feat(sshd) allow providing persistent Host Keys through the env var '…

…HOST_KEYS_SRC_DIR' (#29) Signed-off-by: Damien Duportal <[email protected]>
jenkins-infra · Nov 27, 2024 · 838bf50 · 838bf50
1 parent c20e4e8
commit 838bf50
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -31,7 +31,7 @@ ENV USER_RUN_DIR="${user_home}/run"
 
 RUN groupadd -g ${gid} ${group} \
     && useradd -l -d "${user_home}" -u "${uid}" -g "${gid}" -m -s /bin/bash "${user}" \
-    && mkdir -p "${user_home}"/.ssh "${user_home}"/data "${USER_RUN_DIR}" "${USER_ETC_DIR}"/rsyncd.d
+    && mkdir -p "${user_home}"/.ssh "${user_home}"/data "${USER_RUN_DIR}" "${USER_ETC_DIR}"/rsyncd.d "${USER_ETC_DIR}"/keys
 
 COPY rsyncd.conf "${user_home}"/etc/rsyncd.conf.orig
 COPY sshd_config "${user_home}"/etc/sshd_config.orig

diff --git a/README.md b/README.md
@@ -81,6 +81,8 @@ Default value is `INFO`, refer to <https://manpages.debian.org/testing/openssh-s
 Safety Note: There are no concepts of "Rsync" module with SSH: any specified directory accessible by the `rsyncd` user can be read (...or written).
 As such, it's recommended to always use a read-only rootfs and eventually restrict network access as additional security measures to the key based authentication.
 
+You can provide a set of pre-existing host keys to be used (instead of generating a new set if absent) through the variable `HOST_KEYS_SRC_DIR`.
+
 ## Build the image
 
 ```shell

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+: "${HOST_KEYS_SRC_DIR:="/notexisting"}"
+
 set -eux -o pipefail
 
 case "${RSYNCD_DAEMON:-rsyncd}" in
@@ -16,6 +18,11 @@ case "${RSYNCD_DAEMON:-rsyncd}" in
       envsubst '$SSHD_PORT $SSHD_LOG_LEVEL $USER_ETC_DIR $USER_RUN_DIR $HOST_KEYS_DIR'< "${USER_ETC_DIR}"/sshd_config.orig > "${USER_ETC_DIR}"/sshd_config
 
       # Generate hostkeys if absent
+      if [ -d "${HOST_KEYS_SRC_DIR}" ]
+      then
+        rsync -av "${HOST_KEYS_SRC_DIR}"/ssh_host* "${HOST_KEYS_DIR}"/
+      fi
+
       test -f "${HOST_KEYS_DIR}"/ssh_host_dsa_key || ssh-keygen -q -N "" -t dsa -f "${HOST_KEYS_DIR}"/ssh_host_dsa_key
       test -f "${HOST_KEYS_DIR}"/ssh_host_rsa_key || ssh-keygen -q -N "" -t rsa -b 4096 -f "${HOST_KEYS_DIR}"/ssh_host_rsa_key
       test -f "${HOST_KEYS_DIR}"/ssh_host_ecdsa_key || ssh-keygen -q -N "" -t ecdsa -f "${HOST_KEYS_DIR}"/ssh_host_ecdsa_key