Improved security
This commit is contained in:
parent
0c772ad04e
commit
3042075111
4 changed files with 39 additions and 13 deletions
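--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,15 @@
 FROM debian:jessie
 MAINTAINER Adrian Dvergsdal [atmoz.net]
 
+# - Install packages
+# - OpenSSH needs /var/run/sshd to run
+# - Remove generic host keys, entrypoint generates unique keys
 RUN apt-get update && \
-DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server && \
+apt-get -y install openssh-server && \
+mkdir -p /var/run/sshd && \
+rm -f /etc/ssh/ssh_host_*key* && \
 rm -rf /var/lib/apt/lists/*
 
-# Step 1: sshd needs /var/run/sshd/ to run
-# Step 2: Remove keys, they will be generated later by entrypoint
-# (unique keys for each container)
-RUN mkdir -p /var/run/sshd && \
-rm /etc/ssh/ssh_host_*key*
 
 COPY sshd_config /etc/ssh/sshd_config
 COPY entrypoint /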
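Review bot: The rewritten install line drops the `DEBIAN_FRONTEND=noninteractive` that the old line carried, so the build now depends on nothing in the openssh-server dependency chain prompting through debconf; keeping the variable inline costs nothing and prevents a hung build if a later package does prompt. The same line also pulls in recommended packages, which only widens an sftp-only image. I would write `DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install openssh-server && \`. Outside this hunk's changes but worth a follow-up: the base stays `debian:jessie` with no digest pin, so rebuilds are not reproducible, and `MAINTAINER` is deprecated in favour of `LABEL`.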
@ -116,8 +116,13 @@ if [ ! -f "$userConfFinalPath" ]; then
|
||||||
createUser "$user"
|
createUser "$user"
|
||||||
done < "$userConfFinalPath"
|
done < "$userConfFinalPath"
|
||||||
|
|
||||||
# Generate unique ssh keys for this container
|
# Generate unique ssh keys for this container, if needed
|
||||||
dpkg-reconfigure openssh-server
|
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
|
||||||
|
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null
|
||||||
|
fi
|
||||||
|
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
||||||
|
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Source custom scripts, if any
|
# Source custom scripts, if any
|
||||||
|
|
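Review bot: The two new `ssh-keygen` calls obtain an empty passphrase only through `< /dev/null`, which as far as I can tell works because ssh-keygen falls back to reading the passphrase from stdin when no tty is present; passing `-N ''` states the intent explicitly and does not depend on that fallback, e.g. `ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key` and the same for the rsa line. Since the image no longer ships host keys, each fresh container generates its own and its fingerprint changes; the `[ ! -f ... ]` guards presumably let a volume mounted over /etc/ssh keep a stable key across restarts, which the comment should say so users know how to avoid the fingerprint churn: `# Generate unique ssh keys for this container, if needed (mount /etc/ssh to keep them)`. Generating a 4096-bit RSA key at every container start is also slow on low-entropy hosts, which is likely why the test sleeps grew in this commit. The enclosing `if [ ! -f "$userConfFinalPath" ]` block starts before the hunk.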
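--- a/sshd_config
+++ b/sshd_config
@@ -1,7 +1,22 @@
+# Secure defaults
+# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Faster connection
+# See: https://github.com/atmoz/sftp/issues/11
 UseDNS no
+
+# Limited access
 PermitRootLogin no
-Subsystem sftp internal-sftp
-ChrootDirectory %h
 X11Forwarding no
 AllowTcpForwarding no
+
+# Force sftp and chroot jail
+Subsystem sftp internal-sftp
 ForceCommand internal-sftp
+ChrootDirectory %h
+
+# Enable this for more logs
+#LogLevel VERBOSE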
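Review bot: `ChrootDirectory %h` in the new "Force sftp and chroot jail" section only works when each user's home directory is owned by root and not writable by group or others; sshd refuses the login otherwise, and nothing in this file tells the reader that, so I would add `# %h must be owned by root and not group/world writable, or sshd rejects the chroot`. The "Secure defaults" block pins the host key types but sets no `KexAlgorithms`, `Ciphers` or `MACs`, which the cited guide also covers; if leaving them at the server defaults is deliberate (client compatibility), a one-line comment saying so would keep the next reviewer from re-raising it. `Protocol 2` is the default on this OpenSSH and is harmless, but it belongs with that comment rather than implying the file changes anything there.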
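--- a/tests/run
+++ b/tests/run
@@ -24,6 +24,10 @@ fi
 function beforeTest() {
 if [ "$build" == "build" ]; then
 docker build --pull=true --tag "$sftpImageName" "$buildDir"
+if [ $? -gt 0 ]; then
+echo "Build failed"
+exit 1
+fi
 fi
 
 # Private key can not be read by others
@@ -41,7 +45,7 @@ function beforeTest() {
 --expose 22 \
 -d "$sftpImageName" \
 > "$redirect"
-sleep 1 # wait for sftp server to get ready
+sleep 2 # wait for sftp server to get ready
 }
 
 function afterTest() {
@@ -76,6 +80,8 @@ function runSftpCommands() {
 -oUserKnownHostsFile=/dev/null \
 -b - $user@$ip \
 > "$redirect" 2>&1
+
+sleep 1 # wait for command to finish
 }
 
 ##############################################################################
@@ -90,7 +96,7 @@ function testMinimalContainerStart() {
 -d "$sftpImageName" \
 minimal \
 > "$redirect"
-sleep 1
+sleep 2
 
 ps="$(docker ps -q -f name="$tmpContainerName")"
 assertNotEqual "$ps" ""
@@ -157,7 +163,7 @@ function testCustomContainerStart() {
 -d "$sftpImageName" \
 custom:123 \
 > "$redirect"
-sleep 1
+sleep 2
 
 ps="$(docker ps -q -f name="$tmpContainerName")"
 assertNotEqual "$ps" ""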
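Review bot: In `beforeTest` the new failure check tests `$?` on a separate line, which is fragile (any statement inserted between the build and the check silently changes what is tested) and reads better as `if ! docker build --pull=true --tag "$sftpImageName" "$buildDir"; then` followed by the existing `echo "Build failed"` and `exit 1`. The `sleep 1` to `sleep 2` bumps in the other three hunks and the new `sleep 1 # wait for command to finish` suggest the fixed waits are racing a startup that this commit made slower (host keys, including a 4096-bit RSA key, are now generated when the container starts); polling `docker logs` for sshd's listening message or the exposed port until it answers, with a bounded retry count, would make the suite deterministic rather than merely slower. `beforeTest` and the test functions continue outside their hunks.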