diff --git a/Dockerfile b/Dockerfile index 9e6dea0..1b30a8c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,11 +40,10 @@ COPY ./sshd_config /etc/ssh/ COPY ./sshd.pam /etc/pam.d/sshd RUN rm -f /etc/motd -ONBUILD RUN ssh-keygen -A - RUN adduser -D -G users -s /bin/sh -h /bastion bastion \ && passwd -u bastion RUN echo '[[ -e .google_authenticator ]] || google-authenticator' >> /etc/profile EXPOSE 22 -CMD /usr/sbin/sshd -De +VOLUME /etc/ssh /bastion +CMD ssh-keygen -A && /usr/sbin/sshd -De diff --git a/Dockerfile.example b/Dockerfile.example deleted file mode 100644 index 4c46cd7..0000000 --- a/Dockerfile.example +++ /dev/null @@ -1,2 +0,0 @@ -# use latest or one of the published tags as your base -FROM neochrome/bastion:latest diff --git a/Makefile b/Makefile index 8d8c6d7..f1f9efd 100644 --- a/Makefile +++ b/Makefile @@ -1,19 +1,28 @@ -.DEFAULT_GOAL := build +.DEFAULT_GOAL:=build -BUILD_TAG=neochrome/bastion:latest -EXAMPLE_TAG=neochrome/bastion:example +BUILD_TAG:=neochrome/bastion:latest +MAIN_CONTAINER:=bastion +DATA_CONTAINER:=bastion-data build: @docker build -t $(BUILD_TAG) . -example: build - @docker build -t $(EXAMPLE_TAG) -f Dockerfile.example . +data: build + @docker inspect $(DATA_CONTAINER) > /dev/null \ + || docker create --name $(DATA_CONTAINER) $(BUILD_TAG) -example-run: example - @docker run --rm -it -p 2222:22 -v $$HOME/.ssh/id_rsa.pub:/bastion/authorized_keys $(EXAMPLE_TAG) - -example-test: - @ssh bastion@localhost -p 2222 /bin/true +test: data + @docker inspect $(MAIN_CONTAINER) > /dev/null \ + || docker run --rm -d \ + --name $(MAIN_CONTAINER) \ + -p 2222:22 \ + --volumes-from $(DATA_CONTAINER) \ + -v "$$HOME/.ssh/id_rsa.pub:/bastion/authorized_keys:ro" $(BUILD_TAG) + @sleep 3 + @docker logs $(MAIN_CONTAINER) + @ssh bastion@localhost -p 2222 + @docker kill $(MAIN_CONTAINER) clean: - @docker rmi -f $(EXAMPLE_TAG) $(BUILD_TAG) + @-docker rm -f $(DATA_CONTAINER) $(MAIN_CONTAINER) + @-docker rmi -f $(BUILD_TAG) 
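Review bot: The new `CMD ssh-keygen -A && /usr/sbin/sshd -De` is shell form, so `/bin/sh -c` becomes PID 1 and the SIGTERM from `docker stop` reaches the shell rather than sshd, which is then killed after the stop timeout instead of closing its sessions cleanly; `CMD ["/bin/sh", "-c", "ssh-keygen -A && exec /usr/sbin/sshd -De"]` keeps the key generation and hands PID 1 to sshd. Moving host-key generation from `ONBUILD RUN` to container start also means a container launched without a persisted `/etc/ssh` volume gets fresh host keys on every recreation, and clients will then see host-key-changed warnings; a comment above `VOLUME` such as `# host keys are generated at first start; persist /etc/ssh (volume or --volumes-from) so they survive container recreation` would make that visible in the Dockerfile itself. Because `VOLUME /etc/ssh` now also covers the `sshd_config` copied a few lines earlier, an existing data container will presumably keep shadowing later image changes to that file — worth confirming and, if so, documenting next to the VOLUME line. The stage these lines belong to starts before the hunk.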
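Review bot: The new `test` target's `@ssh bastion@localhost -p 2222` runs no command, so it opens an interactive session and the target cannot run unattended, unlike the `example-test` it replaces which passed `/bin/true`; and since make aborts the recipe on a non-zero ssh exit, the following `docker kill $(MAIN_CONTAINER)` is skipped, leaving a container bound to port 2222 that the next run's `docker inspect` guard then treats as ready. Restoring `@ssh bastion@localhost -p 2222 /bin/true` and making the cleanup unconditional, `@-docker kill $(MAIN_CONTAINER)`, would address both. The `docker inspect … || docker run` guard in `test` also succeeds for a stopped or exited container of that name, so a stale container silently short-circuits the `run`; checking the running state (for example `docker inspect -f '{{.State.Running}}'`) or removing any old container before running would be more reliable. The fixed `sleep 3` before the ssh is a hand-tuned guess at sshd startup time and is the likely source of flaky runs.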
diff --git a/README.md b/README.md index 07b2824..02cf6b9 100644 --- a/README.md +++ b/README.md 
@@ -1,28 +1,35 @@ # Bastion with google authenticator +A simple ssh bastion using public keys and google authenticator to keep thing safe. ## Usage -Derive an image from this one in order to have host keys generated and -stored within the resulting image. -The image contains only one user, named `bastion` with it's home set -to `/bastion`. I.e, one must connect as the `bastion` user like so: +Since host keys are generated on demand upon launch, you might want to +store them in a separate data container. For this purpose the VOLUME +`/etc/ssh` is defined and may used like: +``` +$ docker create --name bastion-data neochrome/bastion:latest +$ docker run --volumes-from bastion-data -p 2222:22 neochrome/bastion:latest +``` + +The user `bastion` is used for connection: ``` $ ssh bastion@hostname ``` -Please see [Dockerfile.example](Dockerfile.example) for a minimal example of this. ### google-authenticator Upon first connection `google-authenticator` will be run in order to setup two-factor authentication. If you have previous settings or want to share the generated ones -between multiple bastions, please use VOLUMEs to share the `/bastion` folder -or specifically `/bastion/.google-authenticator`. +between multiple bastions or for safe-keep when upgrading, please use +a data container as shown above. ### authorized_keys -Either add `COPY authorized_keys /bastion/authorized_keys` to your `Dockerfile` -or use VOLUMEs to share such a file. -If you add the file to your image, remember to set owner to `bastion:users`. +In order to authenticate public keys need to be made available to the +bastion. This may be done in a derived image by adding the key(s) to +`/bastion/authorized_keys`, don't forget to set owner to `bastion:users`. +Another way is to use another defined VOLUME, `/bastion` and create a +data container as shown above. ### motd -The image comes without a `/etc/motd` file. If you want one, you may add a -`COPY my_motd /etc/motd` command to your `Dockerfile`. 
+The image comes without a `/etc/motd` file. If you want one, you may either +mount one or add one to a derived image.