From 863bb1ef738a09ea8142a66cfe0e9e93d800e96e Mon Sep 17 00:00:00 2001
From: Bertrand Roussel
Date: Tue, 1 Dec 2020 08:54:48 -0800
Subject: [PATCH 1/2] Provide OPEN_ACCESS option to make an open SSH proxy

When OPEN_ACCESS=true, the server accepts all connections. It is therefore not a bastion anymore, but acts more like an anonymous proxy.
---
 Dockerfile | 4 +++-
 bastion | 10 +++++++++-
 test.sh | 9 +++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100755 test.sh

diff --git a/Dockerfile b/Dockerfile
index 4922e49..5145bcc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,8 @@ RUN addgroup -S -g ${GID} ${GROUP} \
 && sed -i "s/${USER}:!/${USER}:*/g" /etc/shadow \
 && set -x \
 && apk add --no-cache openssh-server \
+ openssh-server-pam \
+ linux-pam \
 && echo "Welcome to Bastion!" > /etc/motd \
 && chmod +x /usr/sbin/bastion \
 && mkdir -p ${HOST_KEYS_PATH} \
@@ -30,4 +32,4 @@ EXPOSE 22/tcp
 VOLUME ${HOST_KEYS_PATH}
 
-ENTRYPOINT ["bastion"]
\ No newline at end of file
+ENTRYPOINT ["bastion"]
diff --git a/bastion b/bastion
index e3ab8bb..327f2c4 100644
--- a/bastion
+++ b/bastion
@@ -66,6 +66,13 @@ else
 CONFIG_LISTEN_PORT="-o Port=22"
 fi
 
+if [ "x$OPEN_ACCESS" = "xtrue" ]; then
+ echo "Warning: server will accept all incoming connections!!!"
+ CONFIG_ACCESS="-o UsePAM=yes"
+ echo "bastion" >/etc/sshd_allowed_users
+ echo "auth sufficient pam_listfile.so item=user sense=allow file=/etc/sshd_allowed_users onerr=fail" > /etc/pam.d/sshd
+fi
+
 /usr/sbin/sshd -D -e -4 \
 -o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \
 -o "HostKey=$HOST_KEYS_PATH/ssh_host_dsa_key" \
@@ -84,4 +91,5 @@ fi
 $CONFIG_TRUSTED_USER_CA_KEYS \
 $CONFIG_AUTHORIZED_PRINCIPALS_FILE \
 $CONFIG_LISTEN_ADDRESS \
- $CONFIG_LISTEN_PORT
+ $CONFIG_LISTEN_PORT \
+ $CONFIG_ACCESS
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..73aee71
--- /dev/null
+++ b/test.sh
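Review bot: `openssh-server-pam` and `linux-pam` are installed into every image, although the PAM path is only taken when `OPEN_ACCESS=true` is set at container start, so the default bastion image now carries an authentication stack it never uses. I believe Alpine ships the PAM-enabled server in that package under its own binary name rather than replacing `/usr/sbin/sshd`; if so, the `-o UsePAM=yes` added in `bastion` is handed to the non-PAM build and may be rejected or silently ignored, which is worth confirming with `sshd -T` inside the built image before relying on the feature. A one-line comment above the two new packages, `# PAM build of sshd, only used when OPEN_ACCESS=true`, would record why they are here. The enclosing `RUN` chain starts and ends outside the hunk.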
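Review bot: `CONFIG_ACCESS` is assigned only inside the new `if`, unlike `CONFIG_LISTEN_PORT` just above it which gets a value in both branches, so the `$CONFIG_ACCESS` expansion added in the `@@ -84,4 +91,5` hunk depends on the variable being silently empty; initialise it with `CONFIG_ACCESS=""` before the `if` (or add an `else` branch) so the script behaves the same under `set -u` — the script header is outside the hunk, so I cannot tell whether that is enabled. The PAM line written to `/etc/pam.d/sshd` grants `sufficient` auth to the literal user `bastion`, while the Dockerfile creates the account from `${USER}`; if that build argument can differ, the two disagree and open access either fails or applies to a different account than intended, so the same variable should be used in both places. Because this mode is meant to expose exactly one account, the sshd invocation should also pin it, e.g. `CONFIG_ACCESS="-o UsePAM=yes -o AllowUsers=bastion"`, so no other local account can be reached through the permissive PAM stack. The file only defines an `auth` entry; sshd also evaluates the `account` and `session` stacks, which would fall through to the PAM default policy, so confirm a login actually succeeds in this mode. Finally the warning belongs on stderr, `echo "Warning: server will accept all incoming connections!!!" >&2`, so it is not lost when stdout is redirected.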
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+docker build -t bastion .
+
+
+docker run --rm --name bastion \
+ -p 2222:22 \
+ -e OPEN_ACCESS=true \
+ bastion

From bbb407c0ff870ae2794c0935efbefb8d97eb3a3e Mon Sep 17 00:00:00 2001
From: Bertrand Roussel
Date: Tue, 1 Dec 2020 09:13:23 -0800
Subject: [PATCH 2/2] Upgrade to alpine 3.12.1

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 5145bcc..70b960f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.11.6
+FROM alpine:3.12.1
 LABEL maintainer="Mark "
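Review bot: `-p 2222:22` publishes the `OPEN_ACCESS=true` container on every interface of the host, so running this test exposes an SSH server that accepts all connections to whatever network the host is on for as long as the container runs; bind it to loopback with `-p 127.0.0.1:2222:22`, since the test only needs local connectivity. The script also has no `set -e`, so a failed `docker build` still starts whichever `bastion` image was built previously; add `set -euo pipefail` after the shebang. Nothing here asserts anything — it runs the container in the foreground and stops — so either mark it as a manual smoke test in a header comment or add a connection check followed by a `docker stop`.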