blax-software/docker-bastion

Commit Graph

Author	SHA1	Message	Date
Fabian @ Blax Software	0262f677c1	A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any .pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … \| wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.	2026-05-28 12:31:51 +02:00
Fabian @ Blax Software	86b8966130	A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.	2026-05-28 10:50:06 +02:00

Author

SHA1

Message

Date

Fabian @ Blax Software

0262f677c1

A users.d/ drop-in directory for live-read authorized keys

sshd now consults /etc/bastion/users.d/*.pub on every authentication
attempt via AuthorizedKeysCommand, so adding or removing a user
takes effect immediately without restarting the container — just
drop `alice.pub` (or any *.pub file) into the host-bound dir,
sshd picks it up on the next login.

Implementation:
- /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that
  cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per
  AuthorizedKeysCommandUser), reads world-readable pubkeys.
- sshd_config: AuthorizedKeysCommand alongside the existing
  AuthorizedKeysFile — both checked, so the boot-merged
  file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX.
- start-container: 'zero key sources' is now a WARN, not a fatal.
  Bastion comes up empty; SSH attempts fail with 'publickey denied'
  until you drop a key. Lets users `docker compose up` first and
  add keys later.

Bug fix on the way through: `grep -c` exits non-zero when no
lines match, which under `set -eu` killed the boot script
silently after '[2/5] Authorized keys...'. Switched to
`awk … | wc -l` which exits 0 cleanly on empty input.

README updated with the new source priority and env var.

2026-05-28 12:31:51 +02:00

Fabian @ Blax Software

86b8966130

A initial docker-bastion image

Minimal SSH bastion (alpine + openssh-server + docker-cli) that
authenticates by key and runs exactly one preconfigured command
(FORCE_COMMAND) per session. authorized_keys can be merged from
both a host-mounted source and a repo-mounted source. Host keys
persist via /etc/ssh/keys volume; docker socket group membership
is aligned at boot.

2026-05-28 10:50:06 +02:00

2 Commits