From e377ab4586bf9aa61a54e49e5aa5c55d358f02ac Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Thu, 8 Aug 2019 14:35:17 -0700
Subject: [PATCH] Add server image

---
Makefile | 4 ++--
Readme.md | 6 +++---
{mole => client}/Dockerfile | 0
{mole => client}/start.sh | 0
docker-compose-client.yml | 4 ++--
docker-compose-server.yml | 4 ++--
server/Dockerfile | 28 ++++++++++++++++++++++++++++
7 files changed, 37 insertions(+), 9 deletions(-)
rename {mole => client}/Dockerfile (100%)
rename {mole => client}/start.sh (100%)
create mode 100644 server/Dockerfile

diff --git a/Makefile b/Makefile
index 399d661..4ca5a21 100644
--- a/Makefile
+++ b/Makefile
@@ -16,8 +16,8 @@ restart: .PHONY: down down: - docker-compose -f ./docker-compose-client.yml down - docker-compose -f ./docker-compose-server.yml down + docker-compose -f ./docker-compose-client.yml down -v + docker-compose -f ./docker-compose-server.yml down -v .PHONY: server server: keys
diff --git a/Readme.md b/Readme.md
index 18c5501..c343f05 100644
--- a/Readme.md
+++ b/Readme.md
@@ -53,12 +53,12 @@ Dockamole is configured using environment variables: ## Use in production -This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information. +This example provides a somewhat restricted sshd server as well. I would advise caution though as this is likely something that will have access to sensitive information. -To be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file: +The server should already be rejecting attempts at a getting a pty, but to be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file: no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V This prevents getting a shell if my key is ever leaked. -Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in `./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`. +Additionally, if you are actually planning on doing this in production, take care when distributing or adding `authorized_keys` or `known_hosts`. By default, this client will auto generate a `known_hosts` file for servers it hasn't connected to before, but it'd be best to validate this yourself. 
diff --git a/mole/Dockerfile b/client/Dockerfile
similarity index 100%
rename from mole/Dockerfile
rename to client/Dockerfile
diff --git a/mole/start.sh b/client/start.sh
similarity index 100%
rename from mole/start.sh
rename to client/start.sh
diff --git a/docker-compose-client.yml b/docker-compose-client.yml
index 083b608..6700174 100644
--- a/docker-compose-client.yml
+++ b/docker-compose-client.yml
@@ -2,7 +2,7 @@ version: '2.2' services: mole: - build: mole + build: client ports: # This is the port you will use to view the service: http://localhost:8880 - 8880:8080
@@ -13,4 +13,4 @@ services: - MOLE_LOCAL_1=0.0.0.0:8080 - MOLE_REMOTE_1=web:8080 # IP address is the local address of the server. This is to show that it's connecting outside the bridge network - - MOLE_SERVER=mole@10.255.52.39:2222 + - MOLE_SERVER=mole@10.255.55.226:2222
diff --git a/docker-compose-server.yml b/docker-compose-server.yml
index 7aca95d..6f14329 100644
--- a/docker-compose-server.yml
+++ b/docker-compose-server.yml
@@ -2,9 +2,9 @@ version: '2.2' services: proxy: - image: panubo/sshd + build: server ports: - - "2222:22" + - "2222:2222" volumes: # This key must be provided # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
diff --git a/server/Dockerfile b/server/Dockerfile
new file mode 100644
index 0000000..68c8062
--- /dev/null
+++ b/server/Dockerfile
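Review bot: The commented-out example mount `./id_rsa_proxy.pub:/etc/authorized_keys/mole` in the docker-compose-server.yml hunk now feeds an sshd that runs as the unprivileged `mole` user (see server/Dockerfile in this commit), so the bind-mounted file must be readable by that uid, and with sshd's default `StrictModes` the file and `/etc/authorized_keys` must be owned by that user or root and not group/world-writable; on a Linux host a key file owned by the host user will likely be refused with a bad-ownership error. A one-line addition to the comment, `# Must be readable by the mole user and not group/world-writable (sshd StrictModes)`, would save a confusing login failure. The `2222:2222` mapping matches the `Port 2222` set in the new Dockerfile.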
@@ -0,0 +1,28 @@
+FROM alpine
+
+# Install SSH and set up basic config
+RUN apk add openssh-server augeas
+
+# Create sshd configs
+RUN mkdir /var/run/sshd
+# Allow providing authorized_keys to ~/mole/.ssh/authorized_keys or to /etc/authorized_keys/
+RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'
+# Prevent running commands or getting an X11 session
+RUN augtool 'set /files/etc/ssh/sshd_config/ForceCommand echo no-commands-allowed'
+RUN augtool 'set /files/etc/ssh/sshd_config/X11Forwarding no'
+# Prevent logging in as root user or with a password
+RUN augtool 'set /files/etc/ssh/sshd_config/PermitRootLogin no'
+RUN augtool 'set /files/etc/ssh/sshd_config/PasswordAuthentication no'
+# Use a non-reserved port so we can run as a non-root user
+RUN augtool 'set /files/etc/ssh/sshd_config/Port 2222'
+# Ensure we can forward TCP
+RUN augtool 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes'
+
+EXPOSE 2222
+
+# Create mole user
+RUN adduser --system --home /mole mole
+USER mole
+RUN mkdir -p /mole/.ssh
+
+CMD ["/usr/sbin/sshd", "-D"]
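Review bot: Nothing in this hunk creates SSH host keys, and the `CMD` line starts sshd as the `mole` user, who can neither write the default key paths under /etc/ssh nor read root-owned keys there; as far as I can tell sshd will refuse to start until a host key exists somewhere `mole` can read, unless the `keys` target referenced in the Makefile mounts one in. The Readme change in this commit also states that the server rejects pty requests, but the config only sets `ForceCommand` and `X11Forwarding`; `RUN augtool 'set /files/etc/ssh/sshd_config/PermitTTY no'` (and `AllowAgentForwarding no`) would make that claim true. `FROM alpine` is untagged and `apk add` has neither `--no-cache` nor pinned versions (hadolint DL3006/DL3018), so the image is not reproducible and carries the apk index in a layer. The rewrite below generates an ed25519 host key into a `mole`-owned directory and passes it with `-h`; note that a key baked into the image is shared by every container run from it, so for production generate it at first start into a volume instead.
```dockerfile
FROM alpine:3.10

RUN apk add --no-cache openssh-server augeas

# … unchanged: augtool sshd_config settings (AuthorizedKeysFile … AllowTcpForwarding) …
RUN augtool 'set /files/etc/ssh/sshd_config/PermitTTY no'
RUN augtool 'set /files/etc/ssh/sshd_config/AllowAgentForwarding no'

EXPOSE 2222

# sshd runs unprivileged, so the host key must live where `mole` can read it.
# A key generated at build time is shared by every container from this image;
# for production generate it at first start into a volume instead.
RUN adduser --system --home /mole mole \
 && mkdir -p /mole/.ssh /mole/etc/ssh \
 && ssh-keygen -t ed25519 -N '' -f /mole/etc/ssh/ssh_host_ed25519_key \
 && chown -R mole /mole
USER mole

# -e logs to stderr so `docker logs` shows auth failures; -h selects the mole-owned key.
CMD ["/usr/sbin/sshd", "-D", "-e", "-h", "/mole/etc/ssh/ssh_host_ed25519_key"]
```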