
openssh-server: added ed25519 host key; disabled some MACs

https://github.com/fphammerle/docker-gitolite/blob/35056d1828f780dd0ea72e583fdafa1c2f1cb956/sshd_config
Fabian Peter Hammerle 3 years ago
parent
commit
281ba35f98
3 changed files with 25 additions and 7 deletions
  1. 7 1
      CHANGELOG.md
  2. 8 2
      entrypoint.sh
  3. 10 4
      sshd_config

+ 7 - 1
CHANGELOG.md

@@ -6,15 +6,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
+- `openssh-server`: added `ed25519` host key
 - `docker-compose`: added cpu & memory resource limits
 
 ### Changed
-- listen on port `2200` (previously `2222`)
+- `openssh-server`: listen on port `2200` (previously `2222`)
 - `docker-compose`: read-only container root filesystem
 
 ### Fixed
 - `docker-compose`: drop capabilities, disallow gaining new privileges
 
+### Removed
+- `openssh-server`: disabled message authentication code algorithms
+  `hmac-sha2-512`, `hmac-sha2-256` & `umac-128@openssh.com`
+  (as recommended by `ssh-audit.com`)
+
 ## [1.0.0] - 2020-01-10
 ### Added
 - openssh server invoking `mysqldump` when client connects

+ 8 - 2
entrypoint.sh

@@ -1,9 +1,15 @@
 #!/bin/sh
-set -e
 
+set -eu
+
+# sync with https://github.com/fphammerle/docker-gitolite/blob/master/entrypoint.sh
 if [ ! -f "$SSHD_HOST_KEYS_DIR/rsa" ]; then
-    ssh-keygen -t rsa -b 4096 -N '' -C '' -f "$SSHD_HOST_KEYS_DIR/rsa"
+    ssh-keygen -t rsa -b 4096 -N '' -f "$SSHD_HOST_KEYS_DIR/rsa"
+fi
+if [ ! -f "$SSHD_HOST_KEYS_DIR/ed25519" ]; then
+    ssh-keygen -t ed25519 -N '' -f "$SSHD_HOST_KEYS_DIR/ed25519"
 fi
+unset SSHD_HOST_KEYS_DIR
 
 echo -e "#!/bin/sh\nexec mysqldump $MYSQLDUMP_ARGS" > /tmp/mysqldump.sh
 chmod u+x /tmp/mysqldump.sh
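Review bot: With `set -eu` now in force (first added line of the hunk), the unchanged `echo -e "#!/bin/sh\nexec mysqldump $MYSQLDUMP_ARGS"` line at the end of the hunk makes the container start abort when `MYSQLDUMP_ARGS` is unset, where it previously wrote `exec mysqldump` with no arguments; the first `if` is affected the same way by an unset `SSHD_HOST_KEYS_DIR`. If both variables are meant to be mandatory, state that explicitly near the top with `: "${SSHD_HOST_KEYS_DIR:?must name the host-key directory}"` and `: "${MYSQLDUMP_ARGS:?must be set}"`, so a missing value yields a named error instead of the shell's generic unbound-variable message. The rsa branch also drops `-C ''`, so the RSA host key now carries ssh-keygen's default comment; harmless for a host key, but a one-line comment would show it is intentional. The script may continue past the end of the hunk.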

+ 10 - 4
sshd_config

@@ -1,3 +1,5 @@
+# sync with https://github.com/fphammerle/docker-gitolite/blob/master/sshd_config
+
 LogLevel INFO
 #LogLevel DEBUG
 
@@ -7,12 +9,16 @@ Port 2200
 Protocol 2
 
 HostKey /etc/ssh/host_keys/rsa
+HostKey /etc/ssh/host_keys/ed25519
 
-# https://cipherli.st/
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# https://www.ssh-audit.com/hardening_guides.html#ubuntu_20_04_lts
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
 
+#UsePAM no
+#PermitRootLogin no
 AllowUsers dump
 AuthenticationMethods publickey
 PubkeyAuthentication yes
@@ -28,9 +34,9 @@ DisableForwarding yes
 GatewayPorts no
 PermitTTY no
 PermitTunnel no
+X11Forwarding no
 PermitUserEnvironment no
 PrintMotd no
-X11Forwarding no
 
 # sshd invokes shell set in /etc/passwd
 ForceCommand exit 1
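Review bot: The two added lines `#UsePAM no` and `#PermitRootLogin no` in the second hunk are commented out, so they record an intention without enforcing it; root login is currently excluded only by the `AllowUsers dump` line beneath them. Uncommenting `PermitRootLogin no` makes that restriction hold on its own even if `AllowUsers` is later changed, and it costs nothing for this single-user image. The new `KexAlgorithms` line keeps `diffie-hellman-group-exchange-sha256`, whose effective strength depends on the moduli file shipped in the image; the ssh-audit guide referenced in the new comment also addresses that file, and whether this image prunes it is not visible in this diff. The `X11Forwarding no` change in the last hunk is a pure reorder and needs no action.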