Add server image
parent
7f207c712f
commit
e377ab4586
4
Makefile
@ -16,8 +16,8 @@ restart:
|
|||||||
|
|
||||||
.PHONY: down
|
.PHONY: down
|
||||||
down:
|
down:
|
||||||
docker-compose -f ./docker-compose-client.yml down
|
docker-compose -f ./docker-compose-client.yml down -v
|
||||||
docker-compose -f ./docker-compose-server.yml down
|
docker-compose -f ./docker-compose-server.yml down -v
|
||||||
|
|
||||||
.PHONY: server
|
.PHONY: server
|
||||||
server: keys
|
server: keys
|
||||||
|
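Review bot: adding `-v` to both `down` targets also removes any named volumes the compose files declare, so `make down` now discards whatever persistent state they hold rather than just stopping containers; the `server: keys` target in the trailing context suggests generated key material lives somewhere, and if that is a volume, every down/up cycle regenerates it (which matters for a server whose host key clients are expected to pin). If a clean teardown is the intent, keep `down -v` but say so in a comment on the target, or move it into a separate `clean` target so a routine restart does not wipe state.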
@ -53,12 +53,12 @@ Dockamole is configured using environment variables:
|
|||||||
|
|
||||||
## Use in production
|
## Use in production
|
||||||
|
|
||||||
This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information.
|
This example provides a somewhat restricted sshd server as well. I would advise caution though as this is likely something that will have access to sensitive information.
|
||||||
|
|
||||||
To be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
|
The server should already be rejecting attempts at a getting a pty, but to be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
|
||||||
|
|
||||||
no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
|
no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
|
||||||
|
|
||||||
This prevents getting a shell if my key is ever leaked.
|
This prevents getting a shell if my key is ever leaked.
|
||||||
|
|
||||||
Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in `./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`.
|
Additionally, if you are actually planning on doing this in production, take care when distributing or adding `authorized_keys` or `known_hosts`. By default, this client will auto generate a `known_hosts` file for servers it hasn't connected to before, but it'd be best to validate this yourself.
|
||||||
|
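Review bot: the sentence "rejecting attempts at a getting a pty" has a stray "a" (it should read "attempts at getting a pty"), and the claim is only partly backed by the server image added in this commit: `server/Dockerfile` sets `ForceCommand` but no `PermitTTY no`, so the per-key `no-pty` option in the `authorized_keys` example is still what denies a terminal. Either add `PermitTTY no` server-side or soften the wording. Separately, the new `known_hosts` paragraph describes trust-on-first-use; it would help to name the concrete alternative (copy the server's host public key into the client's `known_hosts` before the first connection) instead of only "validate this yourself", and to replace the author's real public key and `user@host` comment in the example with a placeholder.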
@ -2,7 +2,7 @@ version: '2.2'
|
|||||||
|
|
||||||
services:
|
services:
|
||||||
mole:
|
mole:
|
||||||
build: mole
|
build: client
|
||||||
ports:
|
ports:
|
||||||
# This is the port you will use to view the service: http://localhost:8880
|
# This is the port you will use to view the service: http://localhost:8880
|
||||||
- 8880:8080
|
- 8880:8080
|
||||||
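Review bot: the build context moves from `mole` to `client` while the service, the `MOLE_*` variables and the SSH user keep the `mole` name; that is fine, but a one-line comment would stop readers looking for a `mole/` directory. The README hunk in this commit drops the old `./mole/start.sh` reference, so please confirm nothing else (the Makefile, for instance) still points at `mole/`.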
@ -13,4 +13,4 @@ services:
|
|||||||
- MOLE_LOCAL_1=0.0.0.0:8080
|
- MOLE_LOCAL_1=0.0.0.0:8080
|
||||||
- MOLE_REMOTE_1=web:8080
|
- MOLE_REMOTE_1=web:8080
|
||||||
# IP address is the local address of the server. This is to show that it's connecting outside the bridge network
|
# IP address is the local address of the server. This is to show that it's connecting outside the bridge network
|
||||||
- MOLE_SERVER=mole@10.255.52.39:2222
|
- MOLE_SERVER=mole@10.255.55.226:2222
|
||||||
|
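Review bot: `MOLE_SERVER=mole@10.255.55.226:2222` hard-codes a LAN address specific to the author's machine (it already changed once in this commit, from `10.255.52.39`), so the file breaks for anyone else who checks it out. This compose file version supports variable substitution with defaults; something like `- MOLE_SERVER=${MOLE_SERVER:-mole@localhost:2222}` with the real value in an untracked `.env` file keeps the working copy clean and keeps internal addresses out of the history.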
@ -2,9 +2,9 @@ version: '2.2'
|
|||||||
|
|
||||||
services:
|
services:
|
||||||
proxy:
|
proxy:
|
||||||
image: panubo/sshd
|
build: server
|
||||||
ports:
|
ports:
|
||||||
- "2222:22"
|
- "2222:2222"
|
||||||
volumes:
|
volumes:
|
||||||
# This key must be provided
|
# This key must be provided
|
||||||
# - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
|
# - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
|
||||||
|
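Review bot: with `build: server` replacing `panubo/sshd`, the `authorized_keys` bind mount stays commented out although the comment above it still says the key must be provided; since the new image disables password authentication, the service cannot accept any login until that line is active. Either uncomment it (the target path `/etc/authorized_keys/mole` matches the `AuthorizedKeysFile` pattern set in `server/Dockerfile`) or have the Makefile `server: keys` target supply it and say so in the comment. Note also that the mounted file must be readable by the `mole` user the daemon runs as, and that the host-key files the non-root sshd needs are not mounted here either.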
28
server/Dockerfile
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
FROM alpine
|
||||||
|
|
||||||
|
# Install SSH and set up basic config
|
||||||
|
RUN apk add openssh-server augeas
|
||||||
|
|
||||||
|
# Create sshd configs
|
||||||
|
RUN mkdir /var/run/sshd
|
||||||
|
# Allow providing authorized_keys to ~/mole/.ssh/authorized_keys or to /etc/authorized_keys/<user>
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'
|
||||||
|
# Prevent running commands or getting an X11 session
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/ForceCommand echo no-commands-allowed'
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/X11Forwarding no'
|
||||||
|
# Prevent logging in as root user or with a password
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/PermitRootLogin no'
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/PasswordAuthentication no'
|
||||||
|
# Use a non-reserved port so we can run as a non-root user
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/Port 2222'
|
||||||
|
# Ensure we can forward TCP
|
||||||
|
RUN augtool 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes'
|
||||||
|
|
||||||
|
EXPOSE 2222
|
||||||
|
|
||||||
|
# Create mole user
|
||||||
|
RUN adduser --system --home /mole mole
|
||||||
|
USER mole
|
||||||
|
RUN mkdir -p /mole/.ssh
|
||||||
|
|
||||||
|
CMD ["/usr/sbin/sshd", "-D"]
|
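Review bot: `ForceCommand` stops command execution but not PTY allocation, so the README's statement that the server rejects pty requests needs `PermitTTY no` here as well. While touching the config, consider scoping forwarding to the one intended destination with a `Match User mole` block (`PermitOpen web:8080`, plus `AllowAgentForwarding no`, `GatewayPorts no`, `PermitTunnel no`) instead of a global `AllowTcpForwarding yes`, so a leaked client key only reaches the web service rather than anything the container can route to. Two start-up checks: the image never generates host keys (there is no `ssh-keygen -A`) and switches to `USER mole` before `CMD`, so `sshd -D` exits with "no hostkeys available" unless keys readable by `mole` are mounted or passed with `-h`; and on Alpine an account created with `adduser --system` and no password is marked locked (`!`) in `/etc/shadow`, which sshd refuses even for key-based logins, so unlock it before `USER mole` (for example `passwd -u mole`, or set the shadow password field to `*`). Minor: the comment `# Create sshd configs` sits above `mkdir /var/run/sshd`, which creates the pid directory, not configs.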