Update for new openssh versions

README.md

@@ -14,6 +14,9 @@ Ex:
 
 `SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`
 
+### ENV variables `YUBICO_API_ID`, `YUBICO_API_KEY`
+Get API ID and Key from here: [here](https://upgrade.yubico.com/getapikey/)
+
 ### Key files
 
 The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.

build/Dockerfile

@@ -1,6 +1,7 @@
 FROM hermsi/alpine-sshd:latest
 
-RUN apk add --no-cache \
+RUN apk add --upgrade --no-cache \
+        openssh \
         openssh-server-pam \
         yubico-pam \
         google-authenticator \

build/entrypoint.sh

@@ -43,7 +43,7 @@ ensure_mod() {
     G_ID="${4}"
 
     chmod "${MOD}" "${FILE}"
-    chown "${U_ID}"."${G_ID}" "${FILE}"
+    chown "${U_ID}":"${G_ID}" "${FILE}"
 }
 
 generate_passwd() {
@@ -212,10 +212,15 @@ fi
 # ADDED
 #############################################
 
+if [[ -n "${YUBICO_API_ID}" ]]; then
   sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
   sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
 
-echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
+  if ! grep -Fxq "auth sufficient pam_yubico.sh" /etc/pam.d/sshd; then
+    echo "auth [success=done default=bad] pam_yubico.so id=${YUBICO_API_ID} key=${YUBICO_API_KEY}" >> /etc/pam.d/sshd
+  fi
+fi
+
 
 #############################################
 # END OF ADDITION
@@ -224,4 +229,4 @@ echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
 echo ""
 
 # do not detach (-D), log to stderr (-e), passthrough other arguments
-exec /usr/sbin/sshd -D -e "$@"
+exec /usr/sbin/sshd.pam -D -e "$@"

docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3"
-
 networks:
   web:
     external: true
@@ -12,6 +10,8 @@ services:
       web:
     environment:
       SSH_USERS:
+      YUBICO_API_ID:
+      YUBICO_API_KEY:
     volumes:
       - ./authorized_keys:/conf.d/authorized_keys
       - ./ssh:/etc/ssh