diff --git a/Dockerfile b/Dockerfile
index c8174e9..d626067 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:"${ALPINE_VERSION}"
 LABEL maintainer="https://github.com/hermsi1337"
-ARG OPENSSH_VERSION="${OPENSSH_VERSION:-8.3_p1-r0}"
+ARG OPENSSH_VERSION="${OPENSSH_VERSION:-8.3_p1-r2}"
 ENV CONF_VOLUME="/conf.d"
 ENV OPENSSH_VERSION="${OPENSSH_VERSION}" \
 CACHED_SSH_DIRECTORY="${CONF_VOLUME}/ssh" \
@@ -18,6 +18,8 @@ RUN apk add --upgrade --no-cache \
 bash-completion \
 rsync \
 openssh=${OPENSSH_VERSION} \
+ openssh-server-pam \
+ yubico-pam \
 && \
 mkdir -p /root/.ssh "${CONF_VOLUME}" "${AUTHORIZED_KEYS_VOLUME}" \
 && \
diff --git a/entrypoint.sh b/entrypoint.sh
index 8a76954..ec04899 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -157,6 +157,18 @@ if [[ -n "${SSH_USERS}" ]]; then
 log " set mod 0600 on ${LOCAL_AUTHORIZED_KEYS}"
 fi
+ mkdir -p "/home/${USER_NAME}/.yubico"
MOUNTED_AUTHORIZED_YUBI="${AUTHORIZED_KEYS_VOLUME}/${USER_NAME}.yubi"
LOCAL_AUTHORIZED_YUBI="/home/${USER_NAME}/.yubico/authorized_yubikeys"
+ if [[ -e "${MOUNTED_AUTHORIZED_YUBI}" ]]; then
cp "${MOUNTED_AUTHORIZED_YUBI}" "${LOCAL_AUTHORIZED_YUBI}"
log " copied ${MOUNTED_AUTHORIZED_YUBI} to ${LOCAL_AUTHORIZED_YUBI}"
ensure_mod "${LOCAL_AUTHORIZED_YUBI}" "0600" "${USER_NAME}" "${USER_GID}"
log " set mod 0600 on ${LOCAL_AUTHORIZED_YUBI}"
fi
+
+ printf "\n"
 done
@@ -168,6 +180,11 @@ else
 fi
+sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+
+echo "auth required pam_yubico.so id=16 debug" > /etc/pam.d/sshd
+
 echo ""
 # do not detach (-D), log to stderr (-e), passthrough other arguments
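Review bot: The two packages added to the `apk add` list are unpinned while `openssh=${OPENSSH_VERSION}` on the line directly above is pinned, so a rebuild can silently pull an `openssh-server-pam` that no longer matches the pinned `openssh` (on Alpine it is a subpackage built from the same source) and an arbitrary `yubico-pam`; hadolint reports this as DL3018. Pin the subpackage to the same version, `openssh-server-pam=${OPENSSH_VERSION} \`, and add an `ARG YUBICO_PAM_VERSION` used as `yubico-pam=${YUBICO_PAM_VERSION} \` so the image stays reproducible. Separately, as far as I recall Alpine ships the PAM-enabled daemon as a distinct `sshd.pam` binary next to the non-PAM `/usr/sbin/sshd`; the entrypoint's new `UsePAM yes` only takes effect — and a non-PAM sshd will refuse to start with it — if the exec line (outside this diff) runs that binary, which is worth verifying before merging. The RUN instruction continues outside the hunk.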
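Review bot: `mkdir -p "/home/${USER_NAME}/.yubico"` runs unconditionally and with the entrypoint's own privileges (presumably root), so every SSH user gets a `.yubico` directory even when no `${USER_NAME}.yubi` file is mounted, and the directory's owner and mode are never set although the file placed inside it is explicitly brought to `0600` and chowned through `ensure_mod`. Move the mkdir inside the `if [[ -e "${MOUNTED_AUTHORIZED_YUBI}" ]]` branch and give the directory the same treatment, `ensure_mod "/home/${USER_NAME}/.yubico" "0700" "${USER_NAME}" "${USER_GID}"`, so the per-user token-ID list is neither listable nor readable by other accounts in the container, which appears to be what the 0600 on the file is meant to achieve. A comment above the block describing the expected content of the mounted file would also help operators: pam_yubico's authorized_yubikeys format is `<username>:<token-id>[:<token-id>...]` and, if I recall correctly, the first field has to equal the authenticating user or the entry is ignored at login — confirm against the pam_yubico version installed. The enclosing `for` loop over `SSH_USERS` starts outside the hunk.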