
allow tcp forwarding; disable shell access; remove rsync

Fabian Peter Hammerle 4 years ago
parent
commit
becd50df02
6 changed files with 48 additions and 56 deletions
  1. 2 2
      Dockerfile
  2. 23 20
      README.md
  3. 18 0
      docker-compose.yml
  4. 1 0
      entrypoint.sh
  5. 0 32
      rsnapshot.conf.example
  6. 4 2
      sshd_config

+ 2 - 2
Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.8
+FROM alpine:3.9
 
-RUN apk add --no-cache rsync rrsync openssh-server
+RUN apk add --no-cache openssh-server
 
 ENV SSHD_HOST_KEYS_DIR /etc/ssh/host_keys
 VOLUME $SSHD_HOST_KEYS_DIR
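Review bot: `RUN apk add --no-cache openssh-server` installs whatever openssh-server Alpine 3.9 happens to ship at build time, so two builds of this same commit can yield different sshd versions and the hardening in sshd_config is validated against a moving target. Pin the package, `RUN apk add --no-cache openssh-server=<OPENSSH_VERSION_PLACEHOLDER>`, and bump it deliberately; hadolint reports the unpinned form as DL3018. For full reproducibility the base could likewise be pinned by digest, `FROM alpine:3.9@sha256:<DIGEST_PLACEHOLDER>`, since the image's only job is to run this one daemon.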

+ 23 - 20
README.md

@@ -1,31 +1,34 @@
-# docker: openssh-server restricted to rsync 🐳
+# Docker: OpenSSH-Server Restricted to TCP Forwarding 🐳
 
-repo: https://github.com/fphammerle/docker-rsync-sshd
+Docker Hub: https://hub.docker.com/r/fphammerle/ssh-bastion
 
-docker hub: https://hub.docker.com/r/fphammerle/rsync-sshd
-
-SSH clients are restricted to `rsync --server` commands via [rrsync](https://download.samba.org/pub/unpacked/rsync/support/rrsync).
-
-rrsync prefixes `/data` to all paths (e.g., `rsync ... host:/src /backup` downloads `/data/src`).
-
-## example 1
+## Example: Share Web Server
 
 ```sh
-$ docker run --name=rsync-sshd -p 2022:22 -e USERS=alice,bob -v rsync-data:/data:ro fphammerle/rsync-sshd
-$ docker cp alice-keys rsync-sshd:/home/alice/.ssh/authorized_keys
-$ docker cp bob-keys rsync-sshd:/home/bob/.ssh/authorized_keys
+bastion $ docker run --name ssh-bastion -p 2222:22 -e USERS=alice,bob fphammerle/ssh-bastion
+bastion $ docker cp alice-keys ssh-bastion:/home/alice/.ssh/authorized_keys
+bastion $ docker cp bob-keys ssh-bastion:/home/bob/.ssh/authorized_keys
+alice $ ssh -N -R 28080:localhost:8080 -p 2222 bastion
+bob $ ssh -N -L 8081:localhost:28080 -p 2222 bastion
+bob $ curl http://localhost:8081/hello_bob.html
 ```
 
-## example 2
+## Example: SSH Jump Host
 
 ```
-$ docker run --name rsync-sshd \
+$ docker run --name ssh-bastion \
     --publish 2022:22 --env USERS=alice,bob \
-    --volume accessible-data:/data:ro \
-    --volume host-keys:/etc/ssh/host_keys \
-    --volume alice-ssh-config:/home/alice/.ssh:ro \ 
-    --volume bob-ssh-config:/home/bob/.ssh:ro \ 
+    --volume bastion-host-keys:/etc/ssh/host_keys \
+    --volume alice-ssh-config:/home/alice/.ssh:ro \
+    --volume bob-ssh-config:/home/bob/.ssh:ro \
     --init --rm \
-    fphammerle/rsync-sshd
-$ rsync -av --rsh='ssh -p 2022' alice@localhost:/source /target
+    fphammerle/ssh-bastion
+$ ssh -N -R 20221:localhost:22 -p 2022 alice@bastion
+$ ssh -J bob@bastion:2022 -p 20221 localhost
 ```
+
+### Docker Compose 🐙
+
+1. `git clone https://github.com/fphammerle/docker-ssh-bastion`
+2. Adapt `$USERS` and paths in [docker-compose.yml](docker-compose.yml)
+3. `docker-compose up`

+ 18 - 0
docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+
+volumes:
+  host_keys:
+
+services:
+  ssh_bastion:
+    build: .
+    image: fphammerle/ssh-bastion
+    environment:
+      USERS: alice,bob
+    volumes:
+    - host_keys:/etc/ssh/host_keys:rw
+    ports:
+    - '0.0.0.0:2222:22'
+    restart: unless-stopped
+
+# https://docs.docker.com/compose/compose-file/compose-file-v2/

+ 1 - 0
entrypoint.sh

@@ -14,6 +14,7 @@ IFS=','
 for USER in $USERS; do
     if ! id "$USER" 2>/dev/null >/dev/null ; then
         (set -x; adduser -D "$USER")
+        # TODO remove:
         passwd -u "$USER" 2>/dev/null
     fi
 done
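Review bot: The added `# TODO remove:` above `passwd -u "$USER"` records an intent but neither why the unlock is there nor what has to change before it can go, so the next reader cannot judge whether deleting the line is safe. It looks like `adduser -D` creates the account with a locked password and the unlock exists so sshd will accept key-based logins to it — confirm — in which case the comment should say that, e.g. `# TODO remove: adduser -D locks the account; sshd refuses logins to locked accounts even with PasswordAuthentication no`. Note also that `2>/dev/null` hides any failure of `passwd -u`, so a user could be created yet unusable with nothing in the container log; dropping the redirect, or checking the exit status, would make that visible.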

+ 0 - 32
rsnapshot.conf.example

@@ -1,32 +0,0 @@
-config_version	1.2
-
-snapshot_root	/tmp/rsnapshot/
-
-# do not create $snapshot_root
-#no_create_root	1
-
-cmd_cp		/bin/cp
-cmd_rsync	/usr/bin/rsync
-cmd_ssh	/usr/bin/ssh
-
-retain	alpha	16
-retain	beta	8
-retain	gamma	8
-retain	delta	8	
-
-# 1     Quiet           Print fatal errors only
-# 2     Default         Print errors and warnings only
-# 3     Verbose         Show equivalent shell commands being executed
-# 4     Extra Verbose   Show extra verbose information
-# 5     Debug mode      Everything
-verbose		3
-
-# prevent two instances from running simultaneously and
-# potentially messing up $snapshot_root
-lockfile	/tmp/rsnapshot.pid
-
-ssh_args	-p 2022
-
-sync_first	1
-
-backup	alice@localhost:/		data-volume

+ 4 - 2
sshd_config

@@ -10,15 +10,17 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
 PermitRootLogin no
+PubkeyAuthentication yes
 PasswordAuthentication no
 StrictModes no
 # separated by spaces
 AllowUsers _
 
-ForceCommand /usr/bin/rrsync /data
+ForceCommand /bin/false
 AllowAgentForwarding no
-AllowTcpForwarding no
+AllowTcpForwarding all
 GatewayPorts no
+PermitTunnel no
 X11Forwarding no
 PermitUserEnvironment no
 PermitTTY no
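Review bot: `AllowTcpForwarding all` is enabled without a `PermitOpen` limit, so any authenticated user can open local forwards (`-L`) to every host and port reachable from the container's network namespace — other containers on the same Docker network, the Docker host, upstream services — not only the loopback ports the README examples use. Restrict the destinations, e.g. `PermitOpen localhost:* 127.0.0.1:* [::1]:*`, which still serves both README examples since they target localhost on the bastion; `PermitListen` (OpenSSH 7.8 and later — confirm the Alpine 3.9 package has it) can likewise bound which ports `-R` may bind. Because the intent is TCP-only, `AllowStreamLocalForwarding no` is also worth adding, as Unix-socket forwarding is governed separately from `AllowTcpForwarding`. `ForceCommand /bin/false` together with `PermitTTY no` does deny shells, but it never executes for `ssh -N` sessions, so the forwarding directives above are the effective control here.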