From 0cf6dd873068c3c63856ce884528e86fd465e4d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Lov=C3=A9n?=
Date: Sat, 5 Apr 2025 16:24:05 +0200
Subject: [PATCH] Update for new openssh versions

---
 README.md | 5 ++++-
 build/Dockerfile | 5 +++--
 build/entrypoint.sh | 15 ++++++++++-----
 docker-compose.yaml | 6 +++---
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index e20ba07..e10dc1d 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,9 @@ Ex: `SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`
+### ENV variables `YUBICO_API_ID`, `YUBICO_API_KEY`
+Get API ID and Key from here: [here](https://upgrade.yubico.com/getapikey/)
+
 ### Key files
 The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.
@@ -28,4 +31,4 @@ The format of the `.yubi` file is your username followed by a list of the first
 myuser:cccccccgklgc:ccccccclabca:
 ```
-# [The rest of my docker-compose setup](/thomas/docker-server/)
\ No newline at end of file
+# [The rest of my docker-compose setup](/thomas/docker-server/)
diff --git a/build/Dockerfile b/build/Dockerfile
index e9e2d8f..feb73c4 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,10 +1,11 @@
 FROM hermsi/alpine-sshd:latest
-RUN apk add --no-cache \
+RUN apk add --upgrade --no-cache \
+ openssh \
 openssh-server-pam \
 yubico-pam \
 google-authenticator \
 && \
 rm -rf /var/cache/apk/*
-COPY entrypoint.sh /
\ No newline at end of file
+COPY entrypoint.sh /
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index b64b36d..8448c32 100755
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@@ -43,7 +43,7 @@ ensure_mod() {
 G_ID="${4}"
 chmod "${MOD}" "${FILE}"
- chown "${U_ID}"."${G_ID}" "${FILE}"
+ chown "${U_ID}":"${G_ID}" "${FILE}"
 }
 generate_passwd() {
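Review bot: Neither the base image nor the newly added packages are pinned in the Dockerfile hunk: `apk add --upgrade` now runs on top of `FROM hermsi/alpine-sshd:latest`, so the openssh, openssh-server-pam and yubico-pam versions that end up in the image depend on whatever is current at build time, and a regression cannot be reproduced or rolled back by rebuilding. Pin the base by tag and digest, e.g. `FROM hermsi/alpine-sshd:<tag>@sha256:<digest>` (placeholder values), and constrain the package versions (`openssh=<version>` style) or at least print `apk info -v` in the build so the shipped versions are recorded. The `rm -rf /var/cache/apk/*` step is redundant once `--no-cache` is given and can be dropped. The chown separator fix in the entrypoint hunk on this line needs nothing further.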
@@ -212,10 +212,15 @@ fi
 # ADDED
 #############################################
-sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
-sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+if [[ -n "${YUBICO_API_ID}" ]]; then
+ sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+ sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+
+ if ! grep -Fxq "auth sufficient pam_yubico.sh" /etc/pam.d/sshd; then
+ echo "auth [success=done default=bad] pam_yubico.so id=${YUBICO_API_ID} key=${YUBICO_API_KEY}" >> /etc/pam.d/sshd
+ fi
+fi
-echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
 #############################################
 # END OF ADDITION
@@ -224,4 +229,4 @@ echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
 echo ""
 # do not detach (-D), log to stderr (-e), passthrough other arguments
-exec /usr/sbin/sshd -D -e "$@"
\ No newline at end of file
+exec /usr/sbin/sshd.pam -D -e "$@"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 6853e29..867c828 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3"
-
 networks:
 web:
 external: true
@@ -12,6 +10,8 @@ services:
 web:
 environment:
 SSH_USERS:
+ YUBICO_API_ID:
+ YUBICO_API_KEY:
 volumes:
 - ./authorized_keys:/conf.d/authorized_keys
 - ./ssh:/etc/ssh
@@ -19,4 +19,4 @@ services:
 traefik.enable: true
 traefik.tcp.services.ssh.loadbalancer.server.port: 22
 traefik.tcp.routers.ssh.rule: HostSNI(`*`)
- traefik.tcp.routers.ssh.entrypoints: websecure
\ No newline at end of file
+ traefik.tcp.routers.ssh.entrypoints: websecure
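Review bot: In the entrypoint hunk at `@@ -212`, the idempotency guard `grep -Fxq "auth sufficient pam_yubico.sh" /etc/pam.d/sshd` can never match the line the next statement appends (`auth [success=done default=bad] pam_yubico.so …` has a different control field and `.so`, not `.sh`), so every restart of the same container appends one more pam_yubico line; match on the module instead, `if ! grep -Fq "pam_yubico.so" /etc/pam.d/sshd; then`. The outer test checks only `YUBICO_API_ID`, so an unset `YUBICO_API_KEY` still writes the line with an empty `key=`, and that key is what pam_yubico uses to verify the validation server's signed responses, so require both: `if [[ -n "${YUBICO_API_ID}" && -n "${YUBICO_API_KEY}" ]]; then`. The API key is also written into `/etc/pam.d/sshd`, which is normally world-readable; PAM is evaluated by sshd as root, so a `chmod 600 /etc/pam.d/sshd` after the append keeps the secret from every other local account. `[[ … ]]` needs bash and the script's shebang is outside the hunk, so confirm the interpreter is not `/bin/sh`.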