path: root/docker/sshd_config
author    Malfurious <m@lfurio.us>  2022-08-16 13:53:29 -0400
committer Malfurious <m@lfurio.us>  2022-08-16 13:53:29 -0400
commit    41277398778f53584fd6277af6e71da06e307c42 (patch)
tree      17260c9050a82334c3c4284f735de23cab7288bd /docker/sshd_config
parent    fa1482275535b0c9360ec80829132cbcd03c83d5 (diff)
download  srcnode-41277398778f53584fd6277af6e71da06e307c42.tar.gz
          srcnode-41277398778f53584fd6277af6e71da06e307c42.zip
gitolite: Override default sshd_config
Provide a config file for the back-end SSH daemon. Primarily, this explicitly disables root login, password auth, and additional unnecessary frills. Additionally, the sftp subsystem is omitted.

Now that this file is added, hostkey files (and the external volume containing them) are moved to a new dedicated location (/hostkeys/...). This allows us to bake sshd_config into the built gitolite image, instead of it also living in the external volume. This makes it easier for future changes to be incorporated by simply updating the image.

Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'docker/sshd_config')
-rw-r--r--  docker/sshd_config  22
1 files changed, 22 insertions, 0 deletions
diff --git a/docker/sshd_config b/docker/sshd_config
new file mode 100644
index 0000000..efc0c52
--- /dev/null
+++ b/docker/sshd_config
@@ -0,0 +1,22 @@
+Port 22
+
+HostKey /hostkeys/etc/ssh/ssh_host_rsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ecdsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ed25519_key
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+UsePAM yes
+PermitRootLogin no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+PrintLastLog no
+PermitUserEnvironment no
+PermitTunnel no
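Review bot: `UsePAM yes` combined with `PasswordAuthentication no` and `KbdInteractiveAuthentication no` leaves PAM doing only account/session handling, and nothing in the hunk says that this is intentional; a one-line comment above `UsePAM yes` (e.g. `# PAM is kept for account/session handling only; no PAM-based authentication`) would save the next reader from wondering whether keyboard-interactive was meant to stay open. Two smaller points: the file enumerates every auth method it turns off but relies on the default for `PubkeyAuthentication`, so stating `PubkeyAuthentication yes` explicitly would make the intended single auth path obvious; and since the daemon exists only to serve gitolite, an `AllowUsers` line restricting logins to the gitolite account (its name is not in this diff) would keep any other account that ends up in the image from being reachable over SSH. The commit message notes that the sftp subsystem is omitted, but that is only visible as an absence here; a `# no Subsystem sftp: git transport only` comment would record it in the file itself.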