From 6f1544c7f0a99b5f055baf5473c35ce401b31690 Mon Sep 17 00:00:00 2001
From: Dennis Hermsmeier
Date: Sat, 1 Dec 2018 15:31:55 +0100
Subject: [PATCH 1/3] enable keypair auth and some refactoring
---
 .travis.yml | 36 ++++++++++++++++++++++++++++++++++++
 Dockerfile | 27 +++++++++++++++------------
 README.md | 14 +++++++++++++-
 entrypoint.sh | 16 +++++++++++++---
 4 files changed, 77 insertions(+), 16 deletions(-)
 create mode 100644 .travis.yml
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..456a4ca
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,36 @@
+sudo: required
+
+language: bash
+
+addons:
+ apt:
+ packages:
+ - docker-ce
+ - w3m
+
+env:
+ global:
+ - IMAGE="alpine-sshd"
+ - IMAGE_NAME="${DOCKER_USER}/${IMAGE}"
+
+before_script:
+ - sudo sysctl -w net.ipv4.ip_forward=1
+ - docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}"
+ - export ALPINE_VERSION="3.8"
+ - export OPENSSH_VERSION="$(w3m -dump "https://pkgs.alpinelinux.org/packages?name=openssh&branch=v${ALPINE_VERSION}" | grep -m 1 "x86" | awk '{print $2}')"
+
+script: |
+ docker build \
+ --no-cache \
+ --pull \
+ --quiet \
+ --build-arg ALPINE_VERSION="${ALPINE_VERSION}" \
+ --build-arg OPENSSH_VERSION="${OPENSSH_VERSION}" \
+ --tag "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine{ALPINE_VERSION}" \
+ --tag "${IMAGE_NAME}:latest" \
+ --file "${TRAVIS_BUILD_DIR}/Dockerfile" \
+ "${TRAVIS_BUILD_DIR}"
+ if [[ "${TRAVIS_BRANCH}" == "master" ]] && [[ "${TRAVIS_PULL_REQUEST}" == "false" ]]; then
+ docker push "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine{ALPINE_VERSION}"
+ docker push "${IMAGE_NAME}:latest"
+ fi
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 8475f63..18d23c7 100644
--- a/Dockerfile
+++ b/Dockerfile
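Review bot: Both image-tag expressions read `-alpine{ALPINE_VERSION}` with no `$`, so the Alpine version is never interpolated and, as far as I know, `docker build --tag` rejects a reference containing `{`; the line should be `--tag "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine${ALPINE_VERSION}" \` and the matching `docker push` line the same. The `script: |` block runs as a single shell invocation with no `set -e`, so on a non-master branch a failed `docker build` is followed by an `if` whose false test exits 0 and the job is reported green; start the block with `set -euo pipefail`. `OPENSSH_VERSION` is scraped from an HTML page with `grep -m 1 "x86"` and never validated, so an empty or wrong match silently turns into `apk add openssh=` inside the build; add `[ -n "${OPENSSH_VERSION}" ] || exit 1` after the export.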
@@ -1,16 +1,19 @@
-FROM alpine:latest
+ARG ALPINE_VERSION=${ALPINE_VERSION:-3.8}
+FROM alpine:${ALPINE_VERSION}
-LABEL maintainer="https://github.com/hermsi1337"
+LABEL maintainer="https://github.com/hermsi1337"
-ENV ROOT_PASSWORD root
+ARG OPENSSH_VERSION=${OPENSSH_VERSION:-7.7_p1-r3}
+ENV OPENSSH_VERSION=${OPENSSH_VERSION} \
+ ROOT_PASSWORD=root \
+ KEYPAIR_LOGIN=false
-RUN apk update && apk upgrade && apk add openssh \
- && sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config \
- && echo "root:${ROOT_PASSWORD}" | chpasswd \
- && rm -rf /var/cache/apk/* /tmp/*
+ADD entrypoint.sh /
+RUN apk update && apk upgrade && apk add openssh=${OPENSSH_VERSION} \
+ && chmod +x /entrypoint.sh \
+ && mkdir -p /root/.ssh \
+ && rm -rf /var/cache/apk/* /tmp/*
-COPY entrypoint.sh /usr/local/bin/
-
-EXPOSE 22
-
-ENTRYPOINT ["entrypoint.sh"]
+EXPOSE 22
+VOLUME ["/etc/ssh"]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index fb81f48..1538b6f 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ Use this Dockerfile / -image to start a sshd-server upon a lightweight Alpine co
 * Password of "root"-user can be changed when starting the container using --env
 ### Basic Usage
+#### Authentication by password
 ```
 $ docker run --rm \
 --publish=1337:22 \
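Review bot: `ADD entrypoint.sh /` should be `COPY entrypoint.sh /`; nothing here needs ADD's archive-extraction or URL behaviour, and COPY states the intent explicitly (hadolint DL3020). `ENV ... ROOT_PASSWORD=root` keeps advertising `root` as the default credential in `docker inspect`, yet the build no longer runs `chpasswd` and the entrypoint skips `chpasswd` when the value is exactly `root`, so with the defaults the image relies on whatever password the base image ships (stock alpine has none that sshd accepts, as far as I know) and password login only works when the operator passes `--env ROOT_PASSWORD`; either default it to empty (`ROOT_PASSWORD=`) or document that `root` is no longer a working default. The `apk update && apk upgrade && apk add openssh=... && rm -rf /var/cache/apk/*` chain can use `apk add --no-cache openssh=${OPENSSH_VERSION}`, which removes the need for the manual cache cleanup.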
@@ -19,7 +20,18 @@ After the container is up you are able to ssh in it as root with the in --env pr
 ```
 $ ssh root@mydomain.tld -p 1337
 ```
-
+#### Authentication by ssh-keypair
+```
+$ docker run --rm \
+--publish=1337:22 \
+--env KEYPAIR_LOGIN=true \
+--volume /path/to/authorized_keys:/root/.ssh/authorized_keys \
+hermsi/alpine-sshd
+```
+After the container is up you are able to ssh in it as root by a keypair which matches the provided public-key in authorized_keys for "root"-user.
+```
+$ ssh root@mydomain.tld -p 1337 -i /path/to/private_key
+```
 ### Use with docker-compose
 I built this image in order to use it along with a nginx and fpm-php container for transferring files via sftp.
 If you are interested in a Dockerfile which fulfills this need: [this way](https://github.com/Hermsi1337/docker-compose/blob/master/full_php_dev_stack/docker-compose.yml)
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 1717a7a..72650b4 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -3,9 +3,19 @@
 # generate host keys if not present
 ssh-keygen -A
-# check wether a random root-password is provided
-if [ ! -z "${ROOT_PASSWORD}" ] && [ "${ROOT_PASSWORD}" != "root" ]; then
- echo "root:${ROOT_PASSWORD}" | chpasswd
+# set root login mode by password or keypair
+if [ "${KEYPAIR_LOGIN}" = "true" ] && [ -f "${HOME}/.ssh/authorized_keys" ] ; then
+ sed -i "s/#PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
+ sed -i "s/#PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
+ echo "Enabled root-login by keypair and disabled password-login"
+else
+ sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
+ set +x
+ if [ -n "${ROOT_PASSWORD}" ] && [ "${ROOT_PASSWORD}" != "root" ]; then
+ echo "root:${ROOT_PASSWORD}" | chpasswd
+ fi
+ set -x
+ echo "Enabled root-login by password"
 fi
 # do not detach (-D), log to stderr (-e), passthrough other arguments
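Review bot: The keypair branch fails open: when `KEYPAIR_LOGIN=true` but `${HOME}/.ssh/authorized_keys` is missing (or `HOME` is unset so the path is wrong), the `&&` in the `if` drops into the `else` branch and the container silently comes up with `PermitRootLogin yes` and password authentication, the opposite of what the operator asked for. The two `sed` expressions also only match the commented-out `#PermitRootLogin` / `#PasswordAuthentication` defaults; because the Dockerfile declares `/etc/ssh` a volume, a persisted config that already holds an uncommented `PermitRootLogin yes` from an earlier password-mode run is left untouched and password login stays enabled in keypair mode. I would test the file explicitly at the path the Dockerfile and README actually use (`/root/.ssh`), exit non-zero when it is absent, and anchor the substitutions with `^#?` so they rewrite either form; the `else` branch should do the same and re-enable `PasswordAuthentication yes` so switching modes on a reused volume is symmetric. A bind-mounted `authorized_keys` is additionally subject to sshd's `StrictModes` check (owned by root, not group/world-writable), which deserves a comment here since a host file owned by another uid is refused with "bad ownership or modes".
```shell
if [ "${KEYPAIR_LOGIN}" = "true" ]; then
    # fail closed: never fall back to password login when the key file is absent
    if [ ! -f /root/.ssh/authorized_keys ]; then
        echo "KEYPAIR_LOGIN=true but /root/.ssh/authorized_keys is missing" >&2
        exit 1
    fi
    # ^#? matches both the commented default and a value left by an earlier run on a reused /etc/ssh volume
    sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config
    sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    echo "Enabled root-login by keypair and disabled password-login"
else
    sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
    sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
    # … unchanged: set +x / chpasswd guard / set -x / echo …
fi
```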
From 33a3f888cb228f452a587bb620cfe99fd8cdfbec Mon Sep 17 00:00:00 2001
From: Dennis Hermsmeier
Date: Sat, 1 Dec 2018 15:34:44 +0100
Subject: [PATCH 2/3] remove debug mode
---
 entrypoint.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 72650b4..b6482f6 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -10,11 +10,9 @@ if [ "${KEYPAIR_LOGIN}" = "true" ] && [ -f "${HOME}/.ssh/authorized_keys" ] ; th
 echo "Enabled root-login by keypair and disabled password-login"
 else
 sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
- set +x
 if [ -n "${ROOT_PASSWORD}" ] && [ "${ROOT_PASSWORD}" != "root" ]; then
 echo "root:${ROOT_PASSWORD}" | chpasswd
 fi
- set -x
 echo "Enabled root-login by password"
 fi
From d3595bc61169c82d83d3d6e0d95e0a81ae08e97b Mon Sep 17 00:00:00 2001
From: Dennis Hermsmeier
Date: Sat, 1 Dec 2018 15:36:31 +0100
Subject: [PATCH 3/3] do not docker login on prs or similiar
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 456a4ca..62212aa 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,7 +15,6 @@ env:
 before_script:
 - sudo sysctl -w net.ipv4.ip_forward=1
- - docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}"
 - export ALPINE_VERSION="3.8"
 - export OPENSSH_VERSION="$(w3m -dump "https://pkgs.alpinelinux.org/packages?name=openssh&branch=v${ALPINE_VERSION}" | grep -m 1 "x86" | awk '{print $2}')"
@@ -31,6 +30,7 @@ script: |
 --file "${TRAVIS_BUILD_DIR}/Dockerfile" \
 "${TRAVIS_BUILD_DIR}"
 if [[ "${TRAVIS_BRANCH}" == "master" ]] && [[ "${TRAVIS_PULL_REQUEST}" == "false" ]]; then
+ docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}"
 docker push "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine{ALPINE_VERSION}"
 docker push "${IMAGE_NAME}:latest"
 fi
\ No newline at end of file
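Review bot: The relocated `docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}"` still hands the registry password over as a command-line argument, which the Docker CLI itself warns is insecure and which is visible in process listings and any shell trace; use `printf '%s' "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USER}" --password-stdin`. Restricting the login to the master-only branch is the right call, but nothing logs out afterwards, so the credential sits in `~/.docker/config.json` for the remainder of the job; a `docker logout` after the two pushes limits its lifetime to the push step. The enclosing `script: |` block starts before this hunk.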