Update documentation to explain safe usage

This commit is contained in:
IamTheFij 2019-06-24 19:13:04 -07:00
parent 9ba9a71a55
commit 84b291e801
3 changed files with 39 additions and 3 deletions

View File

@ -1,8 +1,27 @@
.PHONY: default .PHONY: default
default: remote client default: remote client
.PHONY: all
all: remote client
.PHONY: stop
stop:
docker-compose -f ./docker-compose-remote.yml stop
docker-compose -f ./docker-compose-client.yml stop
.PHONY: restart
restart:
docker-compose -f ./docker-compose-remote.yml restart
docker-compose -f ./docker-compose-client.yml restart
.PHONY: down
down:
docker-compose -f ./docker-compose-remote.yml down
docker-compose -f ./docker-compose-client.yml down
.PHONY: remote .PHONY: remote
remote: remote:
docker-compose -f ./docker-compose-remote.yml build
docker-compose -f ./docker-compose-remote.yml up -d docker-compose -f ./docker-compose-remote.yml up -d
.PHONY: client .PHONY: client
@ -10,6 +29,10 @@ client:
docker-compose -f ./docker-compose-client.yml build docker-compose -f ./docker-compose-client.yml build
docker-compose -f ./docker-compose-client.yml up -d docker-compose -f ./docker-compose-client.yml up -d
.PHONY: logs .PHONY: remote-logs
logs: remote-logs:
docker-compose -f ./docker-compose-remote.yml logs -f
.PHONY: client-logs
client-logs:
docker-compose -f ./docker-compose-client.yml logs -f docker-compose -f ./docker-compose-client.yml logs -f

View File

@ -49,3 +49,15 @@ Dockamole is configured using environment variables:
# Optional # Optional
MAX_TUNNELS number of tunnels allowed (default 10) MAX_TUNNELS number of tunnels allowed (default 10)
SSH_KEY path to ssh private key that should be used (default ~/.ssh/id_rsa) SSH_KEY path to ssh private key that should be used (default ~/.ssh/id_rsa)
## Use in production
This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information.
To be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
This prevents getting a shell if my key is ever leaked.
Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in ./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`.

View File

@ -7,7 +7,8 @@ services:
- "2222:22" - "2222:22"
volumes: volumes:
# This key must be provided # This key must be provided
- ./id_rsa_proxy.pub:/etc/authorized_keys/mole # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
- ./authorized_keys:/etc/authorized_keys/mole
environment: environment:
- SSH_USERS=mole:101:101 - SSH_USERS=mole:101:101