From 30420751110533b4853c1e13da1bcd4814a3453c Mon Sep 17 00:00:00 2001 From: Adrian Dvergsdal Date: Thu, 2 Jun 2016 14:56:30 +0200 Subject: [PATCH] Improved security --- Dockerfile | 12 ++++++------ entrypoint | 9 +++++++-- sshd_config | 19 +++++++++++++++++-- tests/run | 12 +++++++++--- 4 files changed, 39 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index c8777b4..478c439 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,15 @@ FROM debian:jessie MAINTAINER Adrian Dvergsdal [atmoz.net] +# - Install packages +# - OpenSSH needs /var/run/sshd to run +# - Remove generic host keys, entrypoint generates unique keys RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server && \ + apt-get -y install openssh-server && \ + mkdir -p /var/run/sshd && \ + rm -f /etc/ssh/ssh_host_*key* && \ rm -rf /var/lib/apt/lists/* -# Step 1: sshd needs /var/run/sshd/ to run -# Step 2: Remove keys, they will be generated later by entrypoint -# (unique keys for each container) -RUN mkdir -p /var/run/sshd && \ - rm /etc/ssh/ssh_host_*key* COPY sshd_config /etc/ssh/sshd_config COPY entrypoint / diff --git a/entrypoint b/entrypoint index aed1b12..5d5f81d 100755 --- a/entrypoint +++ b/entrypoint @@ -116,8 +116,13 @@ if [ ! -f "$userConfFinalPath" ]; then createUser "$user" done < "$userConfFinalPath" - # Generate unique ssh keys for this container - dpkg-reconfigure openssh-server + # Generate unique ssh keys for this container, if needed + if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null + fi + if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null + fi fi # Source custom scripts, if any diff --git a/sshd_config b/sshd_config index 9519289..1308c8b 100644 --- a/sshd_config +++ b/sshd_config 
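Review bot: The install step in the merged `RUN` still pulls in recommended packages, which adds software an SFTP-only image does not need; `apt-get -y install --no-install-recommends openssh-server && \` would keep the image to the server and its hard dependencies (worth confirming against tests/run). The `rm -f /etc/ssh/ssh_host_*key*` line now succeeds even when the glob matches nothing. Because the entrypoint in this commit skips generation when a key file already exists, any key left in the image would be shared by every container started from it, so the comment should state that this line is what guarantees per-container host keys. The removal of `DEBIAN_FRONTEND=noninteractive` is not explained; a short comment on why it is safe for a non-interactive build would help.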
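Review bot: The two added `ssh-keygen` calls rely on `< /dev/null` to produce an empty passphrase instead of stating it; `ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''` (and the same `-N ''` on the RSA line) removes the dependency on how stdin and the terminal are set up. If the container is started with a TTY attached, ssh-keygen may prompt on the terminal and stall startup (inferred, not shown in the hunk). The new `-f` checks also mean a host key supplied from outside the image is used as-is, so a comment such as `# Existing host keys are kept; they must be owned by root and not readable by others` would tell operators what sshd expects. The enclosing `if` block starts outside the hunk, so key generation appears to run only on the first start.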
@@ -1,7 +1,22 @@ +# Secure defaults +# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html +Protocol 2 +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key + +# Faster connection +# See: https://github.com/atmoz/sftp/issues/11 UseDNS no + +# Limited access PermitRootLogin no -Subsystem sftp internal-sftp -ChrootDirectory %h X11Forwarding no AllowTcpForwarding no + +# Force sftp and chroot jail +Subsystem sftp internal-sftp ForceCommand internal-sftp +ChrootDirectory %h + +# Enable this for more logs +#LogLevel VERBOSE diff --git a/tests/run b/tests/run index 2caa06e..44b74bf 100755 --- a/tests/run +++ b/tests/run @@ -24,6 +24,10 @@ fi function beforeTest() { if [ "$build" == "build" ]; then docker build --pull=true --tag "$sftpImageName" "$buildDir" + if [ $? -gt 0 ]; then + echo "Build failed" + exit 1 + fi fi # Private key can not be read by others @@ -41,7 +45,7 @@ function beforeTest() { --expose 22 \ -d "$sftpImageName" \ > "$redirect" - sleep 1 # wait for sftp server to get ready + sleep 2 # wait for sftp server to get ready } function afterTest() { @@ -76,6 +80,8 @@ function runSftpCommands() { -oUserKnownHostsFile=/dev/null \ -b - $user@$ip \ > "$redirect" 2>&1 + + sleep 1 # wait for command to finish } ############################################################################## @@ -90,7 +96,7 @@ function testMinimalContainerStart() { -d "$sftpImageName" \ minimal \ > "$redirect" - sleep 1 + sleep 2 ps="$(docker ps -q -f name="$tmpContainerName")" assertNotEqual "$ps" "" @@ -157,7 +163,7 @@ function testCustomContainerStart() { -d "$sftpImageName" \ custom:123 \ > "$redirect" - sleep 1 + sleep 2 ps="$(docker ps -q -f name="$tmpContainerName")" assertNotEqual "$ps" ""
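Review bot: The `# Secure defaults` block cites the secure-secure-shell guide but only sets `Protocol 2` and the two `HostKey` lines, so key exchange, cipher and MAC selection still come from whatever the packaged OpenSSH defaults to. Either pin them, e.g. `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`, `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr` and `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`, or reword the comment so it does not claim more than the file enforces. Pinning locks out older clients, so the supported client range should be noted next to those lines. Separately, `ChrootDirectory %h` only works when the home directory is owned by root and not writable by group or others; a one-line comment next to the directive would save operators a failed login.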
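Review bot: The added `if [ $? -gt 0 ]` check in `beforeTest` is detached from the command it tests, so any line later inserted between `docker build` and the check would silently change what is being tested. `if ! docker build --pull=true --tag "$sftpImageName" "$buildDir"; then` ties the two together. The failure message should go to stderr, `echo "Build failed" >&2`. `beforeTest` continues past the end of the hunk.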
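Review bot: Raising `sleep 1` to `sleep 2` at the end of `beforeTest` keeps the test dependent on a guessed start-up time, and that start-up now includes generating a 4096-bit RSA host key on first start. On a slow or loaded host this can exceed two seconds, and the following steps would then run against a server that is not yet listening. A bounded retry loop that polls until port 22 on the container accepts a connection would be deterministic and usually faster than a fixed wait. The same applies to the `sleep 2` lines added in `testMinimalContainerStart` and `testCustomContainerStart`.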
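Review bot: The `sleep 1` appended at the end of `runSftpCommands` becomes the function's last command, so the function now returns the status of `sleep` instead of the status of `sftp`. A caller that checks the return value (none is visible in this hunk) would no longer see a failed transfer. Saving the status first preserves it: `local status=$?` directly after the sftp command, then `sleep 1`, then `return "$status"`. Since `sftp -b` runs in the foreground, the comment should also state what the sleep actually waits for. The function begins outside the hunk.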