summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMalfurious <m@lfurio.us>2022-08-16 13:53:29 -0400
committerMalfurious <m@lfurio.us>2022-08-16 13:53:29 -0400
commit41277398778f53584fd6277af6e71da06e307c42 (patch)
tree17260c9050a82334c3c4284f735de23cab7288bd
parentfa1482275535b0c9360ec80829132cbcd03c83d5 (diff)
downloadsrcnode-41277398778f53584fd6277af6e71da06e307c42.tar.gz
srcnode-41277398778f53584fd6277af6e71da06e307c42.zip
gitolite: Override default sshd_config
Provide a config file for the back-end SSH daemon. Primarily, this explicitly disables root login, password auth, and additional unnecessary frills. Additionally, the sftp subsystem is omitted. Now that this file is added, hostkey files (and the external volume containing them) are moved to a new dedicated location (/hostkeys/...). This allows us to bake sshd_config into the built gitolite image, instead of it also living in the external volume. This makes it easier for future changes to be incorporated by simply updating the image. Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r--docker/Dockerfile.gitolite6
-rw-r--r--docker/sshd_config22
2 files changed, 26 insertions, 2 deletions
diff --git a/docker/Dockerfile.gitolite b/docker/Dockerfile.gitolite
index f953c57..66367b5 100644
--- a/docker/Dockerfile.gitolite
+++ b/docker/Dockerfile.gitolite
@@ -22,8 +22,10 @@ VOLUME /var/lib/gitolite
# sshd host keys are stored in a volume so that rebuilding/updating the
# image doesn't break user trust
-RUN ssh-keygen -A
-VOLUME /etc/ssh
+COPY sshd_config /etc/ssh/
+RUN mkdir -p /hostkeys/etc/ssh/
+RUN ssh-keygen -A -f /hostkeys
+VOLUME /hostkeys
EXPOSE 22
CMD ["/usr/bin/sshd", "-D"]
diff --git a/docker/sshd_config b/docker/sshd_config
new file mode 100644
index 0000000..efc0c52
--- /dev/null
+++ b/docker/sshd_config
@@ -0,0 +1,22 @@
+Port 22
+
+HostKey /hostkeys/etc/ssh/ssh_host_rsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ecdsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ed25519_key
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+UsePAM yes
+PermitRootLogin no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+PrintLastLog no
+PermitUserEnvironment no
+PermitTunnel no