forked from panubo/docker-sshd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
entry.sh
executable file
·129 lines (114 loc) · 3.71 KB
/
entry.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/usr/bin/env bash
set -e
[ "$DEBUG" == 'true' ] && set -x
DAEMON=sshd
# Copy default config from cache
if [ ! "$(ls -A /etc/ssh)" ]; then
cp -a /etc/ssh.cache/* /etc/ssh/
fi
set_hostkeys() {
printf '%s\n' \
'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_dsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ecdsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[4] /etc/ssh/keys/ssh_host_ed25519_key' \
| augtool -s
}
print_fingerprints() {
local BASE_DIR=${1-'/etc/ssh'}
for item in dsa rsa ecdsa ed25519; do
echo ">>> Fingerprints for ${item} host key"
ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
done
}
# Generate Host keys, if required
if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Host keys in keys directory"
set_hostkeys
print_fingerprints /etc/ssh/keys
elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Host keys exist in default location"
# Don't do anything
print_fingerprints
else
echo ">> Generating new host keys"
mkdir -p /etc/ssh/keys
ssh-keygen -A
mv /etc/ssh/ssh_host_* /etc/ssh/keys/
set_hostkeys
print_fingerprints /etc/ssh/keys
fi
# Fix permissions, if writable
if [ -w ~/.ssh ]; then
chown root:root ~/.ssh && chmod 700 ~/.ssh/
fi
if [ -w ~/.ssh/authorized_keys ]; then
chown root:root ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
fi
if [ -w /etc/authorized_keys ]; then
chown root:root /etc/authorized_keys
chmod 755 /etc/authorized_keys
find /etc/authorized_keys/ -type f -exec chmod 644 {} \;
fi
# Add users if SSH_USERS=user:uid:gid set
if [ -n "${SSH_USERS}" ]; then
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
IFS=':' read -ra UA <<< "$U"
_NAME=${UA[0]}
_UID=${UA[1]}
_GID=${UA[2]}
echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}."
if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
fi
getent group ${_NAME} >/dev/null 2>&1 || addgroup -g ${_GID} ${_NAME}
getent passwd ${_NAME} >/dev/null 2>&1 || adduser -D -u ${_UID} -G ${_NAME} -s '' ${_NAME}
passwd -u ${_NAME} || true
done
else
# Warn if no authorized_keys
if [ ! -e ~/.ssh/authorized_keys ] && [ ! $(ls -A /etc/authorized_keys) ]; then
echo "WARNING: No SSH authorized_keys found!"
fi
fi
# Update MOTD
if [ -v MOTD ]; then
echo -e "$MOTD" > /etc/motd
fi
if [[ "${SFTP_MODE}" == "true" ]]; then
: ${SFTP_CHROOT:='/data'}
chown 0:0 ${SFTP_CHROOT}
chmod 755 ${SFTP_CHROOT}
printf '%s\n' \
'set /files/etc/ssh/sshd_config/Subsystem/sftp "internal-sftp"' \
'set /files/etc/ssh/sshd_config/AllowTCPForwarding no' \
'set /files/etc/ssh/sshd_config/X11Forwarding no' \
'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
'set /files/etc/ssh/sshd_config/ChrootDirectory /data' \
| augtool -s
fi
stop() {
echo "Received SIGINT or SIGTERM. Shutting down $DAEMON"
# Get PID
pid=$(cat /var/run/$DAEMON/$DAEMON.pid)
# Set TERM
kill -SIGTERM "${pid}"
# Wait for exit
wait "${pid}"
# All done.
echo "Done."
}
echo "Running $@"
if [ "$(basename $1)" == "$DAEMON" ]; then
trap stop SIGINT SIGTERM
$@ &
pid="$!"
mkdir -p /var/run/$DAEMON && echo "${pid}" > /var/run/$DAEMON/$DAEMON.pid
wait "${pid}" && exit $?
else
exec "$@"
fi