Add server image

This commit is contained in:
IamTheFij 2019-08-08 14:35:17 -07:00
parent 7f207c712f
commit e377ab4586
7 changed files with 37 additions and 9 deletions


@ -16,8 +16,8 @@ restart:
.PHONY: down .PHONY: down
down: down:
docker-compose -f ./docker-compose-client.yml down docker-compose -f ./docker-compose-client.yml down -v
docker-compose -f ./docker-compose-server.yml down docker-compose -f ./docker-compose-server.yml down -v
.PHONY: server .PHONY: server
server: keys server: keys


@ -53,12 +53,12 @@ Dockamole is configured using environment variables:
## Use in production ## Use in production
This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information. This example provides a somewhat restricted sshd server as well. I would advise caution though as this is likely something that will have access to sensitive information.
To be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file: The server should already be rejecting attempts at a getting a pty, but to be safe you should take precautions from someone logging into your server directly. In my example, I'm using the following as my `authorized_keys` file:
no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
This prevents getting a shell if my key is ever leaked. This prevents getting a shell if my key is ever leaked.
Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in `./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`. Additionally, if you are actually planning on doing this in production, take care when distributing or adding `authorized_keys` or `known_hosts`. By default, this client will auto generate a `known_hosts` file for servers it hasn't connected to before, but it'd be best to validate this yourself.


@ -2,7 +2,7 @@ version: '2.2'
services: services:
mole: mole:
build: mole build: client
ports: ports:
# This is the port you will use to view the service: http://localhost:8880 # This is the port you will use to view the service: http://localhost:8880
- 8880:8080 - 8880:8080
@ -13,4 +13,4 @@ services:
- MOLE_LOCAL_1=0.0.0.0:8080 - MOLE_LOCAL_1=0.0.0.0:8080
- MOLE_REMOTE_1=web:8080 - MOLE_REMOTE_1=web:8080
# IP address is the local address of the server. This is to show that it's connecting outside the bridge network # IP address is the local address of the server. This is to show that it's connecting outside the bridge network
- MOLE_SERVER=mole@10.255.52.39:2222 - MOLE_SERVER=mole@10.255.55.226:2222


@ -2,9 +2,9 @@ version: '2.2'
services: services:
proxy: proxy:
image: panubo/sshd build: server
ports: ports:
- "2222:22" - "2222:2222"
volumes: volumes:
# This key must be provided # This key must be provided
# - ./id_rsa_proxy.pub:/etc/authorized_keys/mole # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole

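--- /dev/null
+++ b/server/Dockerfile
@@ -0,0 +1,28 @@
+FROM alpine
+# Install SSH and set up basic config
+RUN apk add openssh-server augeas
+# Create sshd configs
+RUN mkdir /var/run/sshd
+# Allow providing authorized_keys to ~/mole/.ssh/authorized_keys or to /etc/authorized_keys/<user>
+RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'
+# Prevent running commands or getting an X11 session
+RUN augtool 'set /files/etc/ssh/sshd_config/ForceCommand echo no-commands-allowed'
+RUN augtool 'set /files/etc/ssh/sshd_config/X11Forwarding no'
+# Prevent logging in as root user or with a password
+RUN augtool 'set /files/etc/ssh/sshd_config/PermitRootLogin no'
+RUN augtool 'set /files/etc/ssh/sshd_config/PasswordAuthentication no'
+# Use a non-reserved port so we can run as a non-root user
+RUN augtool 'set /files/etc/ssh/sshd_config/Port 2222'
+# Ensure we can forward TCP
+RUN augtool 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes'
+EXPOSE 2222
+# Create mole user
+RUN adduser --system --home /mole mole
+USER mole
+RUN mkdir -p /mole/.ssh
+CMD ["/usr/sbin/sshd", "-D"]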
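Review bot: The forwarding grant is wider than the README's threat model assumes: `AllowTcpForwarding yes` is set with no `PermitOpen`, so anyone holding the mole key (the leaked-key case the README worries about) can open a forward to any address the proxy container can reach, not just the `web:8080` target the client compose file uses, and nothing in this file denies a pty or agent forwarding even though the new README text claims the server already rejects pty requests (as far as I can tell, `ForceCommand` still runs its echo inside a pty when the client asks for one). I would add `RUN augtool 'set /files/etc/ssh/sshd_config/PermitOpen web:8080'`, `RUN augtool 'set /files/etc/ssh/sshd_config/PermitTTY no'` and `RUN augtool 'set /files/etc/ssh/sshd_config/AllowAgentForwarding no'` beside the `AllowTcpForwarding` line, widening `PermitOpen` only if other remotes are intended. Separately, the image never generates or copies sshd host keys, so unless the Makefile's `keys` target bind-mounts them at run time readable by the `mole` user, `/usr/sbin/sshd -D` will exit for lack of host keys; a comment above `CMD` such as `# host keys are not baked in: mount /etc/ssh/ssh_host_*_key readable by mole at run time` would record that contract. `FROM alpine` with no tag and `apk add` without `--no-cache` or pinned versions also make the build non-reproducible and leave the apk index in the layer.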