diff --git a/example/images/rsync-ssh/root/entrypoint.d/ssh.sh b/example/images/rsync-ssh/root/entrypoint.d/ssh.sh index 8d00d2b..5f3f24a 100755 --- a/example/images/rsync-ssh/root/entrypoint.d/ssh.sh +++ b/example/images/rsync-ssh/root/entrypoint.d/ssh.sh @@ -2,19 +2,23 @@ set -euo pipefail +# Else, sshd will refuse using authorized_keys +chmod 700 /config + for TYPE in rsa ecdsa ed25519; do [ -e "/config/ssh_host_${TYPE}_key" ] || ssh-keygen -q -N "" -t ${TYPE} -f /config/ssh_host_${TYPE}_key chmod 600 /config/ssh_host_${TYPE}_key chmod 644 /config/ssh_host_${TYPE}_key.pub done +rm -f /config/authorized_keys OLD_IFS=${IFS} IFS=$'\n' for VAR in $(env | grep -E '^SSH_AUTH_KEY'); do echo "Adding ssh key ${VAR}" - echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /tmp/authorized_keys + echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /config/authorized_keys done IFS=${OLD_IFS} -chmod 600 /tmp/authorized_keys +chmod 600 /config/authorized_keys envsubst < /home/ssh/sshd_config.template > /tmp/sshd_config diff --git a/example/images/rsync-ssh/root/home/ssh/sshd_config.template b/example/images/rsync-ssh/root/home/ssh/sshd_config.template index 057816d..af1b6c9 100644 --- a/example/images/rsync-ssh/root/home/ssh/sshd_config.template +++ b/example/images/rsync-ssh/root/home/ssh/sshd_config.template @@ -4,7 +4,7 @@ HostKey /config/ssh_host_rsa_key HostKey /config/ssh_host_ecdsa_key HostKey /config/ssh_host_ed25519_key PermitRootLogin no -AuthorizedKeysFile /tmp/authorized_keys +AuthorizedKeysFile /config/authorized_keys PasswordAuthentication no AllowTcpForwarding no GatewayPorts no diff --git a/example/repo.nomad.hcl b/example/repo.nomad.hcl index 0f41039..6833422 100644 --- a/example/repo.nomad.hcl +++ b/example/repo.nomad.hcl @@ -165,7 +165,7 @@ _EOF driver = "docker" config { - image = "danielberteaud/rsync-ssh:24.1-3" + image = "danielberteaud/rsync-ssh:24.2-2" pids_limit = 100 readonly_rootfs = true mount { 
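Review bot: `chmod 700 /config` only fixes the mode half of what sshd's StrictModes checks for an AuthorizedKeysFile outside the home directory: the file and the directories leading to it must also be owned by root or the login user, so a volume owned by some other uid still fails the check, and if the entrypoint is not running as root the chmod itself fails and `set -euo pipefail` aborts before sshd starts. The added comment should name the actual requirement so the next reader does not loosen it, e.g. `# StrictModes: AuthorizedKeysFile and the dirs leading to it must be owned by root/the login user and not group/world-writable`. Separately, the key file is created by `>>` under the default umask and only tightened by the final `chmod 600`; `umask 077` before the loop (or `install -m 600 /dev/null /config/authorized_keys` right after the `rm -f`) avoids the transient 644 file, though with `/config` now 700 that is hygiene rather than exposure.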
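Review bot: `AuthorizedKeysFile /config/authorized_keys` is an absolute path with no `%u`/`%h` token, so every account sshd authenticates is checked against the same key list, and sshd's StrictModes ownership/permission checks now apply to `/config` itself, which is the coupling the entrypoint's `chmod 700 /config` exists to satisfy. None of that is visible from this file; a comment above the directive would keep a later edit from breaking it, e.g. `# Single shared key list, rebuilt from SSH_AUTH_KEY* by entrypoint.d/ssh.sh at each start; /config must stay owned by root or the login user and not group/world-writable (StrictModes)`. The rest of the template is outside this hunk, so I cannot tell whether it already documents this.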
diff --git a/images/rsync-ssh/root/entrypoint.d/ssh.sh b/images/rsync-ssh/root/entrypoint.d/ssh.sh index 8d00d2b..5f3f24a 100755 --- a/images/rsync-ssh/root/entrypoint.d/ssh.sh +++ b/images/rsync-ssh/root/entrypoint.d/ssh.sh @@ -2,19 +2,23 @@ set -euo pipefail +# Else, sshd will refuse using authorized_keys +chmod 700 /config + for TYPE in rsa ecdsa ed25519; do [ -e "/config/ssh_host_${TYPE}_key" ] || ssh-keygen -q -N "" -t ${TYPE} -f /config/ssh_host_${TYPE}_key chmod 600 /config/ssh_host_${TYPE}_key chmod 644 /config/ssh_host_${TYPE}_key.pub done +rm -f /config/authorized_keys OLD_IFS=${IFS} IFS=$'\n' for VAR in $(env | grep -E '^SSH_AUTH_KEY'); do echo "Adding ssh key ${VAR}" - echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /tmp/authorized_keys + echo "${VAR}" | sed -E 's/^SSH_AUTH_KEY[^=]*=//' >> /config/authorized_keys done IFS=${OLD_IFS} -chmod 600 /tmp/authorized_keys +chmod 600 /config/authorized_keys envsubst < /home/ssh/sshd_config.template > /tmp/sshd_config diff --git a/images/rsync-ssh/root/home/ssh/sshd_config.template b/images/rsync-ssh/root/home/ssh/sshd_config.template index 057816d..af1b6c9 100644 --- a/images/rsync-ssh/root/home/ssh/sshd_config.template +++ b/images/rsync-ssh/root/home/ssh/sshd_config.template @@ -4,7 +4,7 @@ HostKey /config/ssh_host_rsa_key HostKey /config/ssh_host_ecdsa_key HostKey /config/ssh_host_ed25519_key PermitRootLogin no -AuthorizedKeysFile /tmp/authorized_keys +AuthorizedKeysFile /config/authorized_keys PasswordAuthentication no AllowTcpForwarding no GatewayPorts no diff --git a/variables.yml b/variables.yml index a299d68..441228a 100644 --- a/variables.yml +++ b/variables.yml @@ -31,7 +31,7 @@ repo: rsync: # Image to use - image: '[[ .docker.repo ]]rsync-ssh:24.1-3' + image: '[[ .docker.repo ]]rsync-ssh:24.2-2' # Resources to allocate resources:
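Review bot: when no `SSH_AUTH_KEY*` variable is set the loop never creates `/config/authorized_keys` (a non-zero `grep` inside `$(...)` in a `for` word list does not trip `set -e`), so the new `rm -f` guarantees the file is absent and the following `chmod 600 /config/authorized_keys` aborts the entrypoint with a bare "No such file or directory". Failing closed is the right outcome, since sshd must not start with an empty key list on a persistent volume, but it should be explicit and diagnosable: after `IFS=${OLD_IFS}` add `[ -s /config/authorized_keys ] || { echo "no SSH_AUTH_KEY* variables set, refusing to start sshd" >&2; exit 1; }`. The identical copy of this script under example/images/ needs the same check.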
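Review bot: for a key list that is assembled from environment variables and shared by every account (`AuthorizedKeysFile /config/authorized_keys` carries no `%u` token), the template should bound what an authenticated key can do, and this hunk only shows `AllowTcpForwarding no` and `GatewayPorts no`. Unless they are set further down the template, which is not visible here, add `AllowAgentForwarding no`, `X11Forwarding no` and a `ForceCommand` restricted to the rsync server side, or have the entrypoint prefix each generated key line with `restrict,command="..."`, so a leaked client key cannot open an interactive shell. The enclosing template continues outside this hunk.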