Store authorized_keys in /config

As sshd refused to use /tmp because it has too open permissions
2024-02-28 13:59:01 +01:00 · 2024-02-28 13:59:01 +01:00 · e2fb9fc75d
parent ffc78f7d6b
commit e2fb9fc75d
6 changed files with 16 additions and 8 deletions
--- a/example/images/rsync-ssh/root/entrypoint.d/ssh.sh
+++ b/example/images/rsync-ssh/root/entrypoint.d/ssh.sh
@ -2,19 +2,23 @@

 set -euo pipefail

+# Else, sshd will refuse using authorized_keys
+chmod 700 /config
+
 for TYPE in rsa ecdsa ed25519; do
  [ -e "/config/ssh_host_${TYPE}_key" ] || ssh-keygen -q -N "" -t ${TYPE} -f /config/ssh_host_${TYPE}_key
  chmod 600 /config/ssh_host_${TYPE}_key
  chmod 644 /config/ssh_host_${TYPE}_key.pub
 done

+rm -f /config/authorized_keys
 OLD_IFS=${IFS}
 IFS=$'\n'
 for VAR in $(env | grep -E '^SSH_AUTH_KEY'); do
  echo "Adding ssh key ${VAR}"
-  echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /tmp/authorized_keys
+  echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /config/authorized_keys
 done
 IFS=${OLD_IFS}
-chmod 600 /tmp/authorized_keys
+chmod 600 /config/authorized_keys

 envsubst < /home/ssh/sshd_config.template > /tmp/sshd_config
--- a/example/images/rsync-ssh/root/home/ssh/sshd_config.template
+++ b/example/images/rsync-ssh/root/home/ssh/sshd_config.template
@ -4,7 +4,7 @@ HostKey /config/ssh_host_rsa_key
 HostKey /config/ssh_host_ecdsa_key
 HostKey /config/ssh_host_ed25519_key
 PermitRootLogin no
-AuthorizedKeysFile /tmp/authorized_keys
+AuthorizedKeysFile /config/authorized_keys
 PasswordAuthentication no
 AllowTcpForwarding no
 GatewayPorts no
--- a/example/repo.nomad.hcl
+++ b/example/repo.nomad.hcl
@ -165,7 +165,7 @@ _EOF
      driver = "docker"

      config {
-        image           = "danielberteaud/rsync-ssh:24.1-3"
+        image           = "danielberteaud/rsync-ssh:24.2-2"
        pids_limit      = 100
        readonly_rootfs = true
        mount {
--- a/images/rsync-ssh/root/entrypoint.d/ssh.sh
+++ b/images/rsync-ssh/root/entrypoint.d/ssh.sh
@ -2,19 +2,23 @@

 set -euo pipefail

+# Else, sshd will refuse using authorized_keys
+chmod 700 /config
+
 for TYPE in rsa ecdsa ed25519; do
  [ -e "/config/ssh_host_${TYPE}_key" ] || ssh-keygen -q -N "" -t ${TYPE} -f /config/ssh_host_${TYPE}_key
  chmod 600 /config/ssh_host_${TYPE}_key
  chmod 644 /config/ssh_host_${TYPE}_key.pub
 done

+rm -f /config/authorized_keys
 OLD_IFS=${IFS}
 IFS=$'\n'
 for VAR in $(env | grep -E '^SSH_AUTH_KEY'); do
  echo "Adding ssh key ${VAR}"
-  echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /tmp/authorized_keys
+  echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /config/authorized_keys
 done
 IFS=${OLD_IFS}
-chmod 600 /tmp/authorized_keys
+chmod 600 /config/authorized_keys

 envsubst < /home/ssh/sshd_config.template > /tmp/sshd_config
--- a/images/rsync-ssh/root/home/ssh/sshd_config.template
+++ b/images/rsync-ssh/root/home/ssh/sshd_config.template
@ -4,7 +4,7 @@ HostKey /config/ssh_host_rsa_key
 HostKey /config/ssh_host_ecdsa_key
 HostKey /config/ssh_host_ed25519_key
 PermitRootLogin no
-AuthorizedKeysFile /tmp/authorized_keys
+AuthorizedKeysFile /config/authorized_keys
 PasswordAuthentication no
 AllowTcpForwarding no
 GatewayPorts no
--- a/variables.yml
+++ b/variables.yml
@ -31,7 +31,7 @@ repo:

  rsync:
    # Image to use
-    image: '[[ .docker.repo ]]rsync-ssh:24.1-3'
+    image: '[[ .docker.repo ]]rsync-ssh:24.2-2'

    # Resources to allocate
    resources: