Improved security

2024-11-17 12:51:33 -05:00 · 2016-06-02 14:56:30 +02:00 · 2016-06-02 14:56:30 +02:00 · 3042075111
commit 3042075111
parent 0c772ad04e
4 changed files with 39 additions and 13 deletions
--- a/12
+++ b/12
@ -1,15 +1,15 @@
 FROM debian:jessie
 MAINTAINER Adrian Dvergsdal [atmoz.net]

+# - Install packages
+# - OpenSSH needs /var/run/sshd to run
+# - Remove generic host keys, entrypoint generates unique keys
 RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server && \
+    apt-get -y install openssh-server && \
+    mkdir -p /var/run/sshd && \
+    rm -f /etc/ssh/ssh_host_*key* && \
    rm -rf /var/lib/apt/lists/*

-# Step 1: sshd needs /var/run/sshd/ to run
-# Step 2: Remove keys, they will be generated later by entrypoint
-#         (unique keys for each container)
-RUN mkdir -p /var/run/sshd && \
-    rm /etc/ssh/ssh_host_*key*

 COPY sshd_config /etc/ssh/sshd_config
 COPY entrypoint /
--- a/9
+++ b/9
@ -116,8 +116,13 @@ if [ ! -f "$userConfFinalPath" ]; then
        createUser "$user"
    done < "$userConfFinalPath"

-    # Generate unique ssh keys for this container
-    dpkg-reconfigure openssh-server
+    # Generate unique ssh keys for this container, if needed
+    if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+        ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null
+    fi
+    if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+        ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null
+    fi
 fi

 # Source custom scripts, if any
--- a/19
+++ b/19
@ -1,7 +1,22 @@
+# Secure defaults
+# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Faster connection
+# See: https://github.com/atmoz/sftp/issues/11
 UseDNS no
+
+# Limited access
 PermitRootLogin no
-Subsystem sftp internal-sftp
-ChrootDirectory %h
 X11Forwarding no
 AllowTcpForwarding no
+
+# Force sftp and chroot jail
+Subsystem sftp internal-sftp
 ForceCommand internal-sftp
+ChrootDirectory %h
+
+# Enable this for more logs
+#LogLevel VERBOSE
--- a/tests/run
+++ b/tests/run
@ -24,6 +24,10 @@ fi
 function beforeTest() {
    if [ "$build" == "build" ]; then
        docker build --pull=true --tag "$sftpImageName" "$buildDir"
+        if [ $? -gt 0 ]; then
+            echo "Build failed"
+            exit 1
+        fi
    fi

    # Private key can not be read by others
@ -41,7 +45,7 @@ function beforeTest() {
        --expose 22 \
        -d "$sftpImageName" \
        > "$redirect"
-    sleep 1 # wait for sftp server to get ready
+    sleep 2 # wait for sftp server to get ready
 }

 function afterTest() {
@ -76,6 +80,8 @@ function runSftpCommands() {
        -oUserKnownHostsFile=/dev/null \
        -b - $user@$ip \
        > "$redirect" 2>&1
+
+    sleep 1 # wait for command to finish
 }

 ##############################################################################
@ -90,7 +96,7 @@ function testMinimalContainerStart() {
        -d "$sftpImageName" \
        minimal \
        > "$redirect"
-    sleep 1
+    sleep 2

    ps="$(docker ps -q -f name="$tmpContainerName")"
    assertNotEqual "$ps" ""
@ -157,7 +163,7 @@ function testCustomContainerStart() {
        -d "$sftpImageName" \
        custom:123 \
        > "$redirect"
-    sleep 1
+    sleep 2

    ps="$(docker ps -q -f name="$tmpContainerName")"
    assertNotEqual "$ps" ""