Improved security
This commit is contained in:
parent
0c772ad04e
commit
3042075111
4 changed files with 39 additions and 13 deletions
12
Dockerfile
12
Dockerfile
|
@ -1,15 +1,15 @@
|
|||
FROM debian:jessie
|
||||
MAINTAINER Adrian Dvergsdal [atmoz.net]
|
||||
|
||||
# - Install packages
|
||||
# - OpenSSH needs /var/run/sshd to run
|
||||
# - Remove generic host keys, entrypoint generates unique keys
|
||||
RUN apt-get update && \
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server && \
|
||||
apt-get -y install openssh-server && \
|
||||
mkdir -p /var/run/sshd && \
|
||||
rm -f /etc/ssh/ssh_host_*key* && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Step 1: sshd needs /var/run/sshd/ to run
|
||||
# Step 2: Remove keys, they will be generated later by entrypoint
|
||||
# (unique keys for each container)
|
||||
RUN mkdir -p /var/run/sshd && \
|
||||
rm /etc/ssh/ssh_host_*key*
|
||||
|
||||
COPY sshd_config /etc/ssh/sshd_config
|
||||
COPY entrypoint /
|
||||
|
|
|
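Review bot: The new install line pulls in recommended packages, because `DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server` runs without `--no-install-recommends`; for an image whose only job is sshd that adds unrelated packages and widens the patch surface. Suggest `DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends openssh-server && \`. Removing the generic host keys in the same layer as the install is the right call, since a key left in an earlier layer would stay readable in the image history even if deleted later; the replacement keys are produced by the entrypoint, which is not part of this hunk.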
@ -116,8 +116,13 @@ if [ ! -f "$userConfFinalPath" ]; then
|
|||
createUser "$user"
|
||||
done < "$userConfFinalPath"
|
||||
|
||||
# Generate unique ssh keys for this container
|
||||
dpkg-reconfigure openssh-server
|
||||
# Generate unique ssh keys for this container, if needed
|
||||
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
|
||||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null
|
||||
fi
|
||||
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
||||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null
|
||||
fi
|
||||
fi
|
||||
|
||||
# Source custom scripts, if any
|
||||
|
|
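Review bot: Both ssh-keygen calls rely on `< /dev/null` to supply an empty passphrase instead of stating it with `-N ""`; that works because ssh-keygen falls back to stdin when no tty is present, but the intent is hidden and a change in how the entrypoint is invoked could leave the container waiting on a prompt. Suggest `ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key < /dev/null` and `ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key < /dev/null`. Neither call's exit status is checked, so if `/etc/ssh` is not writable the failure only shows up later as sshd refusing to start without host keys; unless the script runs under `set -e` (not visible here), appending `|| exit 1` to each line would make that explicit. The enclosing `if [ ! -f "$userConfFinalPath" ]` block opens before this hunk.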
19
sshd_config
19
sshd_config
|
@ -1,7 +1,22 @@
|
|||
# Secure defaults
|
||||
# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
Protocol 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
# Faster connection
|
||||
# See: https://github.com/atmoz/sftp/issues/11
|
||||
UseDNS no
|
||||
|
||||
# Limited access
|
||||
PermitRootLogin no
|
||||
Subsystem sftp internal-sftp
|
||||
ChrootDirectory %h
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
|
||||
# Force sftp and chroot jail
|
||||
Subsystem sftp internal-sftp
|
||||
ForceCommand internal-sftp
|
||||
ChrootDirectory %h
|
||||
|
||||
# Enable this for more logs
|
||||
#LogLevel VERBOSE
|
||||
|
|
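Review bot: The `# Secure defaults` block adopts only the host-key part of the linked guide; `Protocol 2` and the two `HostKey` lines leave the base image's defaults for `KexAlgorithms`, `Ciphers` and `MACs` untouched, so the key-exchange and cipher hardening the guide is mostly about is not applied here. Consider adding those three directives from the guide, checking each algorithm against the OpenSSH version the base image ships. With `ForceCommand internal-sftp` in place, `AllowAgentForwarding no` and `PermitTunnel no` would round out the set next to `X11Forwarding no` and `AllowTcpForwarding no`. `ChrootDirectory %h` only works when each home directory is owned by root and not group/world writable; the entrypoint's createUser is outside this hunk, so it is worth confirming it sets those modes, otherwise logins fail with a chroot ownership error.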
12
tests/run
12
tests/run
|
@ -24,6 +24,10 @@ fi
|
|||
function beforeTest() {
|
||||
if [ "$build" == "build" ]; then
|
||||
docker build --pull=true --tag "$sftpImageName" "$buildDir"
|
||||
if [ $? -gt 0 ]; then
|
||||
echo "Build failed"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Private key can not be read by others
|
||||
|
@ -41,7 +45,7 @@ function beforeTest() {
|
|||
--expose 22 \
|
||||
-d "$sftpImageName" \
|
||||
> "$redirect"
|
||||
sleep 1 # wait for sftp server to get ready
|
||||
sleep 2 # wait for sftp server to get ready
|
||||
}
|
||||
|
||||
function afterTest() {
|
||||
|
@ -76,6 +80,8 @@ function runSftpCommands() {
|
|||
-oUserKnownHostsFile=/dev/null \
|
||||
-b - $user@$ip \
|
||||
> "$redirect" 2>&1
|
||||
|
||||
sleep 1 # wait for command to finish
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
|
@ -90,7 +96,7 @@ function testMinimalContainerStart() {
|
|||
-d "$sftpImageName" \
|
||||
minimal \
|
||||
> "$redirect"
|
||||
sleep 1
|
||||
sleep 2
|
||||
|
||||
ps="$(docker ps -q -f name="$tmpContainerName")"
|
||||
assertNotEqual "$ps" ""
|
||||
|
@ -157,7 +163,7 @@ function testCustomContainerStart() {
|
|||
-d "$sftpImageName" \
|
||||
custom:123 \
|
||||
> "$redirect"
|
||||
sleep 1
|
||||
sleep 2
|
||||
|
||||
ps="$(docker ps -q -f name="$tmpContainerName")"
|
||||
assertNotEqual "$ps" ""
|
||||
|
|
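Review bot: In beforeTest the build result is tested through `if [ $? -gt 0 ]` on the line after `docker build`, which is fragile (any command inserted between the two changes what `$?` refers to) and reads less directly than testing the command itself; suggest `if ! docker build --pull=true --tag "$sftpImageName" "$buildDir"; then` with the `$?` line dropped. The new and lengthened `sleep` waits in the later hunks (runSftpCommands, testMinimalContainerStart, testCustomContainerStart) swap one fixed delay for another; polling `docker ps` or the exposed port in a short loop would make the tests less timing-dependent, though the key generation added to the entrypoint is presumably why the extra second was needed. The `# Private key can not be read by others` comment at the end of the first hunk begins a block that continues outside the hunk.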