From f06a55875b92ad604f6d00fc5f45ffae240212bf Mon Sep 17 00:00:00 2001
From: nold
Date: Fri, 20 Oct 2017 06:45:14 +0200
Subject: [PATCH] Add: Ciphers/Cryptoparams to sshd_config

---
 Dockerfile | 2 +-
 data/run.sh | 27 ++++++++++++++++++---------
 data/sshd_config | 10 +++++++---
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2d15312..e45666b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ RUN mkdir /run/sshd
 COPY ./data/run.sh /run.sh
 COPY ./data/sshd_config /etc/ssh/sshd_config
-CMD /bin/bash -x /run.sh
+CMD /bin/bash /run.sh
 # Default SSH-Port for clients
 EXPOSE 22
diff --git a/data/run.sh b/data/run.sh
index f1e26dc..3763c20 100644
--- a/data/run.sh
+++ b/data/run.sh
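Review bot: The new `CMD /bin/bash /run.sh` is still the shell form, so PID 1 in the container is `/bin/sh -c` and the SIGTERM sent by `docker stop` never reaches sshd, which run.sh also starts as a plain child (`/usr/sbin/sshd -D -e`) rather than via `exec`; prefer `CMD ["/bin/bash", "/run.sh"]` and end run.sh with `exec /usr/sbin/sshd -D -e` so the daemon receives the signal and shuts down cleanly. Dropping `-x` is a sound change for a production image, since tracing would have written every expanded `echo -n "command=..."` line and the key-file paths to the container log.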
@@ -9,25 +9,34 @@ SSH_KEY_DIR=/sshkeys
 echo "########################################################"
 for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
 dirpath=$(eval echo '$'$dir)
-echo "Testing Volume $dir: $dirpath"
+echo " * Testing Volume $dir: $dirpath"
 if [ ! -d "$dirpath" ] ; then
-echo " ERROR: $dirpath is no directory!"
+echo "ERROR: $dirpath is no directory!"
 exit 1
 fi
-if [ $(find $SSH_KEY_DIR -type f | wc -l) == 0 ] ; then
+if [ $(find "${SSH_KEY_DIR}/clients" -type f | wc -l) == 0 ] ; then
 echo "ERROR: No SSH-Pubkey file found in $SSH_KEY_DIR"
 exit 1
 fi
 done
+
+# Copy SSH-Host-Keys to persistent storage
+mkdir -p ${SSH_KEY_DIR}/host 2>/dev/null
+echo " * Checking / Preparing SSH Host-Keys..."
+for keyfile in ssh_host_rsa_key ssh_host_ed25519_key ; do
+if [ ! -f "${SSH_KEY_DIR}/host/${keyfile}" ] ; then
+cp /etc/ssh/${keyfile} "${SSH_KEY_DIR}/host/${keyfile}"
+fi
+done
 echo "########################################################"
-echo "Starting SSH-Key import..."
-for keyfile in $(find $SSH_KEY_DIR -type f); do
+echo " * Starting SSH-Key import..."
+for keyfile in $(find "${SSH_KEY_DIR}/clients" -type f); do
 client_name=$(basename $keyfile)
-echo "Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
+echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
 mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
-echo -n "command=\"$(eval echo -n \"$BORG_CMD\")\" " >> /home/borg/.ssh/authorized_keys
+echo -n "command=\"$(eval echo -n \"${BORG_CMD}\")\" " >> /home/borg/.ssh/authorized_keys
 cat $keyfile >> /home/borg/.ssh/authorized_keys
 done
@@ -35,8 +44,8 @@ chown -R borg: /backup
 chown borg: /home/borg/.ssh/authorized_keys
 chmod 600 /home/borg/.ssh/authorized_keys
-echo "Init done!"
+echo " * Init done!"
 echo "########################################################"
-echo "Starting SSH-Daemon"
+echo " * Starting SSH-Daemon"
 /usr/sbin/sshd -D -e
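Review bot: The new host-key block copies the image's `/etc/ssh/ssh_host_*_key` into the volume on first start, so if those files were generated at image build time every container started from this image presents the same host key pair and a compromise of one deployment exposes all of them; generate a fresh key when the file is missing instead, e.g. `type=${keyfile#ssh_host_}; type=${type%_key}` followed by `ssh-keygen -q -N '' -t "$type" -f "${SSH_KEY_DIR}/host/${keyfile}"`. In the import loop, `cat $keyfile` is appended straight after the `command=` prefix, so a client key file that lacks a trailing newline fuses with the next client's prefix into one corrupted authorized_keys line; terminating each entry with `printf '\n'` avoids that. `client_name` comes from an unquoted `$(find …)` and `basename $keyfile` and then flows into `eval`, so a file name containing spaces, quotes or `$` either breaks the loop or alters the generated command; quote the expansions and reject names outside `[A-Za-z0-9._-]` before using them. Since `command=` is the only option set on each entry, adding `restrict` (or `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` on older OpenSSH) keeps a client key from being used for anything but the configured borg command. The `find "${SSH_KEY_DIR}/clients"` check also sits inside the `for dir in …` loop and therefore runs once per volume; it belongs after the loop.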
diff --git a/data/sshd_config b/data/sshd_config
index 7fe5a52..1ebbda7 100644
--- a/data/sshd_config
+++ b/data/sshd_config
@@ -3,9 +3,8 @@ AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /sshkeys/host/ssh_host_rsa_key
+HostKey /sshkeys/host/ssh_host_ed25519_key
 PermitRootLogin no
 StrictModes yes
@@ -17,6 +16,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 LogLevel INFO
 #LogLevel DEBUG
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+
+
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 UsePAM yes
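Review bot: The new `MACs` and `KexAlgorithms` lines still end with legacy SHA-1/RIPEMD entries (`hmac-ripemd160`, `diffie-hellman-group14-sha1`, `diffie-hellman-group-exchange-sha1`), which undercut the hardening this commit sets out to do, since a client can negotiate down to them; trimming to `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` and `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com` keeps only the encrypt-then-MAC and SHA-2 options. Note also that OpenSSH dropped `hmac-ripemd160` in 7.6, so on an image shipping that release or later sshd will refuse the `MACs` line at startup ("Bad SSH2 mac spec") and the container will not come up. If `diffie-hellman-group-exchange-sha256` stays, `/etc/ssh/moduli` should be pruned of small groups, otherwise the server may offer weak DH parameters. The two added blank lines before `PasswordAuthentication no` look unintentional; one is enough.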