
authorize public keys in env var SSH_CLIENT_PUBLIC_KEYS (instead of mounting /home/dump/.ssh/authorized_keys)

https://github.com/fphammerle/docker-borgbackup-sshd/blob/63445c524ad9471e1208666fb041c5d0623406db/entrypoint.sh
https://github.com/fphammerle/docker-sftpd/blob/b755c340f510f0843574b4df103ec285f3459d67/entrypoint.sh
Fabian Peter Hammerle 3 years ago
parent
commit
938ea0f6aa
5 changed files with 29 additions and 11 deletions
  1. 4 1
      CHANGELOG.md
  2. 5 3
      README.md
  3. 16 6
      docker-compose.yml
  4. 3 0
      entrypoint.sh
  5. 1 1
      sshd_config

+ 4 - 1
CHANGELOG.md

@@ -10,9 +10,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `docker-compose`: added cpu & memory resource limits
 
 ### Changed
+- authorize public keys in env var `SSH_CLIENT_PUBLIC_KEYS`
+  (instead of mounting `/home/dump/.ssh/authorized_keys`)
+- fail early when env var `MYSQLDUMP_ARGS` is not set
 - `openssh-server`: listen on port `2200` (previously `2222`)
 - `docker-compose`: read-only container root filesystem
-- fail early when env var `MYSQLDUMP_ARGS` is not set
+- `docker-compose`: require version `2.3`
 
 ### Fixed
 - `Dockerfile` & `docker-compose`: add registry to base image specifiers for `podman`

+ 5 - 3
README.md

@@ -8,11 +8,13 @@ Useful to fetch backups via [rsnapshot](https://rsnapshot.org/).
 See [rsnapshot.conf.example](rsnapshot.conf.example).
 
 ```sh
-$ sudo docker run --rm \
+$ sudo docker run --rm --name mysqldump_ssh \
     -p 2200:2200 \
-    -v /some/path/authorized_keys:/home/dump/.ssh/authorized_keys:ro \
+    -e SSH_CLIENT_PUBLIC_KEYS="$(cat ~/.ssh/id_*.pub)" \
+    --tmpfs /home/dump/.ssh:mode=1777,size=16k \
     -e MYSQLDUMP_ARGS='--host=dbhost --user=dbuser --password=dbpass --all-databases' \
-    fphammerle/mysqldump-sshd
+    --read-only --security-opt=no-new-privileges --cap-drop=ALL \
+    docker.io/fphammerle/mysqldump-sshd
 $ ssh -p 2200 -T dump@localhost
 -- MariaDB dump 10.17  Distrib 10.4.10-MariaDB, for Linux (x86_64)
 --

+ 16 - 6
docker-compose.yml

@@ -1,9 +1,8 @@
-version: '2.2'
+version: '2.3'
 
 volumes:
   database:
-  host_keys:
-  authorized_keys:
+  ssh_host_keys:
 
 services:
   sample_database:
@@ -22,6 +21,9 @@ services:
     build: .
     image: docker.io/fphammerle/mysqldump-sshd
     environment:
+      SSH_CLIENT_PUBLIC_KEYS: |
+        ssh-rsa ...
+        ssh-rsa ...
       MYSQLDUMP_ARGS: >-
         --host=sample_database
         --user=someone
@@ -30,10 +32,18 @@ services:
         --skip-comments
         --skip-dump-date
         --databases demo
-    volumes:
-    - host_keys:/etc/ssh/host_keys:rw
-    - authorized_keys:/home/dump/.ssh:ro
     read_only: true
+    volumes:
+    - type: volume
+      source: ssh_host_keys
+      target: /etc/ssh/host_keys
+      read_only: false
+    - type: tmpfs
+      target: /home/dump/.ssh # authorized_keys
+      tmpfs:
+        # nosuid,nodev,noexec added by default
+        mode: '1777'
+        size: 16k
     ports: ['127.0.0.1:2200:2200']
     cap_drop: [ALL]
     # strace
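Review bot: The tmpfs mounted at `/home/dump/.ssh` is created with `mode: '1777'`, which makes the directory holding `authorized_keys` writable by every process in the container, and with sshd's default `StrictModes yes` the key file in such a directory is rejected outright, because sshd refuses an authorized_keys whose parent directory is group- or world-writable. The `StrictModes` value is not visible in this diff; if the image relies on `StrictModes no`, that dependency is worth stating at the mount, and if it does not, logins will fail silently after the `authorized_keys` volume is dropped. The world-writable mode is presumably a workaround for compose's tmpfs long syntax not exposing uid/gid (so root-owned `/home/dump/.ssh` would otherwise be unwritable for the entrypoint); please record that and the sshd coupling next to the `mode` key, e.g. `# 1777: compose tmpfs cannot set uid/gid, so the dir must be writable for the entrypoint; keep in sync with StrictModes in sshd_config`, or create the file with a tighter mode from the entrypoint instead. The same `mode=1777` appears in the README's `--tmpfs` example.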

+ 3 - 0
entrypoint.sh

@@ -11,6 +11,9 @@ if [ ! -f "$SSHD_HOST_KEYS_DIR/ed25519" ]; then
 fi
 unset SSHD_HOST_KEYS_DIR
 
+printenv SSH_CLIENT_PUBLIC_KEYS > ~/.ssh/authorized_keys
+unset SSH_CLIENT_PUBLIC_KEYS
+
 if [ -z "$MYSQLDUMP_ARGS" ]; then
     echo -e 'missing environment variable MYSQLDUMP_ARGS\n' >&2
     set -x
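Review bot: `printenv SSH_CLIENT_PUBLIC_KEYS > ~/.ssh/authorized_keys` has no guard for the variable being unset, unlike the `MYSQLDUMP_ARGS` check directly below it: `printenv` then exits non-zero and an empty `authorized_keys` is written, so the container starts normally and the problem only surfaces as rejected logins. A check in the same style as the existing one, before the redirect, makes the failure visible at startup: `[ -n "$SSH_CLIENT_PUBLIC_KEYS" ] || { echo 'missing environment variable SSH_CLIENT_PUBLIC_KEYS' >&2; exit 1; }`. The redirect also depends on `~` resolving to `/home/dump` (where the tmpfs is mounted); if the entrypoint can run as a different user this should be spelled out as an absolute path. Note that `unset` in the shell does not remove the value from `/proc/1/environ`, which the `ForceCommand` in sshd_config reads for `MYSQLDUMP_ARGS`; harmless for public keys, but a comment saying why the `unset` is there would help the next reader. The surrounding `if` block continues outside the hunk.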

+ 1 - 1
sshd_config

@@ -32,11 +32,11 @@ AllowStreamLocalForwarding no
 AllowTcpForwarding no
 DisableForwarding yes
 GatewayPorts no
-PermitTTY no
 PermitTunnel no
 X11Forwarding no
 PermitUserEnvironment no
 PrintMotd no
+PermitTTY no
 
 # .* matches until \0
 ForceCommand exec mysqldump $(grep -o 'MYSQLDUMP_ARGS=.*' /proc/1/environ | cut -d = -f 2-)