Browse Source

authorize public keys in env var SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY in append-only mode

Fabian Peter Hammerle 3 years ago
parent
commit
a57c633cdd
4 changed files with 20 additions and 3 deletions
  1. 2 1
      Dockerfile
  2. 3 0
      docker-compose.yml
  3. 14 1
      entrypoint.sh
  4. 1 1
      sshd_config

+ 2 - 1
Dockerfile

@@ -4,7 +4,7 @@ ARG BORGBACKUP_PACKAGE_VERSION=1.1.15-r0
 ARG OPENSSH_SERVER_PACKAGE_VERSION=8.4_p1-r3
 ARG USER=borg
 ENV SSHD_HOST_KEYS_DIR=/etc/ssh/host_keys
-ARG REPO_PATH=/repository
+ENV REPO_PATH=/repository
 RUN apk add --no-cache \
         borgbackup="$BORGBACKUP_PACKAGE_VERSION" \
         openssh-server="$OPENSSH_SERVER_PACKAGE_VERSION" \
@@ -20,6 +20,7 @@ COPY sshd_config /etc/ssh/sshd_config
 EXPOSE 2200/tcp
 
 ENV SSH_CLIENT_PUBLIC_KEYS=
+ENV SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY=
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 

+ 3 - 0
docker-compose.yml

@@ -13,6 +13,9 @@ services:
       SSH_CLIENT_PUBLIC_KEYS: |
         ssh-rsa ...
         ssh-rsa ...
+      SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY: |
+        ssh-rsa ...
+        ssh-rsa ...
     read_only: true
     volumes:
     - type: volume

+ 14 - 1
entrypoint.sh

@@ -11,8 +11,21 @@ if [ ! -f "$SSHD_HOST_KEYS_DIR/ed25519" ]; then
 fi
 unset SSHD_HOST_KEYS_DIR
 
-printenv SSH_CLIENT_PUBLIC_KEYS > ~/.ssh/authorized_keys
+authorize_key() {
+    if echo -E "$1" | grep -q '^[a-z]'; then
+        echo "command=\"/usr/bin/borg serve --restrict-to-repository '$REPO_PATH'$2\" $1" >> ~/.ssh/authorized_keys
+    fi
+}
+printenv SSH_CLIENT_PUBLIC_KEYS | while IFS=$'\n' read -r key; do
+    authorize_key "$key" ""
+done
 unset SSH_CLIENT_PUBLIC_KEYS
+# https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode
+printenv SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY | while IFS=$'\n' read -r key; do
+    authorize_key "$key" " --append-only"
+done
+unset SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY
+unset REPO_PATH
 
 set -x
 

+ 1 - 1
sshd_config

@@ -33,4 +33,4 @@ PermitUserEnvironment no
 PrintMotd no
 PermitTTY no
 
-ForceCommand /usr/bin/borg serve --restrict-to-repository /repository
+# ForceCommand via command= in ~/.ssh/authorized_keys