-
Notifications
You must be signed in to change notification settings - Fork 0
/
entry.sh
executable file
·155 lines (136 loc) · 4.87 KB
/
entry.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
#!/usr/bin/env bash
set -e
[ "$DEBUG" == 'true' ] && set -x
DAEMON=sshd
# Copy default config from cache, if required
if [ ! "$(ls -A /etc/ssh)" ]; then
cp -a /etc/ssh.cache/* /etc/ssh/
fi
set_hostkeys() {
printf '%s\n' \
'set /files/etc/ssh/sshd_config/HostKey[1] /etc/ssh/keys/ssh_host_rsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[2] /etc/ssh/keys/ssh_host_dsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[3] /etc/ssh/keys/ssh_host_ecdsa_key' \
'set /files/etc/ssh/sshd_config/HostKey[4] /etc/ssh/keys/ssh_host_ed25519_key' \
| augtool -s 1> /dev/null
}
print_fingerprints() {
local BASE_DIR=${1-'/etc/ssh'}
for item in dsa rsa ecdsa ed25519; do
echo ">>> Fingerprints for ${item} host key"
ssh-keygen -E md5 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha256 -lf ${BASE_DIR}/ssh_host_${item}_key
ssh-keygen -E sha512 -lf ${BASE_DIR}/ssh_host_${item}_key
done
}
check_authorized_key_ownership() {
local file="$1"
local _uid="$2"
local _gid="$3"
local uid_found="$(stat -c %u ${file})"
local gid_found="$(stat -c %g ${file})"
if ! ( [[ ( "$uid_found" == "$_uid" ) && ( "$gid_found" == "$_gid" ) ]] || [[ ( "$uid_found" == "0" ) && ( "$gid_found" == "0" ) ]] ); then
echo "WARNING: Incorrect ownership for ${file}. Expected uid/gid: ${_uid}/${_gid}, found uid/gid: ${uid_found}/${gid_found}. File uid/gid must match SSH_USERS or be root owned."
fi
}
# Generate Host keys, if required
if ls /etc/ssh/keys/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found host keys in keys directory"
set_hostkeys
print_fingerprints /etc/ssh/keys
elif ls /etc/ssh/ssh_host_* 1> /dev/null 2>&1; then
echo ">> Found Host keys in default location"
# Don't do anything
print_fingerprints
else
echo ">> Generating new host keys"
mkdir -p /etc/ssh/keys
ssh-keygen -A
mv /etc/ssh/ssh_host_* /etc/ssh/keys/
set_hostkeys
print_fingerprints /etc/ssh/keys
fi
# Fix permissions, if writable.
# NB ownership of /etc/authorized_keys are not changed
if [ -w ~/.ssh ]; then
chown root:root ~/.ssh && chmod 700 ~/.ssh/
fi
if [ -w ~/.ssh/authorized_keys ]; then
chown root:root ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
fi
if [ -w /etc/authorized_keys ]; then
chown root:root /etc/authorized_keys
chmod 755 /etc/authorized_keys
# test for writability before attempting chmod
for f in $(find /etc/authorized_keys/ -type f -maxdepth 1); do
[ -w "${f}" ] && chmod 644 "${f}"
done
fi
# Add users if SSH_USERS=user:uid:gid set
if [ -n "${SSH_USERS}" ]; then
USERS=$(echo $SSH_USERS | tr "," "\n")
for U in $USERS; do
IFS=':' read -ra UA <<< "$U"
_NAME=${UA[0]}
_UID=${UA[1]}
_GID=${UA[2]}
if [ ${#UA[*]} -ge 4 ]; then
_SHELL=${UA[3]}
else
_SHELL=''
fi
echo ">> Adding user ${_NAME} with uid: ${_UID}, gid: ${_GID}, shell: ${_SHELL:-<default>}."
if [ ! -e "/etc/authorized_keys/${_NAME}" ]; then
echo "WARNING: No SSH authorized_keys found for ${_NAME}!"
else
check_authorized_key_ownership /etc/authorized_keys/${_NAME} ${_UID} ${_GID}
fi
getent group ${_NAME} >/dev/null 2>&1 || groupadd -g ${_GID} ${_NAME}
getent passwd ${_NAME} >/dev/null 2>&1 || useradd -r -m -p '' -u ${_UID} -g ${_GID} -s ${_SHELL:-""} -c 'SSHD User' ${_NAME}
done
else
# Warn if no authorized_keys
if [ ! -e ~/.ssh/authorized_keys ] && [ ! "$(ls -A /etc/authorized_keys)" ]; then
echo "WARNING: No SSH authorized_keys found!"
fi
fi
# Unlock root account, if enabled
if [[ "${SSH_ENABLE_ROOT}" == "true" ]]; then
echo ">> Unlocking root account"
usermod -p '' root
else
echo "INFO: root account is now locked by default. Set SSH_ENABLE_ROOT to unlock the account."
fi
# Update MOTD
if [ -v MOTD ]; then
echo -e "$MOTD" > /etc/motd
fi
# Enable password authentication by default
echo 'set /files/etc/ssh/sshd_config/PasswordAuthentication yes' | augtool -s 1> /dev/null
# Enable TCP forwarding
echo 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes' | augtool -s 1> /dev/null
# Run scripts in /etc/entrypoint.d
for f in /etc/entrypoint.d/*; do
if [[ -x ${f} ]]; then
echo ">> Running: ${f}"
${f}
fi
done
python3 main.py &
/usr/sbin/sshd -D -e -f /etc/ssh/sshd_config &
while sleep 60; do
ps aux |grep sshd |grep -q -v grep
PROCESS_1_STATUS=$?
ps aux |grep python3 |grep -q -v grep
PROCESS_2_STATUS=$?
# If the greps above find anything, they exit with 0 status
# If they are not both 0, then something is wrong
if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then
echo "One of the processes has already exited."
exit 1
else
echo "INFO: sshd status: $PROCESS_1_STATUS"
echo "INFO: python status: $PROCESS_2_STATUS"
fi
done