0
0
Fork 0
mirror of https://github.com/atmoz/sftp.git synced 2024-11-17 12:51:33 -05:00

Improved security

This commit is contained in:
Adrian Dvergsdal 2016-06-02 14:56:30 +02:00
parent 0c772ad04e
commit 3042075111
4 changed files with 39 additions and 13 deletions

View file

@ -1,15 +1,15 @@
FROM debian:jessie FROM debian:jessie
MAINTAINER Adrian Dvergsdal [atmoz.net] MAINTAINER Adrian Dvergsdal [atmoz.net]
# - Install packages
# - OpenSSH needs /var/run/sshd to run
# - Remove generic host keys, entrypoint generates unique keys
RUN apt-get update && \ RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get -y install openssh-server && \ apt-get -y install openssh-server && \
mkdir -p /var/run/sshd && \
rm -f /etc/ssh/ssh_host_*key* && \
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
# Step 1: sshd needs /var/run/sshd/ to run
# Step 2: Remove keys, they will be generated later by entrypoint
# (unique keys for each container)
RUN mkdir -p /var/run/sshd && \
rm /etc/ssh/ssh_host_*key*
COPY sshd_config /etc/ssh/sshd_config COPY sshd_config /etc/ssh/sshd_config
COPY entrypoint / COPY entrypoint /

View file

@ -116,8 +116,13 @@ if [ ! -f "$userConfFinalPath" ]; then
createUser "$user" createUser "$user"
done < "$userConfFinalPath" done < "$userConfFinalPath"
# Generate unique ssh keys for this container # Generate unique ssh keys for this container, if needed
dpkg-reconfigure openssh-server if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null
fi
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null
fi
fi fi
# Source custom scripts, if any # Source custom scripts, if any

View file

@ -1,7 +1,22 @@
# Secure defaults
# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Faster connection
# See: https://github.com/atmoz/sftp/issues/11
UseDNS no UseDNS no
# Limited access
PermitRootLogin no PermitRootLogin no
Subsystem sftp internal-sftp
ChrootDirectory %h
X11Forwarding no X11Forwarding no
AllowTcpForwarding no AllowTcpForwarding no
# Force sftp and chroot jail
Subsystem sftp internal-sftp
ForceCommand internal-sftp ForceCommand internal-sftp
ChrootDirectory %h
# Enable this for more logs
#LogLevel VERBOSE

View file

@ -24,6 +24,10 @@ fi
function beforeTest() { function beforeTest() {
if [ "$build" == "build" ]; then if [ "$build" == "build" ]; then
docker build --pull=true --tag "$sftpImageName" "$buildDir" docker build --pull=true --tag "$sftpImageName" "$buildDir"
if [ $? -gt 0 ]; then
echo "Build failed"
exit 1
fi
fi fi
# Private key can not be read by others # Private key can not be read by others
@ -41,7 +45,7 @@ function beforeTest() {
--expose 22 \ --expose 22 \
-d "$sftpImageName" \ -d "$sftpImageName" \
> "$redirect" > "$redirect"
sleep 1 # wait for sftp server to get ready sleep 2 # wait for sftp server to get ready
} }
function afterTest() { function afterTest() {
@ -76,6 +80,8 @@ function runSftpCommands() {
-oUserKnownHostsFile=/dev/null \ -oUserKnownHostsFile=/dev/null \
-b - $user@$ip \ -b - $user@$ip \
> "$redirect" 2>&1 > "$redirect" 2>&1
sleep 1 # wait for command to finish
} }
############################################################################## ##############################################################################
@ -90,7 +96,7 @@ function testMinimalContainerStart() {
-d "$sftpImageName" \ -d "$sftpImageName" \
minimal \ minimal \
> "$redirect" > "$redirect"
sleep 1 sleep 2
ps="$(docker ps -q -f name="$tmpContainerName")" ps="$(docker ps -q -f name="$tmpContainerName")"
assertNotEqual "$ps" "" assertNotEqual "$ps" ""
@ -157,7 +163,7 @@ function testCustomContainerStart() {
-d "$sftpImageName" \ -d "$sftpImageName" \
custom:123 \ custom:123 \
> "$redirect" > "$redirect"
sleep 1 sleep 2
ps="$(docker ps -q -f name="$tmpContainerName")" ps="$(docker ps -q -f name="$tmpContainerName")"
assertNotEqual "$ps" "" assertNotEqual "$ps" ""