Add yubikey support

Dockerfile

@@ -3,7 +3,7 @@ FROM        alpine:"${ALPINE_VERSION}"
 
 LABEL       maintainer="https://github.com/hermsi1337"
 
-ARG         OPENSSH_VERSION="${OPENSSH_VERSION:-8.3_p1-r0}"
+ARG         OPENSSH_VERSION="${OPENSSH_VERSION:-8.3_p1-r2}"
 ENV         CONF_VOLUME="/conf.d"
 ENV         OPENSSH_VERSION="${OPENSSH_VERSION}" \
             CACHED_SSH_DIRECTORY="${CONF_VOLUME}/ssh" \
@@ -18,6 +18,8 @@ RUN         apk add --upgrade --no-cache \
                     bash-completion \
                     rsync \
                     openssh=${OPENSSH_VERSION} \
+                    openssh-server-pam \
+                    yubico-pam \
             && \
             mkdir -p /root/.ssh "${CONF_VOLUME}" "${AUTHORIZED_KEYS_VOLUME}" \
             && \

entrypoint.sh

@@ -157,6 +157,18 @@ if [[ -n "${SSH_USERS}" ]]; then
             log "        set mod 0600 on ${LOCAL_AUTHORIZED_KEYS}"
         fi
 
+        mkdir -p "/home/${USER_NAME}/.yubico"
+        MOUNTED_AUTHORIZED_YUBI="${AUTHORIZED_KEYS_VOLUME}/${USER_NAME}.yubi"
+        LOCAL_AUTHORIZED_YUBI="/home/${USER_NAME}/.yubico/authorized_yubikeys"
+
+        if [[ -e "${MOUNTED_AUTHORIZED_YUBI}" ]]; then
+            cp "${MOUNTED_AUTHORIZED_YUBI}" "${LOCAL_AUTHORIZED_YUBI}"
+            log "        copied ${MOUNTED_AUTHORIZED_YUBI} to ${LOCAL_AUTHORIZED_YUBI}"
+            ensure_mod "${LOCAL_AUTHORIZED_YUBI}" "0600" "${USER_NAME}" "${USER_GID}"
+            log "        set mod 0600 on ${LOCAL_AUTHORIZED_YUBI}"
+        fi
+
+
         printf "\n"
 
     done
@@ -168,6 +180,11 @@ else
 
 fi
 
+sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
+sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
+
+echo "auth required pam_yubico.so id=16 debug" > /etc/pam.d/sshd
+
 echo ""
 
 # do not detach (-D), log to stderr (-e), passthrough other arguments