Add server image

Makefile

@@ -16,8 +16,8 @@ restart:
 
 .PHONY: down
 down:
-	docker-compose -f ./docker-compose-client.yml down
-	docker-compose -f ./docker-compose-server.yml down
+	docker-compose -f ./docker-compose-client.yml down -v
+	docker-compose -f ./docker-compose-server.yml down -v
 
 .PHONY: server
 server: keys

Readme.md

@@ -53,12 +53,12 @@ Dockamole is configured using environment variables:
 
 ## Use in production
 
-This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information.
+This example provides a somewhat restricted sshd server as well. I would advise caution though as this is likely something that will have access to sensitive information. 
 
-To be safe you should take precautions from someone logging into your server directly.  In my example, I'm using the following as my `authorized_keys` file:
+The server should already be rejecting attempts at a getting a pty, but to be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
 
     no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
 
 This prevents getting a shell if my key is ever leaked.
 
-Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in `./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`.
+Additionally, if you are actually planning on doing this in production, take care when distributing or adding `authorized_keys` or `known_hosts`. By default, this client will auto generate a `known_hosts` file for servers it hasn't connected to before, but it'd be best to validate this yourself.

docker-compose-client.yml

@@ -2,7 +2,7 @@ version: '2.2'
 
 services:
   mole:
-    build: mole
+    build: client
     ports:
       # This is the port you will use to view the service: http://localhost:8880
       - 8880:8080
@@ -13,4 +13,4 @@ services:
       - MOLE_LOCAL_1=0.0.0.0:8080
       - MOLE_REMOTE_1=web:8080
         # IP address is the local address of the server. This is to show that it's connecting outside the bridge network
-      - MOLE_SERVER=mole@10.255.52.39:2222
+      - MOLE_SERVER=mole@10.255.55.226:2222

docker-compose-server.yml

@@ -2,9 +2,9 @@ version: '2.2'
 
 services:
   proxy:
-    image: panubo/sshd
+    build: server
     ports:
-      - "2222:22"
+      - "2222:2222"
     volumes:
       # This key must be provided
       # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole

server/Dockerfile

@@ -0,0 +1,28 @@
+FROM alpine
+
+# Install SSH and set up basic config
+RUN apk add openssh-server augeas
+
+# Create sshd configs
+RUN mkdir /var/run/sshd
+# Allow providing authorized_keys to ~/mole/.ssh/authorized_keys or to /etc/authorized_keys/<user>
+RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'
+# Prevent running commands or getting an X11 session
+RUN augtool 'set /files/etc/ssh/sshd_config/ForceCommand echo no-commands-allowed'
+RUN augtool 'set /files/etc/ssh/sshd_config/X11Forwarding no'
+# Prevent logging in as root user or with a password
+RUN augtool 'set /files/etc/ssh/sshd_config/PermitRootLogin no'
+RUN augtool 'set /files/etc/ssh/sshd_config/PasswordAuthentication no'
+# Use a non-reserved port so we can run as a non-root user
+RUN augtool 'set /files/etc/ssh/sshd_config/Port 2222'
+# Ensure we can forward TCP
+RUN augtool 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes'
+
+EXPOSE 2222
+
+# Create mole user
+RUN adduser --system --home /mole mole
+USER mole
+RUN mkdir -p /mole/.ssh
+
+CMD ["/usr/sbin/sshd", "-D"]