blax-software
/
docker-bastion
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
docker-bastion/config/sshd_config

62 lines
2.4 KiB
Plaintext
Raw Permalink Normal View History

A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
# ===========================================================================
# docker-bastion — hardened sshd config
#
# Every authenticated session is routed through /etc/bastion/force-command,
feat(broker): allowlist-gated command broker mode Add a second operating mode alongside FORCE_COMMAND: the client supplies the command and it runs only if it matches a regex allowlist (ALLOWED_COMMANDS / mounted allowed-commands.list), optionally behind a trusted COMMAND_PREFIX. Matching is whole-line anchored (grep -Eqx) and multi-line requests are rejected; execution is shell-free word-split, so ; | & $() are literal args and a sloppy rule can't become injection. Works over SSH (SSH_ORIGINAL_COMMAND) and HTTP (X-Bastion-Command). FORCE_COMMAND mode is unchanged and remains the default when no allowlist is set; config is read from boot-written files since sshd does not pass the daemon env to a ForceCommand session. - scripts/bastion-broker: the allowlist gate + no-shell exec - scripts/start-container: mode detection, broker wrapper + CGI, banner - Dockerfile / config/sshd_config: wire in the broker, document env vars - examples/docker-mailserver: ready-to-run broker config + allowlist
2026-06-02 17:32:57 +00:00
# which is generated at container start. In FORCE_COMMAND mode it runs the
# fixed command; in broker mode it hands SSH_ORIGINAL_COMMAND to
# bastion-broker, which runs it only if it matches the regex allowlist.
# (The bastion user's shell is /bin/sh, not nologin — sshd invokes the
# ForceCommand as `shell -c "<cmd>"`, so nologin would break it. Security
# comes from ForceCommand + this config, not from the login shell.)
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
# ===========================================================================
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
# Host keys live in /etc/ssh/keys/ so they can survive image rebuilds via
# a named volume. start-container generates them on first boot if missing.
HostKey /etc/ssh/keys/ssh_host_ed25519_key
HostKey /etc/ssh/keys/ssh_host_rsa_key
# Privilege separation directory (Alpine default is /var/empty).
StrictModes yes
# Auth — public keys only, no passwords, no interactive prompts.
# (UsePAM is omitted: Alpine's openssh-server is built without PAM support
# and rejects the directive entirely. Without PAM compiled in, the no-PAM
# behavior is already the default — nothing to disable.)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/*.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any *.pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … | wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.
2026-05-28 10:31:51 +00:00
# Two key sources sshd consults on every auth attempt:
# 1. The boot-time merged file at /home/%u/.ssh/authorized_keys —
# populated from $AUTHORIZED_KEYS_HOST / $AUTHORIZED_KEYS_REPO file
# mounts. Static after container start.
# 2. AuthorizedKeysCommand /usr/local/bin/bastion-list-keys —
# enumerates *.pub files in $AUTHORIZED_KEYS_DIR (default
# /etc/bastion/users.d). Runs on every login, so adding or removing
# a pubkey file takes effect immediately without a container restart.
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/*.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any *.pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … | wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.
2026-05-28 10:31:51 +00:00
AuthorizedKeysCommand /usr/local/bin/bastion-list-keys
AuthorizedKeysCommandUser agent
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
# Surface reduction — no forwarding, no tunnels, no user env / rc files.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
PermitTunnel no
PermitUserEnvironment no
PermitUserRC no
# Logging.
LogLevel VERBOSE
SyslogFacility AUTH
# Belt + suspenders: applies even if per-key command="" is missing.
ForceCommand /etc/bastion/force-command