From e02ba195a64f4b0df17145188e5560e2c1ea3c01 Mon Sep 17 00:00:00 2001
From: thespad
Date: Sun, 24 Nov 2024 19:26:15 +0000
Subject: [PATCH] Move everything out of the container filesystem into its own directories

---
 README.md | 1 +
 readme-vars.yml | 1 +
 .../s6-rc.d/init-openssh-server-config/run | 49 +++++++++++-------
 .../s6-overlay/s6-rc.d/svc-openssh-server/run | 6 ++-
 4 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 2de9ec2..e4bd09a 100644
--- a/README.md
+++ b/README.md
@@ -338,6 +338,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **24.11.24:** - Move sshd_config to /config/sshd/sshd_config.
 * **31.05.24:** - Rebase to Alpine 3.20.
 * **04.05.24:** - Display the SSH host public keys every time the container starts.
 * **09.03.24:** - Rebase to Alpine 3.19.
diff --git a/readme-vars.yml b/readme-vars.yml
index 240df5b..f568a43 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -72,6 +72,7 @@ app_setup_block: |
   The keys generated by this script are only displayed on your console output, so make sure to save them somewhere after generation.
 # changelog
 changelogs:
+  - {date: "24.11.24:", desc: "Move sshd_config to /config/sshd/sshd_config."}
   - {date: "31.05.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "04.05.24:", desc: "Display the SSH host public keys every time the container starts."}
   - {date: "09.03.24:", desc: "Rebase to Alpine 3.19."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
index 6288289..fd80244 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -3,7 +3,7 @@
 
 # create folders
 mkdir -p \
-    /config/{.ssh,ssh_host_keys,logs/openssh}
+    /config/{.ssh,logs/openssh,sshd}
 
 USER_NAME=${USER_NAME:-linuxserver.io}
 echo "User name is set to $USER_NAME"
@@ -30,15 +30,23 @@ fi
 USER_PASSWORD=${USER_PASSWORD:-$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-8}";echo;)}
 echo "${USER_NAME}:${USER_PASSWORD}" | chpasswd
 
-# symlink out ssh config directory
-if [[ ! -L /etc/ssh ]]; then
-    if [[ ! -f /config/ssh_host_keys/sshd_config ]]; then
-        sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
-        cp -a /etc/ssh/sshd_config /config/ssh_host_keys/
-    fi
-    rm -Rf /etc/ssh
-    ln -s /config/ssh_host_keys /etc/ssh
+# Migration
+if [[ -f /config/ssh_host_keys/sshd_config ]]; then
+    mv /config/ssh_host_keys/sshd_config /config/sshd/sshd_config
+    sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /config/sshd/sshd_config
+    echo "This file has been moved to /config/sshd/sshd_config" > /config/ssh_host_keys/sshd_config_README
+fi
+
+if [[ ! -f /config/sshd/sshd_config ]]; then
+    sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
+    sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /etc/ssh/sshd_config
+    cp -a /etc/ssh/sshd_config /config/sshd/sshd_config
+fi
+
+if [[ ! -d /config/ssh_host_keys ]]; then
+    mkdir -p /config/ssh_host_keys
     ssh-keygen -A
+    cp /etc/ssh/ssh_host_* /config/ssh_host_keys
 fi
 
 # display SSH host public key(s)
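Review bot: The new guard `if [[ ! -d /config/ssh_host_keys ]]` only generates host keys when the directory is missing, so a pre-existing but empty directory (a bind mount, or one left behind by an interrupted first start) yields no keys at all, whereas the removed `[[ ! -L /etc/ssh ]]` branch ran `ssh-keygen -A` on every fresh container and that command only skips key types that already exist. Testing for the key files instead, `if ! compgen -G '/config/ssh_host_keys/ssh_host_*_key' >/dev/null; then`, with the `mkdir -p` kept inside the block, restores the old "generate whatever is missing" behaviour. Separately, `ssh-keygen -A` followed by `cp` now leaves a second copy of the private host keys in `/etc/ssh` inside the container's writable layer, which the previous symlink layout avoided; an `rm -f /etc/ssh/ssh_host_*` after the copy would remove it, since the service script points sshd at the `/config` copies with `-h`.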
@@ -47,24 +55,24 @@ cat /config/ssh_host_keys/ssh_host_*.pub
 
 # custom port
 if [[ -n "${LISTEN_PORT}" ]]; then
-    sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
-    sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
+    sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
+    sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
     echo "sshd is listening on port ${LISTEN_PORT}"
 else
-    sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
-    sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
+    sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
+    sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
     echo "sshd is listening on port 2222"
 fi
 
 # password access
 if [[ "$PASSWORD_ACCESS" == "true" ]]; then
-    sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
-    sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
+    sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
+    sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
     chown root:"${USER_NAME}" \
         /etc/shadow
     echo "User/password ssh access is enabled."
 else
-    sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
+    sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /config/sshd/sshd_config
     chown root:root \
         /etc/shadow
     echo "User/password ssh access is disabled."
@@ -72,7 +80,7 @@ fi
 
 # set umask for sftp
 UMASK=${UMASK:-022}
-sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
+sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /config/sshd/sshd_config
 
 # set key auth in file
 if [[ ! -f /config/.ssh/authorized_keys ]]; then
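Review bot: In the custom-port branch `${LISTEN_PORT}` is still spliced straight into the sed replacement text, so a value containing `/`, `&` or a newline either breaks the expression or writes an unexpected `Port` line into `/config/sshd/sshd_config`, which is persisted and re-edited on every start. A guard before the two sed calls, `[[ "${LISTEN_PORT}" =~ ^[0-9]+$ ]] || { echo "LISTEN_PORT must be numeric" >&2; exit 1; }`, keeps a bad value from landing in the stored config. This is pre-existing behaviour that the commit only retargets to the new path, so it could equally be a follow-up.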
@@ -133,10 +141,9 @@ chmod 700 \
 chmod 600 \
     /config/.ssh/authorized_keys
 
-# ssh_host_keys permissions
 lsiown -R root:"${USER_NAME}" \
-    /config/ssh_host_keys
+    /config/sshd
 chmod 750 \
-    /config/ssh_host_keys
+    /config/sshd
 chmod 640 \
-    /config/ssh_host_keys/*
+    /config/sshd/sshd_config
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
index 6a3a7f8..0af0a30 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
@@ -3,6 +3,10 @@
 
 USER_NAME=${USER_NAME:-linuxserver.io}
 
+for i in /config/ssh_host_keys/ssh_host_*_key; do
+    SSH_HOST_KEYS="${SSH_HOST_KEYS} -h ${i}"
+done
+
 exec 2>&1 \
     s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${LISTEN_PORT:-2222}" \
-    s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e
+    s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config ${SSH_HOST_KEYS}
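Review bot: The `lsiown`/`chmod` block is retargeted from `/config/ssh_host_keys` to `/config/sshd` and the `# ssh_host_keys permissions` handling is dropped rather than kept alongside, yet the service script still runs sshd through `s6-setuidgid "${USER_NAME}"` and points `-h` at the private keys in `/config/ssh_host_keys`. Keys freshly created by `ssh-keygen -A` and copied with plain `cp` in the earlier hunk are written by this root-run init script and private keys are normally 0600, so unless ownership is fixed elsewhere in the script (not visible in this diff) a first start cannot read its own host keys. Keeping `lsiown -R root:"${USER_NAME}" /config/ssh_host_keys`, `chmod 750 /config/ssh_host_keys` and `chmod 640 /config/ssh_host_keys/*` next to the new `/config/sshd` block preserves the previous layout's permissions for both directories.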
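Review bot: Nothing in the hunk initialises `SSH_HOST_KEYS` before the loop appends to it, so a variable of that name in the container environment is spliced, unquoted, into the sshd command line ahead of the `-h` options, and because the glob is not guarded by `nullglob` an empty `/config/ssh_host_keys` makes the loop pass the literal pattern `-h /config/ssh_host_keys/ssh_host_*_key`, which sshd will fail on. Building the options as an array fixes both: the array starts empty regardless of the environment, each path stays one word, and `nullglob` drops an unmatched pattern so sshd falls back to the `HostKey` settings in `-f /config/sshd/sshd_config`. This assumes the script runs under bash like the init script does; its shebang is outside the hunk.
```shell
shopt -s nullglob
host_key_opts=()
for key in /config/ssh_host_keys/ssh_host_*_key; do
    host_key_opts+=(-h "${key}")
done
shopt -u nullglob

exec 2>&1 \
    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${LISTEN_PORT:-2222}" \
    s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config "${host_key_opts[@]}"
```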