infra/codestorage/hg-ssh/Dockerfile
This time with bonus host key pinning. You know what's _super obnoxious_? Getting a MITM warning just because a Docker container restarted. So, basically, every time you set up an SSH server, it generated its own public/private keypair. And the first time you connect, you'd get that public key from it, and store it locally. Then if you tried connecting later, and a different public key was used, OpenSSH would vomit an error in your face and stop the connection, because it thought you were running into a man-in-the-middle attack. Which is generally a Good Thing. But when we apply this to Docker, it becomes problematic. I'm not subject to a MITM attack, my container just restarted, you silly machine. The correct way around this problem was to reuse the public/private key pair as part of the image. So I put the public keys in the image itself, and used Kubernetes secrets to mount the private keys at /data/ssh/, and then a script to copy them all over into the /etc/ssh directory, where they'd override the generated ones. This means that every instance of this container has the same public/private key combo, meaning no more warning. That solves the problem in a reasonably secure (I think) way when the image is only used by us, but if anyone else wants to use the image, suddenly they need to edit it. They need to change the public keys, because they don't have our private keys.
```dockerfile
FROM secondbit/hg-repo-sync
MAINTAINER Paddy "<paddy@secondbit.org>"

ADD create_user.sh /usr/local/bin/helpers/create_user.sh
RUN chmod +x /usr/local/bin/helpers/create_user.sh
ADD run.sh /usr/local/bin/helpers/run-ssh.sh
RUN chmod +x /usr/local/bin/helpers/run-ssh.sh
ADD pullkeys.sh /usr/local/bin/helpers/pullkeys.sh
RUN chmod +x /usr/local/bin/helpers/pullkeys.sh
ADD post-commit-broadcast.sh /usr/local/bin/helpers/broadcast-to-frontends.sh
RUN chmod +x /usr/local/bin/helpers/broadcast-to-frontends.sh

ADD hgrc /etc/mercurial/hgrc
# host public keys are baked into the image; the matching private keys are
# mounted at runtime from a Kubernetes secret and copied over into /etc/ssh
ADD hostkeys/* /tmp/sshpubkeys/

RUN mkdir /var/run/sshd

# install required packages
RUN apt-get -y update
RUN apt-get -y install openssh-server dnsutils

#ADD sshd_config /etc/ssh/sshd_config
# let sshd start inside the container even though pam_loginuid cannot work there
RUN sed -ri 's/session required pam_loginuid.so/session optional pam_loginuid.so/g' /etc/pam.d/sshd
# key-based authentication only, and no root logins at all
RUN sed -ri 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
RUN sed -ri 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config

EXPOSE 22

CMD ["/usr/local/bin/helpers/run-ssh.sh"]
```
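The key-copying step the commit message describes, written here as an added example rather than the repository's own run-ssh.sh: the /data/ssh, /tmp/sshpubkeys and /etc/ssh paths come from the message and the Dockerfile, while the check that each mounted private key actually matches the public key baked into the image is an addition that refuses to start when the image and the secret were built for different keypairs (the mismatch the message warns about for anyone reusing the image).

```shell
#!/bin/sh
# install_host_keys PRIV_DIR PUB_DIR DEST_DIR
#   PRIV_DIR: private host keys mounted from a Kubernetes secret (/data/ssh)
#   PUB_DIR:  public host keys baked into the image (/tmp/sshpubkeys)
#   DEST_DIR: sshd's key directory (/etc/ssh); generated keys there get replaced
# Returns non-zero if no key was installed or any pair is missing/mismatched.
install_host_keys() {
  priv_dir="$1"; pub_dir="$2"; dest_dir="$3"
  installed=0
  for key in "$priv_dir"/ssh_host_*_key; do
    [ -f "$key" ] || continue          # glob matched nothing
    name=$(basename "$key")
    pubfile="$pub_dir/$name.pub"
    # A private key whose public half is not in the image would make sshd
    # present a key that no client's pinned known_hosts entry recognises.
    if [ ! -f "$pubfile" ]; then
      echo "missing public key for $name in $pub_dir" >&2
      return 1
    fi
    # When ssh-keygen is available, derive the public key from the private
    # key and compare type and key material with the baked-in copy.
    if command -v ssh-keygen >/dev/null 2>&1; then
      expected=$(awk '{print $1, $2}' "$pubfile")
      actual=$(ssh-keygen -y -f "$key" 2>/dev/null | awk '{print $1, $2}')
      if [ -z "$actual" ] || [ "$expected" != "$actual" ]; then
        echo "$pubfile does not match private key $name" >&2
        return 1
      fi
    fi
    # sshd refuses private keys that are group- or world-readable
    cp "$key" "$dest_dir/$name" && chmod 0600 "$dest_dir/$name"
    cp "$pubfile" "$dest_dir/$name.pub" && chmod 0644 "$dest_dir/$name.pub"
    installed=$((installed + 1))
  done
  [ "$installed" -gt 0 ]
}

# Entry point as a run-ssh.sh could use it (hypothetical, not the page's script):
if [ "${1:-}" = "start" ]; then
  install_host_keys /data/ssh /tmp/sshpubkeys /etc/ssh || exit 1
  exec /usr/sbin/sshd -D -e
fi
```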