From 84b291e801261ef54526b5f53d13edbac61c249c Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Mon, 24 Jun 2019 19:13:04 -0700
Subject: [PATCH] Update documentation to explain safe usage
---
 Makefile | 27 +++++++++++++++++++++++++--
 Readme.md | 12 ++++++++++++
 docker-compose-remote.yml | 3 ++-
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index ad25cd2..3417296 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,27 @@
 .PHONY: default
 default: remote client
 
+.PHONY: all
+all: remote client
+
+.PHONY: stop
+stop:
+ docker-compose -f ./docker-compose-remote.yml stop
+ docker-compose -f ./docker-compose-client.yml stop
+
+.PHONY: restart
+restart:
+ docker-compose -f ./docker-compose-remote.yml restart
+ docker-compose -f ./docker-compose-client.yml restart
+
+.PHONY: down
+down:
+ docker-compose -f ./docker-compose-remote.yml down
+ docker-compose -f ./docker-compose-client.yml down
+
 .PHONY: remote
 remote:
+ docker-compose -f ./docker-compose-remote.yml build
  docker-compose -f ./docker-compose-remote.yml up -d
 
 .PHONY: client
@@ -10,6 +29,10 @@ client:
  docker-compose -f ./docker-compose-client.yml build
  docker-compose -f ./docker-compose-client.yml up -d
 
-.PHONY: logs
-logs:
+.PHONY: remote-logs
+remote-logs:
+ docker-compose -f ./docker-compose-remote.yml logs -f
+
+.PHONY: client-logs
+client-logs:
  docker-compose -f ./docker-compose-client.yml logs -f
diff --git a/Readme.md b/Readme.md
index 859fe18..6bac401 100644
--- a/Readme.md
+++ b/Readme.md
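Review bot: Every new target in the first hunk (stop, restart, down, remote) and in the second (remote-logs, client-logs) spells out `docker-compose -f ./docker-compose-remote.yml` or the client equivalent by hand, so a future rename of either compose file has to be applied in eight recipes. Two variables at the top of the Makefile, `REMOTE := docker-compose -f ./docker-compose-remote.yml` and `CLIENT := docker-compose -f ./docker-compose-client.yml`, let each recipe become `$(REMOTE) stop` / `$(CLIENT) stop` and keep the two files in one place. The new `all` target is also byte-for-byte the same as `default`; `all: default` would express the intent without duplicating the prerequisite list. Note that the old `logs` target is removed rather than aliased, so anyone scripting `make logs` will start failing; a one-line `logs: client-logs` would keep it working.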
@@ -49,3 +49,15 @@ Dockamole is configured using environment variables:
 # Optional
 MAX_TUNNELS number of tunnels allowed (default 10)
 SSH_KEY path to ssh private key that should be used (default ~/.ssh/id_rsa)
+
+## Use in production
+
+This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information.
+
+To be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
+
+ no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
+
+This prevents getting a shell if my key is ever leaked.
+
+Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in ./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`.
diff --git a/docker-compose-remote.yml b/docker-compose-remote.yml
index 4aa62bb..5aa5b4b 100644
--- a/docker-compose-remote.yml
+++ b/docker-compose-remote.yml
@@ -7,7 +7,8 @@ services:
 - "2222:22" volumes: # This key must be provided - - ./id_rsa_proxy.pub:/etc/authorized_keys/mole + # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole + - ./authorized_keys:/etc/authorized_keys/mole environment: - SSH_USERS=mole:101:101
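Review bot: The new `./authorized_keys` bind mount is writable from inside the container, yet that file is now the only thing carrying the `no-pty`/`command=` restrictions the Readme relies on, so anything that can write inside the sshd container can loosen them on the host copy as well; mounting it read-only, `- ./authorized_keys:/etc/authorized_keys/mole:ro`, closes that and costs nothing because sshd only reads the file. The context comment above it, `# This key must be provided`, now describes the wrong thing since the mount is no longer a public key; `# This authorized_keys file must be provided; keep the restrictive options described in the Readme` would match the change. Leaving the old `id_rsa_proxy.pub` line behind as a comment invites someone to flip it back and lose the restrictions, so I would drop it rather than keep it commented out. Whether the panubo/sshd image copies or reads the file in place is not visible here, so the `:ro` suggestion should be confirmed against that image's entrypoint.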