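#!/usr/bin/env sh
# Entrypoint for a single-user OpenSSH jump-host container.
#
# On every start it:
#   1. derives the jump user's name, shell and authorized_keys from the SSH_*
#      environment, sanitising anything that ends up on a command line;
#   2. maps the SSHD_* environment toggles onto explicit "-o Option=value"
#      pairs (an unrecognised value falls back to the conservative default);
#   3. creates the unprivileged user (fixed uid/gid 4095) if it does not exist;
#   4. installs authorized_keys and, when present, the trusted user-CA and
#      authorized-principals files;
#   5. generates host keys under ${DATA_PATH}/hostkeys on first start;
#   6. prints the key fingerprints and exec's sshd in the foreground.
#
# Persistent state lives under DATA_PATH (/data): home, userkeys, cakeys and
# hostkeys. Password and keyboard-interactive authentication are always off;
# only public keys (or certificates signed by the trusted CA) can log in.
#
# POSIX sh: there are no arrays, so the sshd argument list is accumulated in
# the positional parameters ("$@") via `set --` and finally exec'd. That keeps
# every option a single argument, so no sanitised value can ever be split
# into extra sshd options by word splitting.
set -eu

DATA_PATH="/data"
USER_PATH="${DATA_PATH}/home"
USER_SHELL="/bin/dd"
USER_USERNAME="sshjumphost"
USER_UID=4095
USER_GID=4095
USER_AUTHORIZED_KEYS_FILE="${DATA_PATH}/userkeys/authorized_keys"
SERVER_TRUSTED_USER_CA_KEYS_FILE="${DATA_PATH}/cakeys/trusted_keys"
SERVER_AUTHORIZED_PRINCIPALS_FILE="${DATA_PATH}/cakeys/authorized_principals"

# =============================================================================
# helpers
# =============================================================================

# warn MESSAGE...: diagnostics go to stderr so they never interleave with the
# fingerprint listing on stdout.
warn() {
  printf 'WARNING: %s\n' "$*" >&2
}

# die MESSAGE...: fatal configuration error; sshd could not start usefully.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# sanitize VALUE TR_SET MAXLEN: keep only the characters of TR_SET (a tr(1)
# character set) and truncate to MAXLEN bytes. Every environment-derived value
# that is placed on the sshd command line passes through here, so whitespace
# or option syntax in a variable cannot smuggle in additional sshd options.
sanitize() {
  printf '%s' "$1" | tr -cd "$2" | head -c "$3"
}

# yesno VALUE DEFAULT: print "yes" or "no". Only the literal strings "yes" and
# "no" are honoured; anything else (unset, empty, "true", "1", ...) yields
# DEFAULT, so a typo in an environment variable never silently enables a
# feature whose default is "no".
yesno() {
  case "$1" in
    yes|no) printf '%s' "$1" ;;
    *) printf '%s' "$2" ;;
  esac
}

# hostkeys_present: succeed when ${DATA_PATH}/hostkeys holds at least one entry.
hostkeys_present() {
  for entry in "${DATA_PATH}/hostkeys"/*; do
    # an unmatched glob stays literal in sh, hence the existence test
    [ -e "${entry}" ] && return 0
  done
  return 1
}

# =============================================================================
# jump user settings from the SSH_* environment
# =============================================================================
if [ -n "${SSH_USERNAME:-}" ]; then
  # The username is restricted to [0-9a-z]{1,32}: it is used as an
  # addgroup/adduser argument, inside a sed expression against /etc/shadow
  # and as the default certificate principal.
  default_username="${USER_USERNAME}"
  USER_USERNAME="$(sanitize "${SSH_USERNAME}" '0-9A-Za-z' 32 | tr '[:upper:]' '[:lower:]')"
  if [ -z "${USER_USERNAME}" ]; then
    USER_USERNAME="${default_username}"
    warn "SSH_USERNAME contains no usable characters, using ${USER_USERNAME}"
  fi
fi

if [ -n "${SSH_AUTHORIZED_KEYS:-}" ]; then
  if [ -f "${SSH_AUTHORIZED_KEYS}" ]; then
    # a path was supplied: use that file in place
    USER_AUTHORIZED_KEYS_FILE="${SSH_AUTHORIZED_KEYS}"
  else
    # inline key material was supplied: persist it at the default location
    mkdir -p "$(dirname "${USER_AUTHORIZED_KEYS_FILE}")"
    printf '%s\n' "${SSH_AUTHORIZED_KEYS}" > "${USER_AUTHORIZED_KEYS_FILE}"
  fi
fi

if [ -n "${SSH_SHELL:-}" ]; then
  # a shell that exists but cannot be executed would only yield a user that
  # can authenticate and then fail to start a session; keep the default then
  if [ -f "${SSH_SHELL}" ] && [ -x "${SSH_SHELL}" ]; then
    USER_SHELL="${SSH_SHELL}"
  else
    warn "SSH_SHELL supplied but ${SSH_SHELL} is not an executable file, keeping ${USER_SHELL}"
  fi
fi

# =============================================================================
# sshd settings from the SSHD_* environment
# =============================================================================
# https://man.openbsd.org/sshd_config#TrustedUserCAKeys
if [ -n "${SSHD_TRUSTED_USER_CA_KEYS:-}" ]; then
  if [ -f "${SSHD_TRUSTED_USER_CA_KEYS}" ]; then
    SERVER_TRUSTED_USER_CA_KEYS_FILE="${SSHD_TRUSTED_USER_CA_KEYS}"
  else
    mkdir -p "$(dirname "${SERVER_TRUSTED_USER_CA_KEYS_FILE}")"
    printf '%s\n' "${SSHD_TRUSTED_USER_CA_KEYS}" > "${SERVER_TRUSTED_USER_CA_KEYS_FILE}"
  fi
fi

# Fixed part of the command line: foreground, log to stderr, IPv4 only, and
# no password-style authentication of any kind.
set -- /usr/sbin/sshd -D -e -4 \
  -o PasswordAuthentication=no \
  -o KbdInteractiveAuthentication=no \
  -o PermitEmptyPasswords=no \
  -o "AuthorizedKeysFile=${USER_PATH}/.ssh/authorized_keys"

# https://man.openbsd.org/sshd_config#PubkeyAuthentication
set -- "$@" -o "PubkeyAuthentication=$(yesno "${SSHD_PUBKEY_AUTHENTICATION:-}" yes)"
# https://man.openbsd.org/sshd_config#GatewayPorts
set -- "$@" -o "GatewayPorts=$(yesno "${SSHD_GATEWAY_PORTS:-}" no)"
# https://man.openbsd.org/sshd_config#PermitTunnel
set -- "$@" -o "PermitTunnel=$(yesno "${SSHD_PERMIT_TUNNEL:-}" no)"
# https://man.openbsd.org/sshd_config#X11Forwarding
set -- "$@" -o "X11Forwarding=$(yesno "${SSHD_X11_FORWARDING:-}" no)"
# https://man.openbsd.org/sshd_config#AllowTcpForwarding
set -- "$@" -o "AllowTcpForwarding=$(yesno "${SSHD_ALLOW_TCP_FORWARDING:-}" yes)"
# https://man.openbsd.org/sshd_config#AllowAgentForwarding
set -- "$@" -o "AllowAgentForwarding=$(yesno "${SSHD_ALLOW_AGENT_FORWARDING:-}" yes)"
# https://man.openbsd.org/sshd_config#PermitRootLogin
set -- "$@" -o "PermitRootLogin=$(yesno "${SSHD_PERMIT_ROOT_LOGIN:-}" no)"

# https://man.openbsd.org/sshd_config#ListenAddress
# Only address characters survive; an empty result (unset or garbage) falls
# back to all IPv4 interfaces instead of handing sshd an empty option.
listen_address="$(sanitize "${SSHD_LISTEN_ADDRESS:-}" '.:0-9' 32)"
set -- "$@" -o "ListenAddress=${listen_address:-0.0.0.0}"
# https://man.openbsd.org/sshd_config#Port
listen_port="$(sanitize "${SSHD_LISTEN_PORT:-}" '0-9' 8)"
set -- "$@" -o "Port=${listen_port:-22}"
# https://man.openbsd.org/sshd_config#LogLevel
loglevel="$(sanitize "${SSHD_LOGLEVEL:-}" '0-9A-Za-z' 32)"
set -- "$@" -o "LogLevel=${loglevel:-INFO}"

# =============================================================================
# create the jump user if it does not exist yet
# =============================================================================
if ! id -u "${USER_USERNAME}" >/dev/null 2>&1; then
  addgroup --quiet --gid "${USER_GID}" "${USER_USERNAME}"
  adduser --quiet --gecos "" --disabled-password --home "${USER_PATH}" \
    --shell "${USER_SHELL}" --ingroup "${USER_USERNAME}" --uid "${USER_UID}" \
    "${USER_USERNAME}"
  # --disabled-password leaves "!" in the shadow password field, which sshd
  # treats as a locked account and rejects even key-based logins; "*" keeps
  # password login impossible without marking the account locked.
  sed -i "s/^${USER_USERNAME}:!/${USER_USERNAME}:*/" /etc/shadow
fi

# =============================================================================
# establish the user's authorized_keys file
# =============================================================================
if [ -f "${USER_AUTHORIZED_KEYS_FILE}" ]; then
  mkdir -p "${USER_PATH}/.ssh"
  chmod 700 "${USER_PATH}/.ssh"
  cp "${USER_AUTHORIZED_KEYS_FILE}" "${USER_PATH}/.ssh/authorized_keys"
  chmod 600 "${USER_PATH}/.ssh/authorized_keys"
  # Listing fails on an empty or invalid file; that is reported rather than
  # fatal because a certificate-only deployment may carry no keys here.
  USER_AUTHORIZED_KEYS_FINGERPRINTS="$(ssh-keygen -lf "${USER_PATH}/.ssh/authorized_keys" 2>/dev/null)" \
    || warn "no valid public keys found in ${USER_AUTHORIZED_KEYS_FILE}"
else
  USER_AUTHORIZED_KEYS_FINGERPRINTS=""
  warn "authorized_keys is not available at ${USER_AUTHORIZED_KEYS_FILE}"
fi
# the home directory (and the copied key file) must belong to the jump user
chown -R "${USER_USERNAME}:${USER_USERNAME}" "${USER_PATH}"

# =============================================================================
# trusted user CA and principals, only when a CA file exists
# =============================================================================
if [ -f "${SERVER_TRUSTED_USER_CA_KEYS_FILE}" ]; then
  set -- "$@" -o "TrustedUserCAKeys=${SERVER_TRUSTED_USER_CA_KEYS_FILE}"
  # Pin the accepted certificate principals to the jump user unless the
  # operator supplied an explicit principals list.
  if [ ! -f "${SERVER_AUTHORIZED_PRINCIPALS_FILE}" ]; then
    printf '%s\n' "${USER_USERNAME}" > "${SERVER_AUTHORIZED_PRINCIPALS_FILE}"
  fi
  set -- "$@" -o "AuthorizedPrincipalsFile=${SERVER_AUTHORIZED_PRINCIPALS_FILE}"
fi

# =============================================================================
# host keys: generate on first start, then register and fingerprint them
# =============================================================================
mkdir -p "${DATA_PATH}/hostkeys"
if ! hostkeys_present; then
  # ssh-keygen -A writes below <prefix>/etc/ssh, so generate into a scratch
  # tree and move the results into the persistent hostkeys directory.
  mkdir -p "${DATA_PATH}/tmp/etc/ssh"
  /usr/bin/ssh-keygen -A -f "${DATA_PATH}/tmp"
  mv "${DATA_PATH}/tmp/etc/ssh"/* "${DATA_PATH}/hostkeys/"
  rm -Rf "${DATA_PATH}/tmp"
fi

fingerprints_file="${DATA_PATH}/hostkeys/hostkey.fingerprints"
# truncate (or create) so the listing below never reads a stale file
: > "${fingerprints_file}"
hostkey_count=0
for hostkey_file in "${DATA_PATH}/hostkeys"/ssh_host_*; do
  # an unmatched glob stays literal in sh; never pass that pattern to sshd
  [ -e "${hostkey_file}" ] || continue
  case "${hostkey_file}" in
    *.pub)
      ssh-keygen -l -f "${hostkey_file}" >> "${fingerprints_file}" \
        || warn "cannot fingerprint ${hostkey_file}"
      ;;
    *)
      set -- "$@" -o "HostKey=${hostkey_file}"
      hostkey_count=$((hostkey_count + 1))
      ;;
  esac
done
[ "${hostkey_count}" -gt 0 ] || die "no host keys found in ${DATA_PATH}/hostkeys"

# =============================================================================
# display information about the sshd being started
# =============================================================================
printf 'hostname: %s\n' "$(hostname)"
printf 'ip addr: %s\n' "$(ip addr | grep 'inet ' | grep -v ' lo$' | xargs)"
printf 'username: %s\n' "${USER_USERNAME}"
printf 'ssh-version: %s\n' "$(ssh -V 2>&1)"
printf 'sshkey-fingerprints:\n'
if [ -n "${USER_AUTHORIZED_KEYS_FINGERPRINTS}" ]; then
  printf '%s\n' "${USER_AUTHORIZED_KEYS_FINGERPRINTS}"
fi
printf 'hostkey-fingerprints:\n'
cat "${fingerprints_file}"

# =============================================================================
# start sshd
# =============================================================================
printf 'sshd_command: %s\n' "$*"
# exec so sshd becomes the container's main process and receives its stop
# signal directly instead of being orphaned behind this shell
exec "$@"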