-sshd:latest
     command: ["/usr/bin/init-ssh.sh", "/var/storage"]
     binds:
       - /var/storage:/var/storage
@@ -57,21 +55,16 @@ services:
     image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
 
   # NEEDED FOR KEY BACKUP
-  - name: sftpd
-    image: jclab/securekit-sftpd:latest
+  - name: sshd
+    image: jclab/securekit-sshd:latest
     binds:
       - /etc/resolv.conf:/etc/resolv.conf:ro
       - /var/storage/etc/ssh:/etc/ssh:ro
-      - /root/.ssh:/root/.ssh
-      - /var/log:/root/log:ro
-      - /var/boot:/root/boot:ro
-    capabilities:
-      - CAP_NET_BIND_SERVICE
-      - CAP_SYS_CHROOT
-      - CAP_SETGID
-      - CAP_SETUID
-      - CAP_CHOWN
-
+      - /home/manager/.ssh/authorized_keys:/home/manager/.ssh/authorized_keys
+      - /var/log:/home/manager/log:ro
+      - /var/boot:/home/manager/boot:ro
+    env:
+      - ONLY_SFTP=no
   - name: getty
     image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
     env:
@@ -92,19 +85,19 @@ services:
       - /var:/var
 files:
   # SSH PUBLIC KEY FOR KEY BACKUP TO REMOTE
-  - path: /root/.ssh/authorized_keys
+  - path: /home/manager/.ssh
+    directory: true
+  - path: /home/manager/.ssh/authorized_keys
     source: authorized_keys
     mode: "0400"
     optional: false
+    gid: 1002
+    uid: 1002
   # PGP FS_PROTECTOR_KEY FOR KEY BACKUP TO LOCAL
   - path: /fs_protector_key.public.asc
     source: fs_protector_key.public.asc
     mode: "0400"
     optional: false
-  - path: /tpm-issuers.pem
-    source: tpm-issuers.pem
-    mode: "0444"
-    optional: true
 #trust:
 #  org:
 #    - linuxkit

pkg/securekit-sftpd/Dockerfile → pkg/securekit-sshd/Dockerfile

@@ -7,7 +7,8 @@ RUN apk add --no-cache --initdb -p /out  \
     musl \
     tini \
     util-linux \
-    zlib openssl
+    zlib openssl \
+    bash
 
 # Remove apk residuals
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
@@ -62,7 +63,11 @@ COPY --from=mirror /out/ /
 COPY --from=builder /out/ /
 COPY etc/ /etc/
 COPY usr/ /usr/
-RUN mkdir -p /etc/ssh /root/.ssh /var/empty && \
-    chmod +x /usr/bin/*.sh && \
-    chmod 0700 /root/.ssh
+RUN adduser -u 1002 -s /bin/bash -D manager && \
+    mkdir -m 700 -p /home/manager/.ssh && \
+    chown manager:manager -R /home/manager && \
+    chmod 700 /home/manager && \
+    mkdir -p /etc/ssh /var/empty && \
+    chmod +x /usr/bin/*.sh
+
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]

pkg/securekit-sftpd/build.yml → pkg/securekit-sshd/build.yml

@@ -1,11 +1,13 @@
-image: securekit-sftpd
+image: securekit-sshd
 config:
   binds:
-    - /root/:/root/
     - /etc/resolv.conf:/etc/resolv.conf:ro
   capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_SYS_CHROOT
     - CAP_SETGID
     - CAP_SETUID
     - CAP_CHOWN
+    - CAP_DAC_OVERRIDE
+    - CAP_KILL
+

pkg/securekit-sftpd/etc/ssh/sshd_config → pkg/securekit-sshd/etc/ssh/sshd_config.in

@@ -112,7 +112,7 @@ X11Forwarding no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
-#UseDNS no
+UseDNS no
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
@@ -143,6 +143,5 @@ Subsystem	sftp	/usr/lib/ssh/sftp-server
 #	PermitTTY no
 #	ForceCommand cvs server
 
+AllowUsers manager
 
-ChrootDirectory %h
-ForceCommand internal-sftp

pkg/securekit-sftpd/usr/bin/init-ssh.sh → pkg/securekit-sshd/usr/bin/init-ssh.sh

@@ -8,7 +8,9 @@ KEYS=$(find ${PREFIX}/etc/ssh -name 'ssh_host_*_key')
 [ -z "$KEYS" ] && ssh-keygen -A -f ${PREFIX}/
 
 if [ -n "${PREFIX}" ]; then
-    [ ! -e "${PREFIX}/etc/ssh/sshd_config" ] && cp /etc/ssh/sshd_config ${PREFIX}/etc/ssh/sshd_config
+    if [ ! -e "${PREFIX}/etc/ssh/sshd_config.in" ]; then
+        cp /etc/ssh/sshd_config.in ${PREFIX}/etc/ssh/sshd_config.in
+    fi
 fi
 
 exit 0

pkg/securekit-sshd/usr/bin/ssh.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
+[ -z "$KEYS" ] && ssh-keygen -A >/dev/null
+
+cat /etc/ssh/sshd_config.in > /tmp/sshd_config
+[ "x${ONLY_SFTP:-yes}" = "xno" ] || echo -n $'\nForceCommand internal-sftp\nChrootDirectory %h\n' >> /tmp/sshd_config
+
+exec /usr/sbin/sshd -D -e -f /tmp/sshd_config
+