enable keypair auth and some refactoring

.travis.yml

@@ -0,0 +1,36 @@
+sudo: required
+
+language: bash
+
+addons:
+  apt:
+    packages:
+      - docker-ce
+      - w3m
+
+env:
+  global:
+    - IMAGE="alpine-sshd"
+    - IMAGE_NAME="${DOCKER_USER}/${IMAGE}"
+
+before_script:
+  - sudo sysctl -w net.ipv4.ip_forward=1
+  - docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}"
+  - export ALPINE_VERSION="3.8"
+  - export OPENSSH_VERSION="$(w3m -dump "https://pkgs.alpinelinux.org/packages?name=openssh&branch=v${ALPINE_VERSION}" | grep -m 1 "x86" | awk '{print $2}')"
+
+script: |
+  docker build \
+          --no-cache \
+          --pull \
+          --quiet \
+          --build-arg ALPINE_VERSION="${ALPINE_VERSION}" \
+          --build-arg OPENSSH_VERSION="${OPENSSH_VERSION}" \
+          --tag "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine{ALPINE_VERSION}" \
+          --tag "${IMAGE_NAME}:latest" \
+          --file "${TRAVIS_BUILD_DIR}/Dockerfile" \
+          "${TRAVIS_BUILD_DIR}"
+  if [[ "${TRAVIS_BRANCH}" == "master" ]] && [[ "${TRAVIS_PULL_REQUEST}" == "false" ]]; then
+    docker push "${IMAGE_NAME}:${OPENSSH_VERSION}-alpine{ALPINE_VERSION}"
+    docker push "${IMAGE_NAME}:latest"
+  fi

Dockerfile

@@ -1,16 +1,19 @@
-FROM alpine:latest
+ARG         ALPINE_VERSION=${ALPINE_VERSION:-3.8}
+FROM        alpine:${ALPINE_VERSION}
 
-LABEL maintainer="https://github.com/hermsi1337"
+LABEL       maintainer="https://github.com/hermsi1337"
 
-ENV ROOT_PASSWORD root
+ARG         OPENSSH_VERSION=${OPENSSH_VERSION:-7.7_p1-r3}
+ENV         OPENSSH_VERSION=${OPENSSH_VERSION} \
+            ROOT_PASSWORD=root \
+            KEYPAIR_LOGIN=false
 
-RUN apk update	&& apk upgrade && apk add openssh \
-		&& sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config \
-		&& echo "root:${ROOT_PASSWORD}" | chpasswd \
-		&& rm -rf /var/cache/apk/* /tmp/*
+ADD         entrypoint.sh /
+RUN         apk update && apk upgrade && apk add openssh=${OPENSSH_VERSION} \
+		        && chmod +x /entrypoint.sh \
+		        && mkdir -p /root/.ssh \
+		        && rm -rf /var/cache/apk/* /tmp/*
 
-COPY entrypoint.sh /usr/local/bin/
-
-EXPOSE 22
-
-ENTRYPOINT ["entrypoint.sh"]
+EXPOSE      22
+VOLUME      ["/etc/ssh"]
+ENTRYPOINT  ["/entrypoint.sh"]

README.md

@@ -8,6 +8,7 @@ Use this Dockerfile / -image to start a sshd-server upon a lightweight Alpine co
 * Password of "root"-user can be changed when starting the container using --env
 
 ### Basic Usage
+#### Authentication by password
 ```
 $ docker run --rm \
 --publish=1337:22 \
@@ -19,7 +20,18 @@ After the container is up you are able to ssh in it as root with the in --env pr
 ```
 $ ssh root@mydomain.tld -p 1337
 ```
-
+#### Authentication by ssh-keypair
+```
+$ docker run --rm \
+--publish=1337:22 \
+--env KEYPAIR_LOGIN=true \
+--volume /path/to/authorized_keys:/root/.ssh/authorized_keys \
+hermsi/alpine-sshd
+```
+After the container is up you are able to ssh in it as root by a keypair which matches the provided public-key in authorized_keys for "root"-user.
+```
+$ ssh root@mydomain.tld -p 1337 -i /path/to/private_key
+```
 ### Use with docker-compose
 I built this image in order to use it along with a nginx and fpm-php container for transferring files via sftp.
 If you are interested in a Dockerfile which fulfills this need: [this way](https://github.com/Hermsi1337/docker-compose/blob/master/full_php_dev_stack/docker-compose.yml)

entrypoint.sh

@@ -3,9 +3,19 @@
 # generate host keys if not present
 ssh-keygen -A
 
-# check wether a random root-password is provided
-if [ ! -z "${ROOT_PASSWORD}" ] && [ "${ROOT_PASSWORD}" != "root" ]; then
-    echo "root:${ROOT_PASSWORD}" | chpasswd
+# set root login mode by password or keypair
+if [ "${KEYPAIR_LOGIN}" = "true" ] && [ -f "${HOME}/.ssh/authorized_keys" ] ; then
+    sed -i "s/#PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
+    sed -i "s/#PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
+    echo "Enabled root-login by keypair and disabled password-login"
+else
+    sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
+    set +x
+    if [ -n "${ROOT_PASSWORD}" ] && [ "${ROOT_PASSWORD}" != "root" ]; then
+        echo "root:${ROOT_PASSWORD}" | chpasswd
+    fi
+    set -x
+    echo "Enabled root-login by password"
 fi
 
 # do not detach (-D), log to stderr (-e), passthrough other arguments