Update for new openssh versions

2025-04-05 16:24:05 +02:00 · 2025-04-05 16:24:05 +02:00 · 0cf6dd8730
commit 0cf6dd8730
parent c3392bb97f
4 changed files with 20 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -14,6 +14,9 @@ Ex:

 `SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`

+### ENV variables `YUBICO_API_ID`, `YUBICO_API_KEY`
+Get API ID and Key from here: [here](https://upgrade.yubico.com/getapikey/)
+
 ### Key files

 The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.
@ -28,4 +31,4 @@ The format of the `.yubi` file is your username followed by a list of the first
 myuser:cccccccgklgc:ccccccclabca:
 ```

-# [The rest of my docker-compose setup](/thomas/docker-server/)
+# [The rest of my docker-compose setup](/thomas/docker-server/)
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -1,10 +1,11 @@
 FROM hermsi/alpine-sshd:latest

-RUN apk add --no-cache \
+RUN apk add --upgrade --no-cache \
+        openssh \
        openssh-server-pam \
        yubico-pam \
        google-authenticator \
    && \
    rm -rf /var/cache/apk/*

-COPY entrypoint.sh /
+COPY entrypoint.sh /
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@ -43,7 +43,7 @@ ensure_mod() {
    G_ID="${4}"

    chmod "${MOD}" "${FILE}"
-    chown "${U_ID}"."${G_ID}" "${FILE}"
+    chown "${U_ID}":"${G_ID}" "${FILE}"
 }

 generate_passwd() {
@ -212,10 +212,15 @@ fi
 # ADDED
 #############################################

-sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
-sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+if [[ -n "${YUBICO_API_ID}" ]]; then
+  sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+  sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+
+  if ! grep -Fxq "auth sufficient pam_yubico.sh" /etc/pam.d/sshd; then
+    echo "auth [success=done default=bad] pam_yubico.so id=${YUBICO_API_ID} key=${YUBICO_API_KEY}" >> /etc/pam.d/sshd
+  fi
+fi

-echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd

 #############################################
 # END OF ADDITION
@ -224,4 +229,4 @@ echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
 echo ""

 # do not detach (-D), log to stderr (-e), passthrough other arguments
-exec /usr/sbin/sshd -D -e "$@"
+exec /usr/sbin/sshd.pam -D -e "$@"
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -1,5 +1,3 @@
-version: "3"
-
 networks:
  web:
    external: true
@ -12,6 +10,8 @@ services:
      web:
    environment:
      SSH_USERS:
+      YUBICO_API_ID:
+      YUBICO_API_KEY:
    volumes:
      - ./authorized_keys:/conf.d/authorized_keys
      - ./ssh:/etc/ssh
@ -19,4 +19,4 @@ services:
      traefik.enable: true
      traefik.tcp.services.ssh.loadbalancer.server.port: 22
      traefik.tcp.routers.ssh.rule: HostSNI(`*`)
-      traefik.tcp.routers.ssh.entrypoints: websecure
+      traefik.tcp.routers.ssh.entrypoints: websecure